Getting to grips with governance issues

A crucial distinction to remember is that ICT governance is a separate function from ICT management

“Governance” is the flavour of the day. Everyone from politicians to low-level line managers is now using the term. But how many people really understand what it means — particularly when it comes to ICT?

There are dozens of definitions, depending on whose website one accesses. And consultants are lining up to offer advice or to rework businesses to fit perceived requirements.

However, the one thing governance is not is management: the two are different concepts that are often confused by people.

Mark Toomey, one of the authors of Australia’s new standard on corporate governance of ICT — AB8015 — says governance is about getting better results and value for money from investment in ICT. He says business leaders are still not engaging with IT, and that governance has an important role to play in fixing this.

He has proposed six high-level principles:

• Establish clearly understood responsibilities for ICT

• Plan ICT in a way that best supports the organisation

• Acquire ICT validly (that is, have good reasons for investing)

• Ensure ICT performs well whenever required

• Ensure ICT conforms to formal rules

• Ensure ICT use respects human factors.

There should be a rolling review programme of process-performance and direction, and periodic external assessments, to provide an independent perspective.

Today, software vendors provide a range of automated tools to assist with governance. In the interests of trying to understand where there is common understanding, Computerworld sent the following short questionnaire to four vendors: Borland; IBM; Serena, which is represented in New Zealand by ActivateNZ; and Compuware, as well as to two research companies including IBRS.

We asked:

1. Differentiate between corporate governance and IT governance.

2. Is IT governance a top priority for CIOs over the next few years and, if so, why?

3. What are the major benefits of implementing an IT governance programme?

4. Where is a good place to begin when looking to improve governance procedures and controls?

5. What are the risks CIOs face if they don’t embrace IT governance?

6. Can IT learn from other areas of business that have encountered similar demands for better governance?

7. Is there one word or phrase that can be used to define an effective governance programme?

Here is what our vendors and research firms had to say:

Borland sales manager Chris Gray.

1. Differentiate between corporate governance and IT governance.

Corporate governance is an enterprise-wide initiative based on business strategy and objectives. IT management and governance focuses on the IT portfolio, as a sub-set of broader corporate governance goals and objectives.

IT management and governance processes enable CIOs to maximise returns on their IT and software investments, by improving up-front decision making and streamlining day-to-day execution [of tasks]. The data housed within supporting IT governance systems provides management with the updated information it needs to course-correct, as priorities change, and to better understand the impact of changes before they are made.

2. Is IT governance a top priority for CIOs over the next few years and, if so, why?

With IT becoming such a critical business function, and compliance mandates putting pressure on everyone, executives now see IT management and governance initiatives as more of a “must-have” than a “nice-to-have”.

Last year Greg Symons of Forrester Research wrote: “Optimising IT investments must become a priority… There is just too much at stake today for organisations to leave IT governance to chance or legacy processes.”

3. What are the major benefits of implementing an IT governance programme?

CIOs see four primary benefits resulting from effective IT management and governance. These include the ability to:

• Gain visibility and control over their organisation

• Align IT investments with strategic business goals

• Improve execution through more effective and efficient use of resources

• Comply with industry and government regulations.

4. Where is a good place to begin when looking to improve governance procedures and controls?

As with most successful IT endeavours, an effective IT management and governance initiative comes down to solid requirements and well-defined, mature processes. The key here is to make sure those requirements and processes are customised and tailored to the specific environment in which they’ll be implemented. When defining governance processes, or selecting and configuring an IT management and governance system, make sure those processes and systems reflect the goals, make-up, maturity and culture of the organisation.

For example, are team members in different locations? If so, the underlying system that collects and analyses the data should support distributed and global currencies. Are the current processes in place ad-hoc and undocumented, or is the organisation already working at Capability Maturity Model (CMM) Level 3? If existing processes are immature more time should be spent up-front in defining, documenting and training employees regarding consistent processes.

By taking a personalised approach, CIOs can optimise the benefits they realise from an IT governance initiative.

At the same time, an incremental approach can help CIOs deliver value much faster than a monolithic approach, which can require large up-front investment and perfect processes right from the start. CIOs who want to foster greater … [take-up], from both executives and users, should set realistic goals and [register] ongoing success milestones. This is a good way to speed adoption and preserve agility as priorities change.

5. What are the risks CIOs face if they don’t embrace IT governance?

Today’s CIOs must work closely with key business leaders to prioritise technology-related initiatives, from selecting to approving and managing all major IT projects.

