IT Governance and Value

Whilst there are bullish projections for the expected take up of cloud computing, apparently there remains a significant degree of ignorance of what it really means amongst IT leaders in Europe. As reported in CW this week (http://www.computerweekly.com/Articles/2009/11/17/239225/cloud-computing-unfamiliar-territory-for-it-heads.htm) a recent survey by Portio Research revealed that more than 50% of IT decision makers reportedly knew very little about cloud computing whilst, of those familiar with the technology, more than 75% were already rolling it out within their enterprises. Does this mean that the ignorant majority are missing a trick? Are their enterprises in danger of losing competitive advantage through continuing to ignore what perhaps promises to deliver significant cost savings and efficiencies to their businesses?

The apparent lack of CIO understanding of cloud computing, coupled with another recent survey (from Coleman Parkes for Fujitsu) which indicated that CIOs have a tendency to play safe with proven technology rather than take an informed risk on innovative solutions does raise questions of governance. With all of the media discussions on cloud computing it is probable that the CIO's boardroom colleagues will at least have heard the term and may be curious about what it means and its potential business benefits. Indeed it would be disappointing if Board members did not ask such technology focused questions periodically. Therefore CIOs, where this is a gap in their confidence or knowledge, would be well advised to ensure that they rapidly become properly informed on cloud computing and what it might mean for their enterprises. There is no shortage of knowledge on the web and many consultancies and solution providers are anxious to promote their own cloud computing services. However, as with all new technologies there is a significant degree of hype around cloud computing which needs to be overcome in order to understand the true opportunities and risks.  There is a well balanced paper available from ISACA (www.isaca.org) with the snappy title 'Cloud Computing: Business Benefits with Security, Governance and Assurance Perspectives' that many should find helpful.

One of the key implications of cloud computing is the fact that enterprise data no longer is held physically by the enterprise. Enterprise data, much of which may be sensitive or confidential, could be held anywhere in the 'cloud'. This raises security issues that need to be addressed therefore any discussion on implementing cloud computing must involve the security and privacy specialists who can ask the right questions and ensure that the security risks are properly understood and mitigated.  At the very least processes detailing the way information is stored, archived and backed up will need to be revisited. There may also be issues of trans-border data flow as physical location often dictates jurisdiction and legal obligation.

Many traditional outsourcers may already be using the cloud. This raises the question of how they are managing this different risk. From a governance perspective this would be a good question for their customers to be asking of them. 

Cloud computing is not just a new technology. It is a whole new way of providing IT services to an enterprise. There will be technical, security, privacy, business process and governance issues to be addressed. The cloud computing FUD factor is still dangerously high. Opportunities may be being missed whilst risks may be improperly addressed. Knowledge is essential. All businesses will need to consider whether or not the cloud is for them. Ignorance or denial can only bring grief.  

This week's Public Accounts Committee (PAC) report into the C-Nomis project once again highlights (amongst a plethora of other issues) the failure of high level governance of a significant and costly business change project. The facts behind the failings of the C-Nomis project are catalogued in detail elsewhere but can be summarised in the PAC words as a 'prime example of how not to develop a project'. Sadly we have heard that many times before in relation to other similarly doomed projects. An earlier National Audit Office (NAO) report (www.nao.org.uk/publications/0809/national-offender-management.aspx) on C-Nomis covered much the same ground and came to the same overall conclusions.

From a governance and value perspective there were many issues highlighted by both reports including lack of accountability and lack of critical oversight. In particular the PAC report identified 'an over-optimistic good news culture which was not challenged with sufficient rigour by senior management with in-depth knowledge of the business'. Development project history is littered with similar instances where a project was allowed to run out of control at least partly due to insufficient timely and informed challenge from business management.

The first source of challenge should come from the Project Board itself although in too many cases this Board is too close to the project and its participants to take a fully objective and independent view. Indeed the NAO report revealed that the C-Nomis Board received no reports on project progress until mid-2007. Given the magnitude and significance of C-Nomis to its sponsoring organisations the senior Management Board and its Audit Committee should have been active in asking for and challenging the reported progress and likely outcomes. Perhaps an external independent review during the course of the project might have highlighted warning signs at an early enough stage to bring the project back on course.

A key aspect of robust governance is the ability to exercise appropriate objective oversight, ensure accountability and provide assurance on the delivery of value from the investment. Governance over C-Nomis seems to have failed on all of these counts. Perhaps unambiguous and transparent accountability was the main missing ingredient. Properly assigned, and continuing, accountability at the right level and to the right person might have helped. However, ensuring that the accountable individual has the experience, the confidence, and the mandate to provide effective challenge and guidance is never easy. Such skills and experience are not easily available on most Boards.

One of the most depressing quotes from the PAC report states 'the individuals who took the key decisions on C-Nomis and were responsible for its monitoring and oversight have all retired or moved on, and no-one is held to account for an estimated £41m wasted due to delays and cost overruns'.

The subject of my last blog, on business processes, also has a relevance here as another reported failing was the inability to simplify and standardise business processes. This indicates that once again this was treated as an IT project rather than as a business change project. The evolution of the IT function towards becoming a business process function may move a step closer as a result of these well documented failures.

