HOW DO YOU DISCLOSE? SOME EVIDENCE ON IT GOVERNANCE AND PERFORMANCE IN EUROPEAN BANKING SYSTEM

This paper examines the evolution of the attention paid by a sample of EU banks on IT governance. We propose an analysis based on IT public disclosure to contribute to the less explored strand of literature on IT governance transparency. We explore if the attention paid by banks to this topic has grown after the crises and if the greater importance ascribed to IT governance is due to the Supervisors' pressure or the value- driven decisions. In particular, we test if, as for other corporate governance mechanisms, there is a veri¯able linkage between IT governance (disclosure) and banks' performance.


Introduction
This paper investigates banks' attitude towards IT governance in a sample of major EU banks, deepening the underlying rationales and the possible impacts on banks' performance. In particular, we highlight if the renewed interest on IT governance paid by scholars and regulators À À À especially after the¯nancial turmoil À À À also a®ected banks' disclosing behavior on this topic. We aim at testing if the increasing attention for IT governance by banks in°uence, like other corporate governance mechanisms, their performance in term of market-based and accounting-based indicators.
Even though academics started to focus on IT in the 1960s did only in the late 1990s did this topic raise a systematic interest from scholars and practitioners. Ever since, the concept of IT governance has become the object of greater attention and analysis encompassing the mechanisms of corporate governance. To the extent that IT is a component of business, it is undeniable that the entire corporate governance includes IT governance.
However, IT governance merits distinct attention within other corporate governance mechanisms for two reasons: most organisations in today's complex and competitive business environment rely heavily on IT to improve operating e±ciency and sustain competitive advantage (Mata et al. 1995); -IT governance can help¯rms to arrange and specify an e±cient IT decisionmaking structure (Sambamurthy & Zmud 1999, Weill & Ross 2004 for a range of IT-related topics. An e®ective governance of IT can support organizations in generating value-added from IT, contributing to the broader objectives of corporate governance (Weill & Ross 2004). As in other sectors, IT is an intrinsic component of modern banks' operational functioning. It has become the backbone of almost all banking processes, considering the growing role assumed in: (a) supporting management in strategic decisions; (b) facilitating the automated control environment on which core banking data are based; (c) developing new products and services to compete in the¯nancial markets; (d) improving distribution channels.
Nonetheless, while IT has emerged as a strategic resource in today's banking business environment, it can also raise critical issues.
Banks' capacity to capture robust data for timely and automated risk identi¯cation increasingly relies on data and technology infrastructures. The lack of the ability of many banks to e±ciently and e®ectively provide Senior Management with a real picture of the risks the organization faces À À À which was more evident during the global¯nancial crisis À À À has led to a renewed attention to IT management from Regulators.
In light of the above, this study intends to contribute to the academic debate deepening IT governance mechanism in the banking sector, namely, IT governance transparency: which is de¯ned as the attitude of¯rms to provide adequate and relevant IT governance information timely and in an e®ective manner to stakeholders, to improve management's attitude in using IT (Millar et al. 2005, Eldomiaty & Choi 2006, Raghupathi 2007, Joshi et al. 2013. We rooted our research on the widely-shared assumptions that¯rms with good IT governance tend to disclose more on mechanisms related to IT (e.g. Clarkson et al. 2004).
In particular, we aim to highlight if the renewed interest on IT governance paid by scholars and regulators also in°uenced banks; furthermore, where this attitude could be con¯rmed we explore if banks are moved by value-driven decisions or by regulatory constraints. Highlighting the possible behavioral changes and their driving forces, we form the premise to see if, like other corporate governance mechanisms, an increased focus on IT governance results in better performance of banks, as measured by both market-based and accounting-based indicators.
In order to grant the replicability of our study, we base our analysis on banks' public disclosure (this is an added value with respect to previous studies which use case studies and/or questionnaires to deepen IT governance practices). Moreover, we have developed an original descriptive framework of IT governance (ITGF) disclosure tailored to the banking sector to explore the attention paid to the topic in the banking sector. Using the ITGF, we performed a content analysis to measure the level of attention on IT governance through the years (2008)(2009)(2010)(2011)(2012)(2013)(2014)(2015) and a cross countries, from both the banks' and Supervisors' perspectives.
This study provides several insights into the academic debate within the macro strand of literature on the corporate governance mechanisms, deepening the less analysed strand of IT governance and focusing on the banking sector from di®erent perspectives.
In particular, the analysis falls in the strand of literature focused on the understanding of the impact of¯rms' corporate governance attributes on performances, that have gained a growing interest especially after the recent¯nancial turmoil and mainly in EU countries.