They must optimise investments, resources and budgets, and more — playing both a support and a leadership role to all groups within the business. CIOs play a much broader role in today’s organisations than did their predecessors.

Today they occupy a place in the boardroom and are accountable not only to the CEO and CFO but also to the lines of business they serve. Their chief concern is no longer to simply keep the lights on but to provide value and infuse innovation into the organisation.

Yet many CIOs still struggle to effectively manage and govern their IT processes.

Why have only the most strategic CIOs fully implemented a governance strategy? It’s not easy. But neither is running a business or implementing any other significant enterprise-level initiative. With risk comes great reward, and, luckily for our industry, the risk of implementing an IT governance strategy and system isn’t as risky as it once was.

Systems to support these initiatives are now also more abundant, affordable and easier to implement. And there are also best practices and proven successes from which one can draw.

Those success stories prove that the right strategy, training and support can go a long way towards reducing the risks of implementing an IT governance initiative.

6. Can IT learn from other areas of business that have encountered similar demands for better governance?

Even if an IT management and governance strategy is initiated for one particular area (that is, operations or application development), the responsibility for making it a success should be shared by everyone.

The CIO must be willing to be the primary sponsor of the effort, to get everyone focused on the right goals and to help minimise cultural obstacles and adoption challenges. However, as with any other high-priority business initiative, senior executives outside IT must also buy in and support the initiative. After all, this has the potential to significantly impact on, and contribute to, the company overall.

7. Is there one word or phrase that can be used to define an effective governance programme?

An effective IT management and governance initiative can help the CIO take more control over the organisation, positioning the CIO and the team, and their work, as a more strategic asset to the business.

IBM — Martin Stubbs-Race, a managing consultant for IBM Australia and New Zealand’s “Strategy and Change Practice”, which specialises in providing management advice to CIOs.

1. Differentiate between corporate governance and IT governance.

IT governance is a component of corporate governance. Corporate governance is broadly defined as [ensuring] an organisation conforms to its corporate responsibilities, in terms of legal standards and principles of behaviour. In the case of public sector organisations it is about conforming to policy.

Increasingly, we are witnessing, with the introduction of legislation such as Sarbanes-Oxley, greater responsibility for information management being placed on the CIO. Hence, IT governance is becoming gradually more significant, so the lines between corporate governance and IT governance are beginning to blur.

However, as CIOs are increasingly charged with the responsibility for information, there is still a [separate] role for them [and they need] to consider separate IT governance structures and mechanisms from that of corporate governance. This … [is because of the structures] surrounding the business of IT—such as the architecture, operations, and application portfolio decisions.

At the same time, large investments, as in the case of enterprise systems, still need to be made at the corporate governance level.

2. Is IT governance a top priority for CIOs over the next few years and, if so, why?

CIOs are accepting IT governance as one of their top priorities. For some time, many CIOs have had in place what might be referred to as supply-side governance, which refers to governance concerning the operations, maintenance and development of systems within IT. Supply-side governance is critical to delivering IT. Today, however, CIOs are increasingly looking to better manage the demand-side of IT services. With the growth in service-oriented architecture IT is opening up its capability to a range of possibilities built around services rather than applications. This means that business users of IT can get better business outcomes from their IT systems — when the demand for IT services is managed effectively to meet their expectations.

3. What are the major benefits of implementing an IT governance programme?

The major benefit of implementing IT governance is to bring forth an efficient return on the significant investment that corporations are devoting to IT. The ultimate aim of IT governance is to answer the age-old question of: “Am I getting significant business value from my IT investment?”

For this answer to be positive, an IT governance programme must be able to address both sides of IT governance: supply and demand.

Today, there are many organisations that have adopted a strong supply-side IT governance model, through the implementation of ITIL and COBIT. Yet, at the same time, they have neglected to address the equally significant demand-side of IT governance.

The supply-side will address the CFO’s efficiency concerns. The demand-side will address the CEO’s business growth and innovation concerns, enabling the business to utilise and benefit from powerful approaches, such as service-oriented architecture.

Demand-side IT governance will also engage business owners in the process of making investment decisions around IT, which will lead to better and more informed decisions [being made] for both IT and business groups within an organisation. With limited, or increasingly fixed IT budgets, the business, in strong collaboration with the CIO, can now make better strategic decisions around the use of IT, thereby enabling IT to expand beyond simply being a cost centre … [and become] an enabler of the business goals.

