Voted Best Answer
Sep 27, 2016 - 10:06 PM
Having said that, shadow IT isn't risk free and it's important that these risks are identified, managed and controlled. My recommendation would be a blanket rule that all contracts and new vendors need to be risk-assessed by (a responsive!) IT Procurement team, who then determine an appropriate management methodology for each supplier. If the supplier is unique to a particular business unit, there is low risk of contract non-compliance, and the contract includes basic provisions such as repatriating data from the supplier after contract end, then why not let the business unit manage the contract directly?
On the other hand, if the business unit want to contract directly with Oracle, then Procurement, SAM, Enterprise Architecture and Information Security would want to have much greater involvement in contract management because the risks to the organisation as a whole are much higher.
This segmentation approach needs to be backed up by assurance processes to ensure that appropriate management is actually taking place.