The paper has the following structure: Sec. 2 provides the background of the research, including prior literature and the development of research questions, Sec. 3 describes the research methodology and the sample and data collection, while results are reported in Sec. 4. Section 5 summarizes the main conclusions and suggests future research.

Backgrounds and Development of Research Questions
2.1. IT governance transparency: level of disclosure as a proxy of governance practices IT governance and its attributes and mechanisms are mainly conceptualized in the literature following corporate governance principles (Korac-Kakabadse & Kakabadse 2001, ITGI 2003, Weill & Ross 2004, Peterson 2004, Jordan & Musson 2004, Mähring 2006, Willson & Pollard 2009). In the e®ort of identifying e®ective IT governance arrangements, scholars identify di®erent mechanisms of IT governance (Sambamurthy & Zmud 1999, Kambil & Lucas 2002, Trites 2004, Weill & Ross 2004, Andriole 2009, Huang et al. 2010, Xue et al. 2011, focusing in particular on the role of the Board of Directors, on the e®ectiveness of the IT steering committee, on the relationship between IT control and¯rm performance, on the IT investment performance, and on IT audit issues (Trites 2004, Hu® et al. 2006, Mähring 2006, Boritz & Lim 2008, Gu et al. 2008, Merhout & Havelka 2008. Less attention seems to be paid to IT governance transparency, de¯ned as the ability of¯rms to provide adequate and relevant IT governance information in a timely and e®ective manner to stakeholders (i.e. investors, policy makers, and regulatory bodies), to enable them to assess management's behavior in using IT (Millar et al. 2005, Eldomiaty & Choi 2006, Raghupathi 2007, Joshi et al. 2013. The existing literature proves that¯rms provide information on IT governance À À À voluntarily À À À if they obtain bene¯ts such as reduced cost of capital (Barry & Brown 1985, Vanstraelen et al. 2003Easley & O'Hara 2004, improvements in liquidity (Diamond & Verrecchia 1991, Kim & Verrecchia 1994, and better information intermediation (Bhushan 1989, Lang & Lundholm 1996. Based on the study of Lang & Lundholm (1996) and Clarkson et al. (2004), we infer that the better IT governance¯rms have in place, the more they are incentivized to disclose. This allows us to base our analysis and our evaluation on banks IT governance on the level of disclosure regarding IT governance attribute.
It is important to bear in mind that corporate disclosure of IT governance does not adhere to any standardized or mandatory reporting format which could be used by banks. This is a fundamental premise to develop our research: as reported in the literature, the fact that banks' IT governance disclosure is voluntary and linked to the bene¯ts that can ensure, leaves spaces for in-depth studies addressed to investigate if IT governance practices are in place. Establishing and measuring the relationship between IT governance mechanism and IT level of disclosure is challenging because it may overcome the main di±culties in measuring corporate governance mechanisms and more speci¯cally IT governance ones without the access to internal resources; thus, in trying to solve this issue, the meta-objective of the paper is to establish a methodology for further research on this topic.
To the best of our awareness, also the existing IT governance literature does not propose any single standard framework to assess IT governance using disclosure practices: all empirical analysis are based on surveys and/or single case studies, i.e. on internal information. The only exceptions are Joshy et al. (2013) and Leo & Panetta (2018) that propose a di®erent framework based on public information. Analyzing banks' from outside, we are aware that banks would not disclose on all aspects of their IT governance, also because they are not forced to describe speci¯c procedures related to their IT strategy and so on.
Considering this theoretical premise, we expect to¯nd some clues of speci¯c structural IT governance mechanisms settled in each institution analyzed. For example, a bank might disclose the presence of Technology Committee to implement IT strategy, or of CIO to support business goals with IT management at the top level. The underlying assumption is that the dissemination of this kind of information makes sure stakeholders that the bank has an IT governance structure and that À À À probably À À À IT policies and procedures are established.
Therefore, our¯rst research question is: Q1: Has the level of IT governance disclosure changed after¯nancial turmoil?
We expect an increase in the level of disclosure on banks' IT governance meaning greater attention at the¯rm level of IT governance issues also considering the growing importance of IT in the banking sector.

IT Governance disclosure and regulatory environment
Since IT governance À À À like other aspects of banking business À À À can be in°uenced by the regulatory environment, it is essential to understand in which direction Regulators have recently moved. Indeed, there are no provisions at international level regulating directly IT governance: some of the more recent interventions (EBA, BCBS, EC) only indirectly a®ect IT governance allowing Regulators large degree of autonomy in discipline the issue at national level. As mentioned above, the recent¯nancial turmoil started in 2007 has catalyzed the attention, among others, on risk management and in particular on the processes, data management and the new emerging risks, such as IT risk.