4. Where is a good place to begin when looking to improve governance procedures and controls?

A good place to start is with the basics:

a) Does the organisation have good supply-side IT governance practices in place, built around standard process and measurement frameworks such as ITIL or COBIT?

b) Does the organisation know how IT investment decisions are made? Are they centralised or decentralised? Is there a common set of principles around which decisions are made?

c) How are the different IT governance mechanisms linked within a corporation? Who approves [spending] and up to what value? Do people understand the impact on corporate IT architecture and business architecture?

d) Who sets the principles regarding IT governance and how often are they reviewed?

e) How are investment decisions prioritised?

f) Are key business people involved in the IT governance process?

Asking the above questions ensures that corporations consider both the supply and the demand sides of IT governance, and ensures that IT investment benefits the business as a whole, and that both IT and business leaders have been engaged in key decision-making and investments.

5. What are the risks CIOs face if they don’t embrace IT governance?

CIOs cannot afford to ignore IT governance mechanisms and procedures. If they do so they run the risk of being disenfranchised from their business-executive peers and risk operating in silo-based organisations, where IT spending does not lead to tangible business outcomes. This leads to IT being viewed by business leaders as a commodity, and a costly investment, and not as an enabler of change.

6. Can IT learn from other areas of business that have encountered similar demands for better governance?

IT can learn a lot from financial governance. Financial governance has been in place for many years and provides discipline, rules, and controls around financial decisions. Given that IT is pervasive within most businesses and cannot, especially in large corporations, be centrally controlled, it makes sense to impose top-down governance mechanisms. Putting in place controls built on principles will provide much needed discipline around IT decisions in the same way financial governance controls the finances of a corporation or government department.

7. Is there one word or phrase that can be used to define an effective governance programme?

The best word to use would be “leadership.” This means that someone with a strong understanding, and discipline, must initiate and drive the IT governance programme.

A formidable leader is needed to champion the IT governance cause and become its advocate to key stakeholders.

An effective IT governance programme will only become a reality when someone takes the initiative and makes it happen.

Serena – Mike Lowe, director ActivateNZ

1. Differentiate between corporate governance and IT governance.

Corporate governance is best defined as protection of shareholder value. The procedures and controls put in place ensure the best interests of the shareholders are what govern the strategic, tactical and operational decisions taken by the leadership team.

IT governance is similarly defined as the procedures and controls put in place to ensure the best interests of the shareholders [are upheld] and which govern the strategic, tactical and operational decisions of the IT leadership team.

At a more practical level, IT governance refers to the management processes that enable public or private sector organisations to gain more qualitative and quantitative benefits from existing and planned IT investments, irrespective of whether the systems and related services are owned or outsourced.

2. Is IT governance a top priority for CIOs over the next few years and, if so, why?

IT governance should be the top priority for NZ CIOs over the next few years for one very compelling reason: if the local IT industry fails to deliver the systems and related services that New Zealand public and private sector organisations need to compete in a global market then those organisations will either fail to protect their shareholders’ interests or be forced to seek their systems and related services from off-shore — at a premium [price].

3. What are the major benefits of implementing an IT governance programme?

The greatest benefit from implementing IT governance is the optimal use of limited IT resources. We all know the value of good people; poor IT governance is a most inefficient use of valuable skills and experience. IT is known to waste around 40% of total budget.

The majority of this waste is a direct result of poor governance procedures and controls, leading to poor decisions regarding ‘what we do’ and ‘how we do it’.

4. Where is a good place to begin when looking to improve governance procedures and controls?

I recommend two functional areas to focus on when looking to improve IT governance maturity:

• Investment analysis — [look to] complementary enterprise and solution architectures (52% of the total waste in IT is a direct result of poor investment decisions)

• Change management — standardise on an effective approach to managing changes of dependent and complex IT systems (80% of all incidents raised through the service desk are a direct result of poor change management).

Once decided upon, the most effective way to get the ball rolling is to get an assessment done of the current methods, techniques and tools available. [This should result] in a brief report of findings and recommendations.

5. What are the risks CIOs face if they don’t embrace IT governance?

There are three major risks a CIO will face from not embracing IT governance:

1. The demand for more IT systems and services will put current limited investments under greater pressure, resulting in high attrition rates, further compounding the problem.

2. The dynamics of business change will require IT to deliver the ‘right’ solutions in a ‘timely’ fashion. Failure to align IT systems to business needs will have significant and dire consequences.

