IT Governance

by Alison Holt, founder and director of Longitude 174 Ltd, a company specialising in information technology (IT) governance. Article kindly reproduced with permission from Boardroom magazine, the journal of the Institute of Directors.

I am a cricket umpire and company director and I see a lot of similarities between the two roles.  If a cricket umpire loses concentration on the game in hand, for even the briefest moment, the results can be disastrous, and so it is with being a company director.  Some decisions are very straightforward to make and give – ‘no brainers’.  Some decisions are very easy to make (you know the batsman is out) and difficult to give (and now his team have lost).  Some decisions are difficult to make and to give.  Most leg before wicket (LBW) decisions fall into this category.  I was told in my first season as a cricket umpire that if I didn’t give a single LBW, I’d be right 95% of the time.

And thus it is with IT investment decisions – hard to make, hard to give, and often based on such woolly assumptions that saying ‘no’ to an individual appeal, however loud and threatening, might be the right decision.  So, why is this?  Well, often the supporting information for the proposed investment is written in IT terms and not as plain English business requirements, and on top of that you have a ‘gut feel’ that the numbers don’t stack up.  A new payroll system for a medium-sized New Zealand business could cost $1 million, but that’s nothing like the full cost of deployment.  In fact, the $1 million is just the beginning of the overall organisational cost – the cost of implementation – including the hardware for it to sit on, the training for the staff to use it, the development and delivery of new business policy and process, and so on.  And then there is the cost (emotional, financial, lost sleep, too many coffees to soothe wounded souls and so on) of the change to organisational culture, which could be of Titanic proportions.  These additional costs are not always captured accurately in the business case that gets put before the board.  Go with that initial ‘gut feel’.

Is this the fault of the IT managers?  No – not necessarily.  The young IT developer working in a pod in the office might not even know who his CEO is.  It’s not because he’s not highly intelligent or motivated in his job.  It’s just that he’s not interested.  It is possible to have a healthy career in IT and get to an IT management role having had little business training, and without having the discernment to fully interpret the gap between what the business wants and what the business needs.  Possibly, you are also using external IT consultants who have little experience of your day-to-day business.  Optimal timing for IT change is also a difficult skill to master.  Let’s return to the payroll example – December sounds good for ‘go live’ because it’s the slack period, but you’ll end up training the users twice.  The end of the financial year sounds neat and tidy, but is only good if you think your CFO could do with more stress!

So how can a board make good IT investment decisions when the information presented initially is possibly incomplete, inaccurate and ill-advised, and the accompanying timing and planning is plainly impractical?  Can I hear cries of ‘outsource, outsource!’?  Well, sorry folks, there’s more bad news – you are unlikely to be successful outsourcing your IT if you don’t first understand your IT environment well enough to make good internal IT investment decisions.  What can be done?  Is there a simple checklist that directors can turn to for a sanity check on IT investment decisions?  Yes, there most certainly is!  It’s in the form of an international Standard, ISO/IEC 38500, Corporate governance of IT, and it was published in June this year.  The Standard has been designed to assist boards in making sound IT investment decisions, and in understanding and managing the risk and compliance profiles associated with company information.

IT governance principles

The Standard includes six principles, which relate IT decisions to the following areas of corporate governance:

  1. responsibility
  2. strategy
  3. acquisition
  4. performance
  5. conformance
  6. human behaviour.

These principles can be used as a simple checklist for making IT investment decisions, or can be developed into a full IT governance framework.  This framework will be owned by the board and implemented by the IT management team.  The board owns the overall strategy and the associated review cycle.  The IT strategy for an average organisation should be reviewed every six months, or when the organisation’s vision and mission change – whichever comes sooner.  For a fast-growing company, more regular reviews would be appropriate.  Rather than ask for warranties on the implementation of the strategy, set very clear expectations with carefully chosen key performance indicators and key performance goals.  By the time warranties aren’t met, it’s generally too late.

Your full governance framework will include principles linked to your organisation mission and vision, charters to provide an expectation of what is delivered for IT services, data and systems, policies to ensure that IT is handled in a consistent way across the organisation, and procedures to show how to achieve common IT desired outcomes.