The renewed interest in risk management has culminated in the necessity of reviewing the regulatory framework. In fact, at the international level the BCBS has . started a comprehensive review of Basel II, culminated in the release of a reform package known as Basel III Framework (corresponding to Capital Requirements Regulation (CRR) and Capital Requirements Directive (CRD IV) in EU countries) which has a®ectedalbeit indirectly -IT governance, emphasizing that risk management systems should have appropriate Management Information Systems (MIS); . rolled out a new set of Principles with the aim of developing banks' Risk Data Aggregation and Risk Reporting, requesting banks to comply starting from 2016.
In the renewed Basel framework, there is no speci¯c reference to IT-related risk and IT risk management processes, neither in other international regulatory intervention; IT risk is considered as a sub-type of operational risk (see art. 85 CRD IV). Articles 4 and 321-325 of the CRR set out the measures that¯nancial institutions should take to manage operational risk (and the related capital requirements), including risks related to cyber-attacks (CRR, CRD IV). Banks also need to have a contingency lens that ensures continuity of their business and limit losses in case of severe disruptions.
The CRD IV requires banks to perform a signi¯cant update to their IT risk management regarding: . process: the implementation of the rules and standards into their business, leading to new opportunities and adapted business processes; . data: under the new rules, banks will need to demonstrate data quality and traceability; . technology: one of the most signi¯cant impacts from a technological standpoint is the ability to produce integrated reports, with consistent reporting across the company. Furthermore, at a European level, the EBA Guidelines provide direction to the Supervisors for assessing banks' IT risk (EBA 2016) to reinforce the importance of an adequate IT risk management for banks: one more time, Regulators don't address to banks speci¯c requests for an e®ective IT risk management but set a framework for Supervisors to monitor this topic at institution level.
Considering that all these changes in the regulatory environment may result in strategy overhaul, process review and IT system impact, we want to examine whether any di®erences in Regulators' awareness to IT concerns at the national level will induce di®erences in banks' IT governance to comply with regulatory prescriptions or guidelines, if any. Thus, the second research question is Q2: To which extent the Supervisors' behaviorif changedhas a®ected the attention paid by banks to the theme?
We expect that Supervisors' habits highly condition changes in the banks' level of the disclosure.

IT Governance disclosure and bank performance
Over time, previous studies focused on the relationship between corporate governance and performance have spanned using di®erent types of analysis, moving from the use of the link with the agency costs, or transaction costs (Fama & Jensen 1983, Williamson 1985, Grossman & Hart 1986, Hart & Moore 1990, Shleifer & Vishny 1997, Zingales 1998, to the link with the decision-making dynamics (Zahra & Pearce 1989, Johnson et al. 1996, Hillman & Dalziel 2003, Zattoni 2006, Ca®erata 2007, Miglietta 2007, Minichilli et al., 2009, Fortuna 2010; from the investigation of a positive correlation among the performance of listed companies and the implementation of corporate governance best practices (Becht et al. 2002, La Porta et al. 2002a, Bhojraj & Sengupta 2003, Gillan & Starks 2003, Gompers et al. 2003, Kiel & Nicholson 2003, Wood & Patrick 2003 to the impact of board characteristics on performance (Arnaboldi et al. 2018). Furthermore, we notice that the most recent empirical studies conducted in di®erent national contexts do not show convergent results. While researches carried out in Emerging Market shows a general positive correlation between corporate governance and market value of companies, for OECD countries, the results appear to be di®erent. Gompers et al. (2003), in studying US context, show a strong positive correlation between speci¯c \anti-scale" measures and Tobin's Q, while Larcker et al. (2007)¯nd the existence of a weak positive relationship between Tobin's Q and common corporate governance indicators. Furthermore, Bhagat and Bolton (2008) report a positive relationship between a series of corporate governance measures and accounting values, while there is no evidence of a correlation between market values as performance indicators. Furthermore, Bauer et al. (2004) prove the absence of a signi¯cant relationship between corporate governance and performance variables, both in terms of market (Tobin Q) and accounting (ROA and ROE) variables. Drobetz et al. (2004) in a sample of German companies show a positive relationship between corporate governance variables and market value.

Vice versa
Two key takeaways emerge from the literature: . the overall quality of a corporate governance system contributes to the increase in the economic and¯nancial value of listed companies (Alexander et al. 2007, Schmid & Zimmermann 2008, Renders et al. 2010) measured through speci¯c variables; . the understanding the speci¯c impact of certain variables on company performance is not supported by generally shared results.
