In rules we trust

The economic crisis highlights the need for CIOs to facilitate corporate governance.

As the world descends into a harsh economic downturn, those who have been crying out for strong corporate governance can at least bask in the warm inner glow of utter vindication.

But for chief information officers the message is clear: it's time to gird their loins, seize the day, and play their part in delivering the tools and information their boards need to ensure such ineptitude does not raise its head again.

"The historic carnage that we are witnessing in the financial services arena across the world is testament to the fact that corporate governance does not have the right tools to deploy to better understand exposure to risk. If they did, they could and would leverage those tools to their advantage," says greater New York-based senior enterprise information risk management consultant and subject matter expert Ashish Atri. "CIO does, after all, stand for chief information officer, with the key word being information."

Atri says information has just one strategic role in the organisation: to reduce the uncertainty in business decision-making. That is the essence of corporate governance. Although CIOs, as part of their day job, play an important role in supporting the business-as-usual functions like payroll and accounts payable, their real responsibility is to find and disseminate knowledge that helps the board understand the enterprise's exposure to risk.

"The CIO must play a key role in educating and preparing corporate governance to understand and leverage risk towards competitive advantage," Atri says.

"They could be the key enablers to richly endow the context within which corporate governance can make informed choices. Given the current economic turmoil, there has never been a better time for CIOs to step up and deliver those tools."

Beasts of burden

The financial meltdown is symptomatic of numerous challenges that are embedded in the corporate culture and difficult to change, says NetReturn consulting director Adam Bateson. Many boards were likely to have felt the tide shift long before disaster struck, but they almost certainly lacked the necessary mechanisms that would have allowed them to act to reduce the impact, he says.

It would have been of little use for the board of a major corporation to identify a need to provide tighter control mechanisms around lending criteria if proper processes, a strong, positive organisational culture, solid leadership, well-educated staff and highly adaptive technologies were all missing. "Without these at your disposal, all you can do is sit back and watch the termites as they slowly eat away at your business and hope they do not have too big an impact," Bateson says.

Boards also struggle in being exposed only to sanitised information that makes it impossible for them to govern well or on time, which is why their intervention typically comes too late, says the information officer for Reliance Communication India, Sumit Chowdhury. "Just look at Lehman Brothers."

Chowdhury says it is vital for CIOs to deliver accurate financial data - including closing of monthly, quarterly and annual balance sheets and cash flows - to the board in an automated way, and provide linkages and dashboards so that the board can track items on watch lists. They also must provide risk management systems for assessing and quantifying corporate risk and tracking legal, regulatory and environmental issues and projects. "These things should be done [in conjunction] with the CEO," he says.

The information officer should be the bastion of governance, putting in place processes, technology and awareness programs that allow the organisation to operate with minimum risk. A good executive will proactively and regularly meet with stakeholders and set expectations for having an effective program in place. Good corporate governance requires a general acceptance of definitions, risks and terminology across the business, but also demands there are proper systems to automate and enforce the decisions and agreements that are made.

"CIOs and their teams should have the best chance of understanding the technologies that might help a company to implement changes in response to an identified risk," Bateson says. "The CIO should be able to acknowledge the requirement for proper training and change management and implement the necessary processes to make sure the company is in a state of readiness. Where you might see CIOs trip up is with their inability to engage the decision-makers and demonstrate that change is possible."

After all, who can blame the information officer for not wanting to spearhead a project of this magnitude? Bateson points out that enabling a company to react to decisions that might require behavioural change in staff (for instance, a tightening of approval processes for mortgage brokers) is counter-intuitive to the key performance indicators many of these business units employ. To be successful, the CIO may have to convince the board to make changes that might motivate staff to spend less time generating revenue and more time qualifying, which increases cost. "A CIO would have to be a pretty amazing salesman to get that message across effectively," Bateson says.

Crack the whip

Corporate governance is a set of processes and practices to ensure that the executives and directors work to benefit the shareholders in an ethical and legal manner.

The CIO is one of the few people in the organisation capable of directly visualising how any and every management plan benefits the owners, US Securities and Exchange Commission assistant director Srinivas Bangarbale says. Having unfettered access to one of the most critical aspects of the modern enterprise - information - the CIO can easily contextualise a management action plan and highlight the relevant analysis of the data available. Bangarbale says that means the CIO must be the conscience of the company in ensuring that management's plans (mergers, acquisitions, expansions, downsizings, etc) are intended and designed to benefit the owners.

"The standards that need to be in place for corporate governance are mainly business and ethical standards for the directors and officers of the company," Bangarbale says. "They should live by those standards, which should explain to the owners how these people will behave, how they will avoid conflicts of interest and what is the trade-off between such standards and profits.