3. To compete in a global market New Zealand companies will need to partner with offshore companies.

This will require them to meet certain internationally recognised regulatory compliance standards. In time (hopefully soon), equivalent standards will become law in New Zealand.

The risks associated with non-compliance will be major for those New Zealand CIOs slow to grasp the opportunity to be proactive.

6. Can IT learn from other areas of business that have encountered similar demands for better governance?

Back in the mid-eighties, finance managers were becoming over-burdened by the volume of transactions, need for compliance and reporting requirements emanating from eager business unit managers and executives. IT was instrumental in solving these problems and meeting these challenges, by replacing the Mongol horde of accountants with management applications that could keep pace with this growing volume and demand for accuracy, and provide an audit trail and produce accurate and meaningful reports — in minutes, not months.

IT is now suffering as a result of the same issues and challenges our colleagues in finance encountered decades ago. We need to ‘enable’ ourselves, using similar methods, tools and techniques to those we provided to finance. In a modern business, information is as valuable an asset as cash, some would argue more valuable.

If New Zealand IT fails to keep pace with the need for better-quality information systems we might all end up bankrupt.

7. Is there one word or phrase that can be used to define an effective governance programme?

Leadership.

Compuware — Anthony Farr, regional sales manager, Australia

1. Differentiate between corporate governance and IT governance.

Corporate governance is driven primarily by the need for transparency of enterprise risks and the protection of shareholder value. IT governance is about understanding the risks and exploiting the benefits of the pervasive use of IT in today’s enterprise environment. IT should be considered ‘a business within a business’ and, like any business, must have benchmarks by which to manage efficiency and performance improvement efforts.

2. Is IT governance a top priority for CIOs over the next few years and, if so, why?

This is a very broad question, but one that many IT leaders are asking as organisations have long been looking to find out how organisations can most effectively increase efficiency and performance. IT governance is a ‘mandatory’ journey, as business relies on technology to track and manage critical information.

Today’s CIOs need to deal with a portfolio of business-critical issues including: aligning IT strategy with the business strategy; providing organisational structures that facilitate the implementation of strategy and goals, and creating constructive relationships and effective communications between business and IT. They also need to insist that an IT control-framework be adopted and implemented, and measure IT’s performance as a business unit.

3. What are the major benefits of implementing an IT governance programme?

Successful IT governance programmes maximise the business value generated by IT, at an affordable cost and with an acceptable level of risk. Without an IT governance programme an organisation can endure massive cost blowouts — a factor that continues to give the wrong impression of IT being that of a cost centre rather than a value centre. IT governance helps transform IT from a cost centre, which provides commodities, into an active contributor to business growth and generator of competitive advantage. Evaluation is an important part of IT governance and also helps to communicate the value of IT to the rest of the business.

4. Where is a good place to begin when looking to improve governance procedures and controls?

Think big, start small, and move fast. It’s important to identify the most urgent needs and the areas of biggest value-creation potential. Focus on these areas at the beginning and generate tangible and quantifiable benefits, and capitalise on that confidence capital to drive the organisational change process in a dynamic and flexible way.

Effective IT governance requires that IT has a number of key elements in place. Having a clear understanding of the business strategy of the enterprise is essential and it’s also important to have defined IT organisational decision-making structures. Also, ensure there are decision-making and performance management standards.

5. What are the risks CIOs face if they don’t embrace IT governance?

Due to the pervasive and critical nature of IT in today’s global corporate environment, a CIO not embracing IT governance is not realising the potential of IT and is putting competitiveness at risk. Streamlining IT management will bring about better business efficiencies.

6. Can IT learn from other areas of business that have encountered similar demands for better governance?

Although IT governance has challenges that are unique in nature, IT can learn from governance practices in other business areas, in order to put in place the necessary leadership and organisational structures, and processes. These will ensure the organisation’s IT [initiatives] sustain and extend the organisation’s strategies and objectives.

7. Is there one word or phrase that can be used to define an effective governance programme?

It’s about getting it right the first time. An effective IT governance programme has a clear understanding of the business, defined structures and constantly looks back at its performance. An effective governance programme touches the business and supports business objectives.

IBRS senior consultant Alan Hansell

1. Differentiate between corporate governance and IT governance.

There is little difference, in theory, as both corporate and IT governance revolve around determining:

a) What decisions have to be made so the organisation’s resources can be used to achieve its strategic objectives?

b) Who should make the decisions?

c) Who will be accountable for the results of the decisions?

d) Who will monitor, measure and report the results?