Traditionally, literature has deepened IT issues relating to the banking sector analysing IT as a critical resource in improving operating e±ciency in the banking system (Banker et al. 2009, Berger 2003, Chiasson & Davidson 2005, Chowdhury 2003, Fuβ et al. 2007, Zhu et al. 2004. Nonetheless, only a tiny strand of the recent literature has started to analyze banks' IT governance (e.g. Pardo et al. 2011). In fact, Information Technology with respect to the banking sector delved into considering its linkages with e±ciency and with divergent results. Moreover, empirical evidence supports both the IT as key resource in improving banks' operating e±ciency thesis (Banker et al. 2009, Berger 2003, Chiasson & Davidson 2005, Chowdhury 2003, Fuβ et al. 2007, Zhu et al. 2004; and, at the same time, the presence of weak, or no existing, relationship between IT and productivity (CEA 2001, McKinsey Global Institute 2001, Beccalli 2007.
Academic studies have been on one side focused on the relationship between corporate governance and performance, and on the other side between IT investments and banks performance; in both cases, the lack of studies on the causal relationship between IT Governance and banks' performance allow us to address the following research question. Q3: Do IT Governance level of disclosure impact on banks' performance?
We expect a positive relationship between banks' performance and IT governance practices expressed by the level of disclosure in this topic.

The construction of IT governance disclosure index
Our analysis is devoted at evaluating the IT governance practices in a sample of EU banks over time and across countries (Italy, Germany, France and Spain) to observe if the attention to this issue has increased and varies geographically (Q1), in°uenced by regulatory constraints (Q2), or changes at banks' level depending on value-driven decisions.
With the aim of answering our research questions, it is¯rst of all necessary to de¯ne the measure of the di®erent attitude of banks to IT governance concerns.
To this purpose, as mentioned above, we assume that the level of disclosure on this topic performed by each institution could be a proxy of the di®erent way of behavior towards IT governance.
The level of IT governance transparency is measured from a unique dataset built up performing the content analysis (Weber 1985) on public disclosure documents of observed banks (see Sec. 3.3).
We perform the content analysis following the¯ve stages reported in Table 1.
We construct a so-called IT Governance Framework (stage 3) according to previous scholars that contributes to assessing IT governance and based on our pilot study conducted on the Annual Reports of banks/Supervisors and main international regulation; Appendix A provides a brief description and supporting literature for each item included in the four focus areas/categories.
According to the prevalent literature, we suggest that the level of transparency of IT roles and responsibilities (IT Role & Responsibility, ITRR) can be used as a proxy of a good IT governance practices. In our opinion, the presence of the following roles is the necessary premise for an e®ective IT governance: (i) IT strategic roles; (ii) IT senior management; (iii) IT operational roles; (iv) IT control roles.
The de¯nitions of corporate governance (OECD 1999(OECD , 2004, of which IT governance can be considered as a sub-set, present a need for leadership (strategic roles), direction (Senior Management) and control (roles). Therefore, IT governance must be driven from the highest levels within the organization not only from the IT department or business unit levels (operational roles) across the organization (Webb et al. 2006). In order for IT to be e®ectively governed, the presence of a variety of roles can be considered as a necessary premise.
Compared with previous studies, we improved the number of items related to control functions. Indeed, starting from the main three obligatory control functions in banks de¯ned by Basel documents (risk control, compliance and internal audit), we have considered IT risk control, IT compliance, and IT audit; we presume that with a growing level of complexity and interdependencies of banks' technology and operating structures, IT control roles should be reinforced and, to some extent, performed internally. Inspect the institutions' documents with the help of the software MAXQDA r in order to verify whether or not each item within ITGF is present. 5 Build up a unique dataset to be used to measure the level of IT governance disclosure.
With the second focus area (IT Resources & Plans, ITRP) we aim to investigate the relevance attributed to IT resources/process and infrastructures, in the belief that, due to both competitive and regulatory pressures, the relevance of IT management elements would increase, and consequently, the related information in the public documents.
In order to capture IT risk management practices (IT Risk Management, ITRM), we consider the main phases of risk management process: identi¯cation, evaluation, treatment and monitoring. The underlying hypothesis is that the main constituent of IT risk management should be communicated to all relevant stakeholders. With this indicator, we try to¯x if banks disclose regard the presence of IT-related risk management policies/processes, and if IT risk is treated jointly or independently to the operational risk management framework.
The last focus area, ITINV is focused on IT budget/investments. Even though in the past two decades, practitioners and scholars (ITGI 2003, Weill & Ross 2004 have paid great attention to this topic, but the major part of these studies focused on the relationship between disclosure on IT¯nancial matters and economic bene¯ts for rms. In our research, we analyze IT investments as an attribute of IT governance disclosure, since budgeting and investments are the responsibilities of Top Management (ITGI 2003), and better IT governance practices are based on clear information on IT investments useful to assess the business value of IT.
