As the world descends into a harsh economic downturn, those who have been crying out for strong corporate governance can at least bask in
the warm inner glow of utter vindication.
But for chief information officers the message is clear: it's time to
gird their loins, seize the day, and play their part in delivering the
tools and information their boards need to ensure such ineptitude does
not raise its head again.
"The historic carnage that we are witnessing in the financial services
arena across the world is testament to the fact that corporate
governance does not have the right tools to deploy to better
understand exposure to risk. If they did, they could and would
leverage those tools to their advantage," says greater New York-based
senior enterprise information risk management consultant and subject
matter expert Ashish Atri. "CIO does, after all, stand for chief
information officer, with the key word being information."
Atri says information has just one strategic role in the organisation:
to reduce the uncertainty in business decision-making. That is the
essence of corporate governance. Although CIOs, as part of their day
job, play an important role in supporting the business-as-usual
functions like payroll and accounts payable, their real responsibility
is to find and disseminate knowledge that helps the board understand
the enterprise's exposure to risk.
"The CIO must play a key role in educating and preparing corporate
governance to understand and leverage risk towards competitive
advantage," Atri says.
"They could be the key enablers to richly endow the context within
which corporate governance can make informed choices. Given the
current economic turmoil, there has never been a better time for CIOs
to step up and deliver those tools."
Beasts of burden
The financial meltdown is symptomatic of numerous challenges that are
embedded in the corporate culture and difficult to change, says
NetReturn consulting director Adam Bateson. Many boards were likely
to have felt the tide shift long before disaster struck, but they
almost certainly lacked the necessary mechanisms that would have
allowed them to act to reduce the impact, he says.
It would have been of little use for the board of a major corporation
to identify a need to provide tighter control mechanisms around
lending criteria if proper processes, a strong, positive
organisational culture, solid leadership, well-educated staff and
highly adaptive technologies were all missing. "Without these at your
disposal, all you can do is sit back and watch the termites as they
slowly eat away at your business and hope they do not have too big an
impact," Bateson says.
Boards also struggle in being exposed only to sanitised information
that makes it impossible for them to govern well or on time, which is
why their intervention typically comes too late, says the information
officer for Reliance Communication India, Sumit Chowdhury. "Just
look at Lehman Brothers."
Chowdhury says it is vital for CIOs to deliver accurate financial data
- including closing of monthly, quarterly and annual balance sheets
and cash flows - to the board in an automated way, and provide
linkages and dashboards so that the board can track items on watch
lists. They also must provide risk management systems for assessing
and quantifying corporate risk and tracking legal, regulatory and
environmental issues and projects. "These things should be done [in
conjunction] with the CEO," he says.
The information officer should be the bastion of governance, putting
in place processes, technology and awareness programs that allow the
organisation to operate with minimum risk. A good executive will
proactively and regularly meet with stakeholders and set expectations
for having an effective program in place. Good corporate governance
requires a general acceptance of definitions, risks and terminology
across the business, but also demands there are proper systems to
automate and enforce the decisions and agreements that are made.
"CIOs and their teams should have the best chance of understanding the
technologies that might help a company to implement changes in
response to an identified risk," Bateson says. "The CIO should be able
to acknowledge the requirement for proper training and change
management and implement the necessary processes to make sure the
company is in a state of readiness. Where you might see CIOs trip up
is with their inability to engage the decision-makers and demonstrate
that change is possible."
After all, who can blame the information officer for not wanting to
spearhead a project of this magnitude? Bateson points out that
enabling a company to react to decisions that might require
behavioural change in staff (for instance, a tightening of approval
processes for mortgage brokers) is counter-intuitive to the key
performance indicators many of these business units employ. To be
successful, the CIO may have to convince the board to make changes
that might motivate staff to spend less time generating revenue and
more time qualifying, which increases cost. "A CIO would have to be a
pretty amazing salesman to get that message across effectively,"
Crack the whip
Corporate governance is a set of processes and practices to ensure
that the executives and directors work to benefit the shareholders in
an ethical and legal manner.
The CIO is one of the few people in the organisation capable of
directly visualising how any and every management plan benefits the
owners, US Securities and Exchange Commission assistant director
Srinivas Bangarbale says. Having unfettered access to one of the most
critical aspects of the modern enterprise - information - the CIO can
easily contextualise a management action plan and highlight the
relevant analysis of the data available. Bangarbale says that means
the CIO must be the conscience of the company in ensuring that
management's plans (mergers, acquisitions, expansions, downsizings,
etc) are intended and designed to benefit the owners.
"The standards that need to be in place for corporate governance are
mainly business and ethical standards for the directors and officers
of the company," Bangarbale says. "They should live by those
standards, which should explain to the owners how these people will
behave, how they will avoid conflicts of interest and what is the
trade-off between such standards and profits.