IT governance activities

The Standard also describes three activities of the board – to evaluate, direct, and monitor IT-related activities – with the understanding that the board will direct activity having first evaluated current business needs and business drivers.  This activity will then be monitored on an ongoing basis from a risk and compliance viewpoint.

Your competitors and IT governance

It would appear useful to know and understand the IT governance strategy of your competitors.  However, it is my experience that companies that understand IT governance well are reluctant to share what they’ve done.  Also bear in mind that an IT strategy can look excellent until disaster hits – you uncover fraudulent activity and realise you didn’t have an IT security management plan in place, or you have a water leak in your server room and realise you didn’t have a disaster recovery plan and you have no business continuity measures for your mission critical systems.

International observations

As convenor of the international Standards committee that developed the Standard, I have made four interesting discoveries:

  1. Organisations worldwide that implement the IT governance principles listed above appear to perform better than their non-principled competitors.  Maybe this is coincidence or just because they are good at corporate governance in general.  (As a group we have kicked off research to investigate this further.)
  2. Organisations struggling to manage their IT resources often do one of the three activities – they evaluate needs, direct activities, or monitor conformance – but not all of them.
  3. Organisations struggling with IT governance have in many cases confused the IT governance directing and monitoring activity of the board and the IT governance implementation activities of the IT management team.  If directors manage and managers direct, nasty things can happen – often so slowly that nobody notices!
  4. Finding somebody to build an IT governance framework is not easy – the person needs to have a full understanding of IT and of directing a business.  If this were a more common combination of skills, every board would have an IT-savvy director.  This director would be able to interpret the information from the IT management, know whether the IT systems were over- or under-performing, understand the information compliance and IT risk profile, and steer the board through IT investment decisions.  To this end, we are in the process of writing an implementation guide for the Standard.  Watch this space!

Final words of advice

So, in summary, there are problems on both sides of the IT/board divide, and the tables will turn when today’s IT-fluent Gen Ys are sitting on boards.  Until then, here are some words of advice:

  1. However difficult or traumatic your IT day-to-day decisions seem now, step back and take the time to put in place a good IT governance framework for your organisation.  The more you don’t have time to do it, the less you will benefit from the final result.
  2. If your IT management can’t put their requirements in plain English, don’t sign them off.  How will you ever know if they’ve been delivered?  Or if you even needed them?
  3. Run through the six principles in the international Standard with your IT management team.  It will provide a good basis for discussion.
  4. It hurts me to say this as an IT consultant – but don’t continually pay out buckets of money for streams of IT consultants to come and help you make decisions.  Retain your IT IP in-house and invest in training and mentoring to get your team up to full speed.  Implementing an IT solution is one thing – maintaining it for the next three years is a different matter.
  5. Don’t sign off on an IT project unless it’s been reviewed by the poor people who will need to operate and maintain the output, and you know what the plans are to retire the output.  Look for life cycle thinking within your IT decisions.  As you monitor the project, document all changes to scope and associated additional costs as you go along, and then at least the overruns won’t be a surprise.  Ensure that your business people understand that what looks like a minor functional change might have huge implications for the project team.
  6. Be wary, though not totally dismissive, of something that’s never been attempted before.
  7. Measure the value of all IT investment against the original business case.  It is not enough to meet time and budget predictions for delivery.  Did the project deliver the expected business benefits?  If not, why not?  Ask yourselves, ‘what are we going to put in place to make sure that this doesn’t happen again?’

And finally – make sure that as a board you are evaluating, directing, and monitoring IT decisions.  If you are not evaluating, put some thought into how you are going to collect business intelligence.  If you are not monitoring, build a reporting framework that matches IT goals with organisational goals.  Ensure that your IT management team sends through information that you can interpret, and continually review the value of what they submit.

If you are not directing, put the ownership to direct activity on one of your most able directors.  If nobody comes to mind as suitable, it might be time to look for an additional director.  I’m sure that the Institute of Directors would be delighted to help you find somebody suitable!

Published in business and ICT.