Using the selected set of items, we inspect the institution documents to verify the presence and the frequency of each item (stage 4); this information was structured to de¯ne a unique dataset used to compute a total IT governance score which represents the number of times that each item is disclosed in the reports analyzed. Given the impossibility to discriminate if institutions write a short sentence or an entire section regarding IT governance in their reports, we decided to consider not only the presence of each item (0,1) but also the total number of times they are enumerated (frequency, item score). The underlying assumption is that the more institutions mention ITGF items, the higher is the level of disclosure. For example, if we¯nd evidence of Internal Audit position¯ve times in the Annual report, then an item score of 5 is assigned. By changing the level of aggregation considered, we can calculate di®erent IT governance score: Total ITGF score, Category and sub-category score.
In order to analyse banks' behaviors, we calculate four IT governance indices, one for each focus area within ITGF (ITRR INDEX, ITRP INDEX, ITRM INDEX,  ITINV INDEX); the indices are obtained dividing the category score by the number of expected items in each category (Bollen et al. 2006, Joshi et al. 2013, Leo & Panetta 2018: where ITy Index is the IT governance Index related to y category (namely RR: Role and Responsibility; RP: Resources and Plans; RM: Risk Management; INV: Investment); x i is the sum of the item scores within each category, and N y number of items included in y category. We use the sum of the four ITy index to calculate the total ITGF Index for banks. This index and its components are used to compare the level of IT governance disclosure across time and countries.
In order to measure the changes in the attention paid by di®erent Supervisors/ Regulators to IT governance, we decided to perform the content analysis on a selected group of Supervisors' documents. Speci¯cally, we considered items included in the¯rst three ITGF-categories (ITRR, ITRP, ITRM), verifying whether each item is present (1 ¼ present; 0 ¼ not present) in the Authorities' Annual reports and/or national law. The underlying hypothesis is that in this kind of documents, it is possible to¯nd evidence of a higher level of attention to IT governance paid by Supervisors. To the best of our knowledge, this kind of analysis was not previously performed.
Starting from the resulting original dataset, we build up a comprehensive ITGF INDEX for each Authority calculated as the sum of two speci¯c IT governance indices: . the index calculated on the national regulation of the analyzed countries (ITGF SUP REG), which means the presence of some set by national agencies on the IT governance related topics; . the index calculated on the Supervisors' Annual Reports (ITGF SUP AR), which expresses the attention paid on banks' IT governance issues.

The panel data analysis: The¯xed e®ects model
Aiming at evaluating the in°uence of Supervisors' attitude on banks' IT governance behavior, we infer the relationship between ITGF INDEX BANKS and ITGF INDEX SUPERVISORS (Q2) using panel data model estimates. We employ the panel data model also to verify the existence of some relationship between banks' performance and the level of IT governance disclosure (Q3).
To empirically test Q2, we compute a Fixed E®ect Model as expressed in the following baseline model: where . Y i refers to the level of IT governance disclosure (ITGF INDEX BANKS) of bank i in year t; . X i is a matrix containing the k Supervisors' features (di®erent ITGF INDICES for Supervisors); . z i is the bank control variable (banks size measured by a natural Logarithm of Total Asset, LogTA); . ; and , that are the (1 þ k) coe±cient vectors, are to be estimated; . i þ " i (U it ) is the error term and is assumed to be independent of the k regressors and the bank-speci¯c control variable. The noise " it has assumed identically and independently distributed, whereas i (the time-invariant component) represent unobserved¯rm-speci¯c heterogeneity.
The model controls time e®ects through a full set of yearly dummies. The use of¯xed e®ects helps to mitigate biases caused by time-invariant omitted variables correlated with the regressors which result in inconsistent parameter estimates. The use of lagged regressors in some model speci¯cation helps us to alleviate some of the endogeneity concerns.
We also employ the¯xed e®ects model to verify the existence of some relationship between banks performance and the level IT governance disclosure (Q3) reached by banks. In this case, Y i refers to bank performance indicators (ROA, ROE, Cost to Income, and Tobin Q), and X i refers to bank disclosure indicators related with each sub-category (ITRR INDEX, ITRP INDEX, ITRM INDEX, ITINV INDEX). Being aware that bank performance is not a®ected only by the level of disclosure of IT Governance, we include in the regression model, in addition to LogTA, other explanatory variables linked to the business model, to the riskiness of bank assets and to the level of leverage, respectively: . BUSS, Net Interest Rate Revenues to Intermediation Margin as a proxy of the business model; . RIoASS, Loan Loss Provision to Gross Loan as a proxy of the quality of Loan portfolio; . EtA, Equity to Total Asset as a measure of leverage.
See Appendix B for variable de¯nition.

