Abstract

Information Technology (IT) used for business processes is not only provided by the organization’s IT department. Business departments and users autonomously implement IT solutions outside of the organizational IT service management. This phenomenon is called Shadow IT. Opportunities for innovation and flexibility, and problems in security, compliance, and efficiency call for its management. Following design science research and guided by a multiple-case study, this paper provides a method to manage Shadow IT instances. The designed measures to identify, evaluate and control these are theoretically justified by informal organization research, risk maps, and Transaction Cost Theory. The modes to control Shadow IT instances, registration, coordination of related activities, or renovation, follow efficient and adaptive governance structures and consider risk-based parameters. Applying the method turns Shadow IT into a business-located IT, preserving the opportunities resulting from autonomy. The findings contribute to IT Governance research regarding IT activities at business and user level.