"Technology could be used as a tool to support corporate governance in
the form of executive compensation reporting, voluntary reporting of
perks and disclosure of such information to the owners of the company
using automated systems - a sort of self-regulation. Also, the CIO
could work with the executives to link their trading accounts, for
example, to the disclosure system, so that such material would be
available to the shareholders, of course taking into account privacy
Four measuring sticks
Corporate governance answers four questions, management consultancy
Kogekar Consulting's principal, Hemant Kogekar, says. First: Are we
doing the right things?
This question mainly concerns strategy and investments. As companies
get more dependent on technology and information, executives have a
big role in ensuring that the strategy makes sense and, more
importantly, can be implemented. "The CIO can make a key contribution
to ensuring that the investments [especially the technology-centric
ones] are appropriate, for instance, by ensuring the business case
aligns with strategy," Kogekar says. "Many organisations apply more
rigorous investment discipline to IT investments than perhaps other
investments. The CIO can work with other C-level executives to ensure
investment benefits, as well as risks, are understood."
Next, ask the question: Are we doing things the right way? For
example, is the organisation managing its risks appropriately and are
decisions aligned to the strategy and architecture of the business?
Here the CIO can contribute to sound risk management practices in
providing systems for risk reporting, Kogekar says.
"There is a key role in ensuring IT and project risks are understood
by the board and that effective controls are in place," he says. "The
risks include project risks, information security, service delivery,
contingency planning risks and so on. Using business intelligence, the
CIO can help with reporting other types of operational and investment
risks as well."
Third, ask: Are we doing things well? This covers project execution
and other types of service delivery. With an intimate understanding of
projects, as well as many aspects of technology-enabled service
delivery and change management issues, information officers can
leverage knowledge to help ensure that reporting and governance
practices are effective.
Finally, governance asks: Are we getting the benefits? Are projects
and investments delivering the promised benefits and is the
organisation getting appropriate returns? Who better than the
information officers, with all their understanding of change
management, to contribute to ensuring that projects include necessary
steps to enable benefit realisation, not just technology
implementation? Many projects end when systems are implemented,
leaving benefit extraction up to the business and not even tracked,
Kogekar says. This leads to investments that may not produce promised
benefits. "CIOs can play an effective role in ensuring projects
deliver business outcomes and not just technology installation," he
says. "They can also help track the benefits."
Like that of the CFO, the information officer's role touches many
parts of the business, Kogekar says, as their understanding of project
selection and governance can easily extend to other investments and
strategic initiatives. Similarly, understanding of technology risks
and risk management can contribute greatly to improving the board's
understanding of the business, and in securing resources to
successfully manage these risks. "An effective framework to manage
risks is more important than technology systems and other standards,"
he says. "I have seen multiple risk reporting systems of varying
complexity. When people at all levels understand how to report and
manage risks in their operation, the governance becomes effective.
Otherwise it is 'garbage in and garbage out'."
Internet and technology strategist Lily "Spider" Redgold says good
corporate governance reflects awareness by decision-makers in
applying smart thinking based on accurate reporting. "A CIO should
prepare a technology roadmap along with a helicopter view schedule
that clearly connects the improved functions and services to specific
investment in technology," Redgold says. "This can turn business
executives into allies. The roadmap provides a common conversation
that is focused on resources and functional requirements and the
technology change required to deliver these improvements. The
conversation becomes one of strategy at the divisional level. The CIO
is best placed to contribute to this if on the senior executive team
and reporting directly to the chief executive officer."
One of the challenges is selecting a method to facilitate choice when
competing projects are very different, Redgold says. She finds the
method provided by the Product Development Institute
(www.stage-gate.com/index.php) to be effective across internal and
outsourced activities. It offers a way to score strategic fit and
technology complexity across products and projects and improve
decision-making behaviour. She also uses a project classification
model from Max Wideman to assess complexity.
"There are plenty of change-management tools but tools support your
processes," Redgold says. "Choosing can have a ripple effect and cause
an organisation to implement processes on the fly to meet the
requirements of a tool. Making the development of governance process
part of an implementation can create cost, time and scope-slippage for
that project. Good tools with broken processes won't get anyone very
far and good processes may be enough with spreadsheets and document
registers, except in large organisations."
Set the bar
Governance is being made easier as the IT service management industry
enters the next stage of its evolution. For example, there is now an
international standard for IT Service Management, ISO/IEC 20000, BMC
Software solutions architect Erin Casteel says. "This ISO standard
tells us what to do, whereas frameworks like ITIL and COBIT tell us
how to do it," Casteel says.
"The big question most CIOs are asking is 'What do we do?' This
standard clearly helps to answer that question. We also now have more
highly developed and integrated toolsets that can provide the much
greater end-to-end visibility and control required for successful IT
governance. Finally, the fact that we can now automate so many more of
the tasks which were previously done manually means that staff will be
able to spend more time focused on innovation, rather than just
keeping the lights on.
"This combination of governance, integrated process and automation is
powerful - rather like a ship that previously had to rely on the stars
to navigate and now has access to satellite navigation. How much
easier to pinpoint exactly where you want to go, and then actually get