The sample and the data collection
We consider the¯ve major banks of each country, including in the sample at least one G-SIB for each country: the¯nal sample consists of 20 international banking groups (Table 2). Countries selected for our analysis are France, Germany, Italy and Spain due to the dimension of the national banking system in term of total assets, representing together around 73% of total assets of the EU banking sector (ECB, 2016). As mentioned, to perform the content analysis, we record data from di®erent sources of public disclosure of banks included in the sample (398 documents), namely Annual Reports, Corporate Governance reports, Pillar III reports, CSR/Sustainability reports, if any.
In order to calculate Supervisors' ITGF INDEX, we perform the content analysis on the following types of sources: . Supervisors' Annual Reports (30 documents in total, Table 3); . Regulations which, during the period 2008-2015: also, any other speci¯c regulation on IT governance, if available in English (see Table 4). Indeed, in order to ensure the viability of the analysis, in some cases, we chose to exclude some other important regulatory provision because of the native language availability only À À À di®erent from English À À À which prevented us to perform a content analysis.
Regarding the banks' performance indices, we collect data from Bloomberg. Unfortunately, the available data do not cover the entire time span of the analysis reducing the number of observations exploited to answer the research questions Q2 and Q3. In order to ensure data consistency, we use the same source of data instead of calculating indicators based on¯nancial information. This should support the reliability of data and the replicability of our analysis.

Results and Discussion
4.1. Has the level of IT governance disclosure changed after nancial turmoil? Table 5 provides descriptive statistics for the ITGF-variables employed in this study. The mean for the overall IT disclosure index for banks (ITGF INDEX BANKS) is 2.50, representing that on average, during the period considered, banks disclosed on around 103 items of the 41 within ITGF; however, the variance of the index is broad among the sample. Similar considerations can be done for Supervisors' ITGF index, even if the mean value and the range of variation are smaller than banks' ones. As shown in Table 2, the number of documents considered in the analysis di®ers consistently: from one bank to another from 8 documents for the French Cr edit Agricole, Cr edit Industriel et commercial to the 32 documents considered for the Italian Intesa Sanpaolo and Unicredit or Banco Santander and Deutsche Bank. Deepening the analysis at the country level (see Fig. 1), we have not found any evidence of the existence of regulatory constraints regarding the number of the reports to be produced by banks. At¯rst sight, it is possible to a±rm that some banks tend to disclose on IT governance more than others and this attitude is not related to the number of disclosed documents. For our analysis that means not having to normalize the index value calculated for banks by the number of documents provided by each institution: in fact, the correlation between the level ITGF Index and the number of documents analyzed is shallow (0.29), as shown in Fig. 1. We then considered the percentage of IT governance items disclosed by banks and Supervisors in the sample (Table 6) grouped by sub-categories. Before analyzing the results of the Supervisors' behavior, we make it clear that it was impossible to  However, we performed the content analysis using the available version of the three documents: while in Italy we have some¯ndings due to the use of English terms in Table 6. Level of disclosure (Index*) and percentage** of banks and Supervisors*** disclosing IT governance items by sub-categories. ITRR A. IT Control roles 10% 10% 10% 20% 15% 10% 15% 25% B. IT operational roles 60% 75% 80% 75% 75% 70% 80% 75% C. IT senior management 35% 30% 20% 25% 25% 25% 40% 40% D. IT strategic roles 5% 5% 10% 5% 5% 5% 10% 15% ITRP A. IT plans/policy 15% 15% 15% 20% 20% 30% 40% 60% B. IT processes 50% 40% 35% 45% 50% 55% 50% 55% C. IT resources 65% 70% 50% 70% 60% 65% 80% 85% D. IT standard/principles 25% 30% 25% 35% 30% 35% 55% 55% ITRM A. Identi¯cation 50% 60% 55% 70% 75% 80% 85% 90% B. Evaluation À À À 5% À À À À À À À À À À À À 10% 30% C. Treatment 80% 85% 85% 95% 90% 95% 100% 95% D. Management 5% 5% 5% 5% 10% À À À 20% 15%

CAT
Notes: * ITGF INDEX calculated for each sub-category in the sample; **Number of banks that disclose the Items by sub-categories within ITGF divided by the number of banks included in the sample; ***Number of Supervisors, which refer about the Items of each category and sub-categories within ITGF divided by the number of Authorities considered in the study.
national legislation, for France we have found less evidence. Considering these limitations, we analyzed the percentage of Supervisors that enumerate the items included in ITRR, ITRP, ITRM categories (Table 6).
