The document discusses research conducted by the IT Process Institute on the relationship between IT controls and organizational performance. The research found that: 1) Higher performing organizations consistently implement a small number of "foundational" IT controls related to change management, access controls, and configuration management. 2) For larger organizations, nine additional controls around release management, problem management, and service level management help explain performance differences. 3) How organizations manage exceptions to IT processes, through detection and enforcement of consequences, is a key factor in performance. Those that do not enforce consequences see less benefit from controls.