As the CIO moves away from directly managing technology and ICT becomes an intrinsic component of all parts of the business; the spectre of ICT governance is taking a more solid form. Without sound governance, every organisation with more than 20 staff puts itself in harm’s way. Most businesses of a reasonable size are structured with parts of formal governance. Many managers (still too few CIOs!) moving into board roles learn governance in courses such as those run by the Institute of Directors. This is resulting in more local businesses being governed to an acceptable level.
ICT must be subject to the same standards of governance as every other part of the business. But, why has ICT managed to stay hidden from the governance searchlight?
For years corporate governance has buried ICT. Part of the reason is the traditional location of the ICT department under the CIO. Another part of the reason for ignoring ICT has been fear. The basis for this fear is shown in where more than half of CEOs do not feel comfortable or competent presenting ICT reports to the board. Sadly, as most boards are populated with a high proportion of accounting and legal professionals, they are mostly baffled by ICT reports. To make matters worse they seem to be comfortable calling the CFO in to talk dollars, yet feel it is “breaking governance” to accord the same respect to the CIO.
These issues are remarkably absent in our most successful and innovative organisations.
So how do we introduce good ICT governance? We will briefly look at what good ICT governance delivers. Then a look at what is ICT governance and where does it fit. Finally we look at the tools available to insert sound and effective ICT.
Governance into the corporate governance structure
ICT governance will never take its rightful position unless it is seen to deliver real benefits.
The benefits of good ICT governance include:
● Access to facts. Ensuring the board has access to the tools that translate data into insight into action that creates business results. Many companies have more data than they can use effectively. This needs to change and the board must be able to ensure it changes.
● Measurement. The old saying ‘if you can’t measure it you can’t manage it’ still rings true. The board must be able to hold their management team accountable and providing sound, timely reporting in a form the board can use.
● Synthesis of strategy. ICT is a vital component of every aspect of the business. The board must understand what the technology is delivering now, and how it can contribute to the future growth of the business. Strategy cannot be defined without ICT input.
● Delivery of innovation. As business becomes more complex, real innovation is needed to both give the business competitive strength, and to help clarify some of the complexity. The board must be able to trigger innovative processes.
● Compliance. ICT plays a key role in ensuring regulatory requirements are met. The board must be able to see that ICT is delivering outcomes that meet regulatory requirements. While most local businesses (and government departments) are not as regulated as in the US or EU, for example, there is still a lot of regulation to comply with.
● Management of risk. While ICT delivers great benefits, it is also the source of much risk. Frequently this risk is handled as an ICT management issue. The board Audit and Risk committee (or equivalent) must have clear access to the information about these risks, to ensure balanced decisions are made.
This list is not comprehensive, but it does point to the board’s two ‘three legged stools’ of which one leg of each stool is governance. Both stools need to start with sound governance to stay upright and provide a solid seat.
The first stool’s legs are governance, risk and compliance.
The second stool’s legs are governance, strategy and innovation. Although these views on ICT governance are business oriented, they also fit into government. In fact, the New Zealand government is in the process of implementing a sound ICT governance structure, which IDC has commented on favourably.
ICT governance definitions
To help us better understand ICT governance, it is useful to have some formal definitions.
ISO 38500 defines corporate governance of ICT as this: The system by which current and future use of ICT is controlled. Corporate governance of ICT involves evaluating and directing the use of ICT to support the organisation and monitoring this use to achieve plans. It includes the strategy and policies for using ICT within an organisation.
IDC’s governance, risk, and compliance infrastructure taxonomy defines IT governance as:
According to the IT Governance Institute, IT governance consists of the leadership, organisational structure and processes that allow an IT organisation to sustain and extend a firm’s strategies and objectives. IT governance and the effective application of an IT governance framework are critical in helping enterprises gain more value from information and information technology, while ensuring that IT remains aligned with the enterprise strategy, values, and culture. Effective IT governance formalises IT oversight and accountability. It facilitates resource allocation and decision making and enhances communication and performance between business units and IT and across IT functional silos. IT governance also facilitates compliance and audits by documenting processes, controls and decision authority.
The tools needed for strong ICT governance in an organisation:
The first and most significant tool is the Corporate Governance of Information Technology standard ISO 38500.
If you have read this far, you need to buy a copy of this standard (please see http://tinyurl.com/4hftruq) and read it. Applying the standard will take some selling effort:
● Educate the CFO to accept they are better off moving the CIO out of their control (they will still have control of finance ICT).
● Then to convince the CEO that he/she needs to have the CIO report to them.
● With the management team on board, it is time to get the board up to speed. If you have the rest of the CXO suite on the same page, this should not be hard.
Implementing a new ICT governance model is not easy and won’t happen overnight.
You may need to re-examine how you see your role as a CIO. Do keep trying though, it is worth it. You may need some external help and there are good people who have done this before. In addition, IDC has some research that is useful to support your proposal.
Succeed in delivering strong, effective and flexible ICT governance and your business will thank (and hopefully reward) you, and you will have a massive tick next to ICT governance on your CV.
Peter Macaulay is principal, executive programme at IDC New Zealand and in charge of the inTEP Programme for CIOs.
Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.