The results for banks highlight the following: . a generalized lack of disclosure of organizational positions (see category ITRR); more attention paid to operational roles related to the insurance of business continuity; surprisingly there is no increase in IT control roles as expected; . ITRP exhibits an increasing number of banks that disclose on IT resources (65-85%) starting from 2013, while not many banks refer about IT policy and IT plans; . ITRM is the most reported focus area; an increasing number of banks in the sample (from 50% to 90%) referred directly to IT risk (et similia), starting to consider it as a speci¯c category instead of being included under the operational risk. A relevant part of the interest by respondent banks is devoted to the treatment phase of Risk Management, and to Business Continuity plans and Information security as a whole; .¯nally, ITINV indicates that most banks reported IT expenditure, but it seems related to accounting policies instead of disclosing investment plans. Perhaps this attitude is due to the strategic and competitive relevance to IT investments and the banks' need to preserve the related programs' details.
For Supervisors, we notice that starting from 2013, they focused on: . IT operational roles for ITRR; . IT plans/policies and IT resources for ITRP; . Identi¯cation and Treatment for ITRM.
Comparing results between banks and Supervisors, we notice a similar behavior among the two groups regarding the sub-categories enumerated. This evidence allows us to verify the existence of an e®ective relationship between Supervisors' attitude and banks' behaviors (Q2).

To which extent the Supervisors' behavior has a®ected the attention paid by banks on IT governance? (Q2)
In order to estimate the relationship between ITGF INDEX for banks and Supervisors, we exploit the wherewithal of panel data models. Table 7 displays the summary of the panel data variables used at this stage of analysis. At¯rst glance, we note a \higher" variation of the dependent variable expressed by the standard deviation, which indicates the ITGF INDEX variation of the banks in the eight years analyzed. Considering the individual ITGF INDEX components, Table 7 shows di®erent attitudes: while ITRR INDEX shows greater variability over time, the remaining three indices di®er more on an individual level. Less evident are the di®erences between the Supervisor indices for which only ITGF SUP AR seems to have a di®erent trend in the periods considered.
Starting from the baseline regression described in Sec. 3.2, we constructed three models by changing the independent variables, all related to Supervisors' behavior. In Model 1, we measured the direct relationship between ITGF INDEX in t of both Banks and Supervisors. In Model 2, we deepen the previous relationship considering the two components of ITGF INDEX SUPERVISORS in t: (a) ITGF SUP AR t , as a proxy of Supervisors' moral suasion; (b) ITGF SUP REG t , as a proxy of a prescriptive attitude of Supervisors. Finally, in the third Model, to alleviate some of the endogeneity concerns, we used 1-year lagged regressors, in particular: (i) ITGF SUP AR tÀ1 , we decided to consider the time lag 1 bearing in mind that the more Supervisors \talk" about IT related issues, the more banks are incentivized to disclose the same topics in the following year; (ii) ITGF SUP REG tÀ1 , which may reveal the behavior of banks in response to regulatory requirements on IT governance.
In all models, we use the control variable LogTa (logarithm of banks' Total Asset) as a proxy of the dimension of¯nancial intermediaries. We consider LogTA for two reasons:¯rst of all, to taking into account the idiosyncratic dimension of the phenomenon; furthermore, from an economic point of view, it could be possible that greater banks are more inclined to invest in IT and then to disclose about related issues. Additionally, we control for time e®ects using a set of yearly dummies. Table 8 summarizes the estimation results. At¯rst sight, the causal linkage between the behavior of Supervisors and banks is faded: in fact, the independent variable coe±cient (ITGF INDEX SUPERVISORS) is not signi¯cant in the¯rst model. Model 2 surprisingly reveal a more relevant and statistically signi¯cant e®ect of the moral suasion that seems to be more relevant on banks' behavior compared with regulating prescription. Model 3 emphasizes the dependence of the bank level disclosure from moral suasion of Supervisors. We have to point out the absence of a signi¯cative relationship between regulation and the level disclosure on the IT issues; this is probably because if speci¯c rules have to be respected by all institutions, there is less incentive to make more disclosure to obtain a competitive advantage. Notes: *p < 0:05 **p < 0:01; ***p < 0:001.    Notes: *p < 0:05; **p < 0:01; ***p < 0:001.
The number of observations changes consistently among di®erent Models depending on the availability of Data; besides, in Tobin's Q Ratio Models the number of observation is further reduced due to the number of listed institution considered in the sample (see Table 2).

Does IT Governance impact on banks' performance? (Q3)
With the last research question, we investigate the causal relationship between the level of disclosure on IT governance and di®erent banks' performance indicators (dependent variables); we choose ROA, ROE, Cost to Income (CtI) and Tobin's Q ratio, since they are the most used in literature. Table 9 displays the summary of the panel data variable used to answer Q3. For each dependent variable, we de¯ne di®erent models considering ITGF INDEX BANK in t (Model a) and ITGF indices related to each sub-category (Model b). For all models, we considered the possibility that performance might depend on the speci¯city of the bank size (LogTa), its business model (BUSS), the riskiness of both asset (RIoASS) and the¯nancial structure (EtA). Besides, we consider the growth rate of GDP to verify the possible dependence in relation of the bank performance with the state of the economy in each country.