"Technology could be used as a tool to support corporate governance in the form of executive compensation reporting, voluntary reporting of perks and disclosure of such information to the owners of the company using automated systems - a sort of self-regulation. Also, the CIO could work with the executives to link their trading accounts, for example, to the disclosure system, so that such material would be available to the shareholders, of course taking into account privacy


Four measuring sticks

Corporate governance answers four questions, management consultancy Kogekar Consulting's principal, Hemant Kogekar, says. First: Are we doing the right things?

This question mainly concerns strategy and investments. As companies get more dependent on technology and information, executives have a big role in ensuring that the strategy makes sense and, more importantly, can be implemented. "The CIO can make a key contribution to ensuring that the investments [especially the technology-centric ones] are appropriate, for instance, by ensuring the business case aligns with strategy," Kogekar says. "Many organisations apply more rigorous investment discipline to IT investments than perhaps other investments. The CIO can work with other C-level executives to ensure investment benefits, as well as risks, are understood."

Next, ask the question: Are we doing things the right way? For example, is the organisation managing its risks appropriately and are decisions aligned to the strategy and architecture of the business? Here the CIO can contribute to sound risk management practices in providing systems for risk reporting, Kogekar says.

"There is a key role in ensuring IT and project risks are understood by the board and that effective controls are in place," he says. "The risks include project risks, information security, service delivery, contingency planning risks and so on. Using business intelligence, the CIO can help with reporting other types of operational and investment risks as well."

Third, ask: Are we doing things well? This covers project execution and other types of service delivery. With an intimate understanding of projects, as well as many aspects of technology-enabled service delivery and change management issues, information officers can leverage knowledge to help ensure that reporting and governance practices are effective.

Finally, governance asks: Are we getting the benefits? Are projects and investments delivering the promised benefits and is the organisation getting appropriate returns? Who better than the information officers, with all their understanding of change management, to contribute to ensuring that projects include necessary steps to enable benefit realisation, not just technology implementation? Many projects end when systems are implemented, leaving benefit extraction up to the business and not even tracked, Kogekar says. This leads to investments that may not produce promised benefits. "CIOs can play an effective role in ensuring projects deliver business outcomes and not just technology installation," he says. "They can also help track the benefits."

Like that of the CFO, the information officer's role touches many parts of the business, Kogekar says, as their understanding of project selection and governance can easily extend to other investments and strategic initiatives. Similarly, understanding of technology risks and risk management can contribute greatly to improving the board's understanding of the business, and in securing resources to successfully manage these risks. "An effective framework to manage risks is more important than technology systems and other standards," he says. "I have seen multiple risk reporting systems of varying complexity. When people at all levels understand how to report and manage risks in their operation, the governance becomes effective. Otherwise it is 'garbage in and garbage out'."

Internet and technology strategist Lily "Spider" Redgold says good corporate governance reflects awareness by decision-makers in applying smart thinking based on accurate reporting. "A CIO should prepare a technology roadmap along with a helicopter view schedule that clearly connects the improved functions and services to specific investment in technology," Redgold says. "This can turn business executives into allies. The roadmap provides a common conversation that is focused on resources and functional requirements and the technology change required to deliver these improvements. The conversation becomes one of strategy at the divisional level. The CIO is best placed to contribute to this if on the senior executive team and reporting directly to the chief executive officer."

One of the challenges is selecting a method to facilitate choice when competing projects are very different, Redgold says. She finds the method provided by the Product Development Institute to be effective across internal and outsourced activities. It offers a way to score strategic fit and technology complexity across products and projects and improve decision-making behaviour. She also uses a project classification model from Max Wideman to assess complexity

"There are plenty of change-management tools but tools support your processes," Redgold says. "Choosing can have a ripple effect and cause an organisation to implement processes on the fly to meet the requirements of a tool. Making the development of governance process part of an implementation can create cost, time and scope-slippage for that project. Good tools with broken processes won't get anyone very far and good processes may be enough with spreadsheets and document registers, except in large organisations."

Set the bar

Governance is being made easier as the IT service management industry enters the next stage of its evolution. For example, there is now an international standard for IT Service Management, ISO/IEC 20000, BMC Software solutions architect Erin Casteel says. "This ISO standard tells us what to do, whereas frameworks like ITIL and COBIT tell us how to do it," Casteel says.

"The big question most CIOs are asking is 'What do we do?' This standard clearly helps to answer that question. We also now have more highly developed and integrated toolsets that can provide the much greater end-to-end visibility and control required for successful IT governance. Finally, the fact that we can now automate so many more of the tasks which were previously done manually means that staff will be able to spend more time focused on innovation, rather than just keeping the lights on.

"This combination of governance, integrated process and automation is powerful - rather like a ship that previously had to rely on the stars to navigate and now has access to satellite navigation. How much easier to pinpoint exactly where you want to go, and then actually get