In practice though, corporate governance, as distinct from IT governance, mostly revolves around meeting statutory obligations, for example, deciding when not to trade due to insolvency. These obligations rarely exist, if at all, in IT governance where the decisions that have to be made (and by whom) are less clear, for example, deciding what has to be done and by whom to maximise the firm’s return on investment in IT [infrastructure], such as electronic trading facilities.

2. Is IT governance a top priority for CIOs over the next few years and, if so, why?

IT governance, where the objective is to maximise the firm’s investment in IT-related resources, for example, skilled people and smart systems, has long been a top priority for CIOs. This is because of either competitive pressures or, in the public sector, the need to meet increasing client service requirements. Neither need is likely to change in the next few years.

The CIO’s priorities are to:

a) Keep the board and senior management informed on what might be achieved from the organisation exploiting IT.

b) Advise on which investment decisions can be made, implemented and monitored, so the benefits expected can be realised.

3. What are the major benefits of implementing an IT governance programme?

The major benefits from implementing an IT governance programme are:

a) Facilitates making the right decisions, when allocating IT-related investment, as the decision-makers have been kept informed of the potential from exploiting IT by both the CIO and commercially astute business managers.

Second, decision-makers know the results of their investment decisions, including the lessons learned, that is from reviews of previous investments. Last, decision-makers have learned, from monitoring the progress of previous investments, who to make accountable, and how to track and measure their progress.

b) Sends a message to all stakeholders not involved in the governance process, for example, industry analysts or elected officials, that wise investment decisions are being made and monitored.

c) Keeps implementers and business sponsors honest because they are accountable for outcomes.

4. Where is a good place to begin when looking to improve governance procedures and controls?

Begin by assessing the effectiveness of existing governance processes. This can be done by:

a) Reviewing and assessing the value of existing collateral, for example, governance processes, internal controls and management accountability.

b) Surveying and interviewing management on how they have implemented, or not, existing governance processes.

c) If today’s governance processes are not of value, redesign them, based on the top ten leadership principles of IT governance, as outlined by Weill and Ross in IT Governance, published by Harvard Business School Press.

d) Concurrent with redesigning existing governance processes, begin the improvement initiative at the point where IT-related investment decisions are made, that is by deciding what criteria should be used to equitably allocate resources to competing IT investment initiatives.

The criteria need to be multi-faceted and, apart from investing in initiatives based on business priorities, include a ranking process that ensures an equitable allocation across the existing portfolio, for example, includes sustaining IT infrastructure and investment in innovative or emerging technologies.

e) Gradually implement the redesigned governance processes, including management awareness training.

5. What are the risks CIOs face if they don’t embrace IT governance?

CIOs who do not embrace IT governance will do both themselves and their organisations a disservice because:

a) By default, they assume responsibility for both the (business) demand and supply roles in IT. This means, for instance, taking responsibility for allocating resources to competing investment initiatives and assuming systems’ ownership roles. CIOs, by doing the latter to get things done, run the risk of getting clients offside when a system failure occurs or their initiatives fail to get IT resources allocated.

b) IT-related investment allocation decisions will be made based on deals and not on objective and agreed criteria.

c) In the absence of IT governance it is almost impossible to hold management accountable for results.

d) In the absence of a formal review, as part of the IT governance process, decision-makers, including the CIO, will not know whether they made the right investment decision or not. They run the risk of repeating mistakes.

6. Can IT learn from other areas of business that have encountered similar demands for better governance?

It is my observation that when IT governance processes are ineffective, or there is a lack of compliance, the same [ineffectiveness] applies to other non-statutory based governance processes, for example, for manufacturing and business development.

However, when statutory obligations apply, based on corporations law and tax law, and board members or office holders, such as the CFO, are liable for the consequences of their decisions, compliance is generally the norm and not the exception.

The area in which IT has most to learn from when it comes to governance matters is finance, where decisions are made on a more structured basis and follow well-defined business control processes, for example, when deciding who can authorise purchases for nominated supply items (and to what amount) or who is accountable for the integrity of financial statements for statutory authorities.

Similarly, IT has to decide which governance processes it will implement in a structured environment, for example, in IT Operations, to ensure output integrity and data security, and to decide who is accountable for them. But this is the easy part.

However, in the unstructured environment, such as when it comes to deciding how to maximise investment in IT, the governance processes need to balance process control with flexibility, so innovation and creativity aren’t stifled.