Looking at results reported in Table 10, we notice, even if with di®erences, all set Models are in higher dependence of performance from bank-speci¯c characteristics.
Our¯ndings related to ITGF INDEX BANK and di®erent performance measures should be interpreted bearing in mind our theoretical premise: as mentioned above the underline assumption is that the level of disclosure on IT Governance issue can be used as a proxy of the relevance given to the topic in each¯nancial intermediary considered.
Overall, the results suggest that there is no impact of attention paid to IT Governance on accounting-based return on asset and equity.
Results related to CtI reveal a positive and signi¯cant relation with ITGF INDEX BANKS as an all, and in particular with its component related to risk management sub-category ITRM INDEX.
The¯ndings also indicate that ITINV INDEX has a positive, signi¯cant, even weak, in°uence on Tobins' Q ratio.

Concluding Remarks: Key Findings, Limitation and Future Research
IT governance establishes a signi¯cant point of attention for Supervisors and banks as the di®usion, and the complexity of IT continues to increase across the¯nancial sector. Information Technology leads to critical issues: nearby the role assumed in supporting banking business, it can reveal its' dark side, as demonstrated during the recent¯nancial turmoil. In this scenario, ensuring that IT processes are fully integrated into all business processes À À À risk management included À À À can be considered a strategic asset for banks and a new challenge for Supervisors. For instance, IT can ensure to provide Senior Management with a real picture of the risks the bank faces.
As far as the scope of this study is concerned, we have analyzed public corporate disclosure of IT governance practices across major EU banks. Adopting a IGTF governance disclosure, we conducted a content analysis to examine the level of attention paid to IT governance issues across the time (2008)(2009)(2010)(2011)(2012)(2013)(2014)(2015) and countries (Germany, Spain, France, Italy). It is important to underline that corporate disclosure of IT governance does not adhere to any standardized or mandatory reporting format which could be used by banks. This is an essential premise to develop our research: as reported in the literature, the fact that banks' IT governance disclosure is voluntary and linked to the bene¯ts that can ensure, leaves spaces for in-depth studies addressed to investigate if IT governance practices are in place.
Similar considerations should be made on the Supervisors' side. There are no provisions at international level regulating directly IT governance: some of the more recent interventions concerning this issue (EBA, BCBS, EC) only indirectly a®ect IT governance, allowing regulators large degrees of autonomy to discipline the issue at national level; this permitted us to use the same methodology developed for banks to analyze the di®erences in the Supervisors' behaviors. One of the questions to which this study sought to answer is whether this awareness has been reached before by banks or by Supervisors. On this topic, it seems that banks have started to be \interested" before their \custodies", even if both have increased their attention during the period analyzed.
The following further key-points arise from the analysis: (i) banks, within the IT Governance Framework, seems paying more attention to IT Risk Management; (ii) among the others, Spanish banks included in the sample have recorded the most evident change in behaviors while Italian ones have revealed a more constant attention to the theme.
Furthermore, analyzing regression results, we¯nd that banks change the level of disclosure on IT governance in response to Supervisors' moral suasion pressure instead to react to a speci¯c prescription. The absence of a relationship is maybe because if speci¯c rules are having to be respected by all institutions, there is less incentive to make more disclosure to obtain a competitive advantage.
Finally, our results give evidence of a nonsigni¯cative impact of the ITG level of disclosure on banks performance re°ected by ROA and ROE. While cost e±ciency (CtI) and Tobin's Q Ratio seem to be sensitive to the level of disclosure on IT governance, and in particular respectively on component related to risk management, and on the level of disclosure on investment on IT.
The study contributes to the existing literature in several ways. It enriches the current understanding of IT governance in banks, focusing on the level and the content of IT governance disclosure. Secondly, it highlights the regulatory environment that favored IT governance practice in banks and tried to measure the intensity of this relationship. Moreover, it contributes to the governance disclosure literature providing an original methodological framework based on solid theoretical background.
The theoretical approach used in this study may well serve as a base for further analysis. The study may be replicated across other EU countries not included in our sample to get more signi¯cative results, from a statistical point of view and to complete the normative framework with the missing provisions.     it is calculated for each bank dividing: the number of times that each item is disclosed in the reports analyzed; also, the number of expected items comprised in RP category  the number of times that each item is disclosed in the Supervisors' Annual Report analyzed; also, the total number of expected items within the ITG Framework Authors' calculation using content analysis results ITGF SUP REG IT Governance Index calculated on the national regulation; it is computed for each Country dividing: the number of times that each item is disclosed in the Regulatory Framework analyzed; also, the total number of expected items within the ITG  Appendix C. Correlation Matrix