IT Governance: The Solution to IT Anarchy, Part III

By Rick Freedman

(Back to article)

As good as they are, however, the definitions in last week's column do little to guide CIOs towards implementing an IT governance policy, so let’s discuss how IT executives can help their organizations get there?

Here are a few ideas to help get started down the path to disciplined IT governance:

Sell IT to the board. The idea of governance itself is closely tied to corporate governance, and most observers agree that good IT governance starts in the boardroom.

The board must apply the same strategic focus to IT matters as they would to any other element of corporate strategy, such as acquisitions or product development. They must support the idea of IT as a strategic lever, and not merely as a cost center.

It is the board that is ultimately responsible for enforcing accountability, and so performance measurement, perhaps in the form of an IT-focused balanced scorecard, is a critical component of board-level IT governance. CIOs must make the case for board-level IT governance, since most IT executives are not lucky enough to have a board that comes to that conclusion independently.

CIOs, for instance, can use the wealth of analyst material, as well as briefings from the IT Governance Institute, to begin educating their board on the movement towards IT governance. They can begin putting some of the structures in place, such as an IT steering committee, and begin applying some of the disciplines, such as IT project portfolio management, to demonstrate that they are "walking-the-walk" in their own management activities.

You can begin to apply a balanced scorecard approach to their own areas of operations, rather than waiting for the board to request or mandate it. CIOs, in short, should prepare a marketing, communications, and education strategy to help move their boards towards a governance oversight structure for IT.

Connect IT to enterprise strategies. When viewed as a back-office operational function, IT can often become disconnected from the organization’s strategic goals. IT teams can get into a tactical rut, where they perform routine IT operational tasks and projects without understanding or buying into the strategies that drive the enterprise.

IT managers need to connect IT activities with strategy at every opportunity.

Every project should be reviewed, with the delivery teams, to make the explicit connection between project goals and corporate objectives. Long-range strategic plans should be prudently communicated to IT staff, so that consensus is built and IT technical resources have a chance to mature into strategic thinkers.

Some IT executives schedule periodic long-range strategy session just for their IT teams, so they can have a concentrated opportunity to look down the road at corporate objectives and develop IT strategies to align more closely with the enterprise.

Think of IT as a portfolio. CIOs manage a portfolio of assets, from hardware and infrastructure to applications and utilities, and they typically also manage a portfolio of projects that may be ongoing simultaneously, such as migrations, application selection projects, and software rollouts.

One of the key elements of IT governance is the “portfolio mentality;” the ability to look at projects, assets, and operations holistically across the breadth of the IT function, and to make investment and priority decisions based on both business case and balance.

Business case discipline requires IT executives to mandate that any incremental investment, from the purchase of disk storage to the development of a custom Web-based storefront, be analyzed from a cost-benefit perspective, with the right level of quantitative rigor to ensure that “pet projects” are not prioritized over more strategically impactful initiatives.

Balance requires CIOs to look at the level of risk of their projects to ensure that they’re not taking on too much or too little risk. Too much risk exposes the enterprise to loss, too little limits the ability to innovate, and so potentially allows rivals to gain competitive advantage.

By beginning to implement portfolio management as part of the standard IT decision process, CIOs can prepare the organization for board-level IT oversight and can help ensure that IT investments are directed at the most fruitful initiatives.

Measure IT. The elemental measurements for IT projects are similar to those for any type of project: Did the project deliver on time, on budget, and with the expected functionality? This "triple constraint" type of measurement is familiar to any project manager, but is not sufficient to fulfill the needs of a rigorous governance process.

The balanced scorecard approach is a widely used framework for applying metrics to the IT function, but it’s not the only framework. At Intel, we’ve developed the business value index, a rigorous set of measurements designed to embed within Intel a repeatable and uniform IT project evaluation process.

This set of metrics is used both to evaluate investments as they are proposed and to monitor their performance throughout the lifecycle. By using a mix of quantitative and qualitative measurements, running the gamut from hard metrics like projected impact on Intel revenues to "softer" measurements like customer satisfaction and intangible benefits, Intel hopes to guide both the decision and monitoring processes with a consistent, enterprise-wide measurement process.

The point is not which process is used; the point is to select (or construct) one that’s compatible with your corporate culture and has the right level of rigor for your needs, and to use it consistently throughout the investment and execution process.

Manage risk. From 9/11, to Enron and WorldCom, and changes to the regulatory environment like Sarbanes-Oxley, the need to manage risk has become apparent to managers at every level.

Financial risk is, of course, a key component of any risk strategy, but other risks, such as operational risk and information security, are equally critical.

CIOs should develop a holistic risk strategy that ensures that all risks are exposed and analyzed, and that documented mitigation and contingency strategies are developed.

Active risk avoidance, which utilizes techniques like after-project "lessons learned" reviews, should be implemented at the departmental and project levels and then elevated to the board level as IT governance takes hold. ·

Manage resources. Just as directors on the board must stay focused on using existing assets — such as plant, materials, people, and relationships — to the best possible advantage, so must IT leaders.

The infrastructure, transport, data, facilities, and teams that make up the IT function must be maximized to deliver the highest possible benefit to the enterprise, and the costs associated with these resources must be strictly controlled.

CIOs need to develop strategies for outsourcing, co-sourcing, and partnering in order to extend the capabilities of IT while keeping costs competitive. Management of resources also means having a talent development program in place so that leadership in the next generation is incubated and encouraged.

The use of techniques like service level agreements (SLAs) is an integral element of governance, since they document expectations and set clear service objectives. Asset tracking and lifecycle management is another key component of a robust governance strategy.

Elevate accountability. Ultimately, teams and leaders need to understand that their ability, or lack thereof, to deliver against IT objectives and to utilize IT to achieve the strategic goals of the enterprise, will have consequences.

Clearly documented roles, responsibilities, and operational processes set a foundation against which performance can be measured. Firms that use individual objective-setting exercises such as documented management by objectives (MBOs), are already on the right path to governance.

If the enforcement of accountability is a challenge in your organization, you may want to review the literature on objective-setting, and also explore other tactics for encouraging accountable behavior such as incentives and rewards for high achievers as well as mentoring, coaching, and corrective action plans for those team members not accomplishing their objectives.

One of the challenges of IT governance is that many are doing some or all of these things with varying levels of rigor and discipline, leading to the “we’re doing that already” reaction. It’s important to remember that IT governance is not about a set of unconnected processes and techniques, but rather is a single, unified discipline that addresses all of these matters, comprehensively and holistically, at a senior level.

A recent study by the CIO executive board, a subgroup of the Corporate Executive Board in Washington, DC, shows that many IT leaders excel at some elements of these disciplines, but very few rate themselves highly in regard to overall governance. Responding to this survey were over 200 of the most influential organizations in the world, and over 800 IT executives.

These IT executives named IT governance as their top priority for improvement, and rated themselves poorly on some of the key governance techniques we’ve outlined here, such as business case discipline, performance measurement, and IT value measurement.

Most IT executives recognize that neither ad hoc, fire-fighting methods nor unconnected, inconsistent and siloed processes will make the grade in this era of higher scrutiny, transparency, and visibility. The holistic disciplines recommended by advocates of IT governance, if applied judiciously and appropriately based on the needs of the organization, can’t help but place IT on a more manageable footing.

CIOs and CEOs alike should recognize that the days of anarchy in the data center are over, as are the days of unlimited, unaccountable IT investment. In this new world, CIOs who lead their enterprises towards more disciplined governance structures, processes, and messages do their companies and own their careers a real service.

Rick Freedman is worldwide project management practice leader at Intel Solution Services, a division of Intel Corp.