Interesting article by Alan Bowling, Chair of the SAP UK and Ireland User Group (http://www.computerweekly.com/Articles/2009/10/20/238224/why-processes-not-technology-will-drive-business-improvement.htm) on the changing role of the IT department in achieving business change through improved business processes. Alan makes the point that business processes are actually more important than the technology that supports and enables them. In my view the two are inseparable as technology in itself will achieve very little. It is the way the business uses the technology that creates value. The technology and the business processes need to be designed together as a seamless whole if success is to be achieved in any business change initiative. Building revised business processes around pre-defined IT functionality is a surefire recipe for disaster - as many enterprises have found out to their cost.

The article talks about how the IT department can and should take a leading role in enhancing and improving business processes as it is often best placed to understand how the technology and the processes can be leveraged together for best effect. This already works extremely well within many enterprises but lack of integration and partnership between the IT and business functions still causes problems within too many organisations.

Given the importance of business processes and the evolving role of the IT department it is perhaps time to re-label IT departments as Business Process Departments and extend the skill set of staff within the renamed and refocused department. This might have the beneficial effect of neutralising the often negative technology centric perception of IT that still persists within many private and public sector entities. A useful concept to debate?   

Trying to introduce IT governance to an enterprise without the benefit of an established framework upon which to base your own structures and processes can be problematic and unnecessarilly time consuming and painful. Proprietary frameworks exist but most enterprises are likely to make use of no cost public access frameworks such as CobiT and Val IT (usually alongside service management frameworks including ITIL). These frameworks are sometimes misunderstood and incorrectly categorised solely as 'audit' methodologies. Whilst there is no doubt that auditors do make use of, in particular, CobiT as an assessment tool for auditing IT related business processes and governance, its potential for enhancing corporate success through the application of technology is far greater when it is embraced directly by the IT function and the business.

I recently stumbled across a brief video clip from Michael Cangemi, an old friend and business colleague, in which he explains very succinctly how CobiT and Val IT can benefit the enterprise. This clip is at  http://www.youtube.com/watch?v=bg_GEN8AZA0&feature=related. Readers may also be interested in another clip which refers to the CobiT game which seems to be a very novel means by which to enhance the CobiT learning experience. This one is at  

http://www.youtube.com/watch?v=z2WLY-TP2R0&feature=related.

Worth taking a look at both of these if enterprise governance of IT for value creation is of interest to you.

 

Today's CW story regarding CIOs' attitudes towards innovation (http://www.computerweekly.com/Articles/2009/09/29/237909/cios-are-followers-not-leaders.htm), based upon a survey carried out by Coleman Parkes for Fujitsu, makes interesting reading, particularly when read in conjunction with a recent ISACA report on the CEO's views on IT governance (www.isaca.org). The two reports are remarkably complementary.

The Fujitsu survey suggests that few CIOs regard themselves as innovators, with the majority regarding themselves as followers. Fewer than 50% of respondents reportedly were prepared to invest in technology that had yet to be proven successful elsewhere, with around one third even suggesting that nothing other than 'industry standard' technology would be implemented within their companies. Whilst caution and scepticism are essential attributes for any successful CIO, a willingness to take managed risk is also essential if real success and competitive advantage are to be achieved. So are CIOs missing a trick through allowing undue caution to temper their innovative ideas?

The ISACA survey looks at the same issue from the perspective of the CEO and Boardroom. Their findings indicate that some 40% of CEOs were sceptical about the contribution of IT to innovation with over 30% being critical about the ability or willingness of the CIO to inform the business about the innovative value of new and emerging technologies. Both surveys suggest that the current CIO priorities are based around process improvement and cost efficiencies, understandable perhaps in the current economic climate but, as Paul Parrish, UK managing director of Fujitsu Technology Solutions reportedly states, 'those that are able to harness the power of IT in the coming months will be fitter and leaner for the upturn when it inevitably comes.'.

The key message in my view is the need for enhanced regular and open communication between the CIO and the CEO. Innovation always carries risk but taking risks will always be essential if businesses are to prosper. Any risk involving technology needs to be shared between the business and IT. The final decisions on implementing innovative technology need to be taken by the business based upon fully informed input on risk and opportunity from the IT function. For the CIO to be regarded as an equal and trusted Boardroom colleague (or to aspire to Boardroom status) he or she must be prepared to lead from the front in discussions and decision making on technology innovation and not shy away from it. 

 

Today's news that the London Stock Exchange has decided to replace Tradelect with MillenniumIT probably comes as no surprise. However the decision to actually buy the whole company (for a reported £18m) was unexpected - by me anyway. From a business and a governance perspective this appears to be a good decision. As the LSE CEO states 'this transaction enables the group to implement a new, more agile, innovative and efficient IT capability for our future business needs.....'. LSE is now in a position to determine the future strategy for its key IT platform enabling direct alignment with any future business needs without having to rely on external outsourcing partners or suppliers.

It is interesting also that all announcements on the trading platform change have come from the Chief Executive and not from IT leadership. This again reflects the business centric focus of the selection process and the almost certain direct Board involvement in this key business decision. It looks like a good financial decision as well. Tradelect took four years and £40 million to design, build and implement. Whilst significant costs are still to come, the £18 million paid for the company looks like a sound investment - with the possibility of further sales (outside Europe) of the software being a potential additional revenue generator for the future. The value to risk ratio looks heavily in favour of value. Today is a good day for the business governance of IT. 

The fact that 'bad processes lead to bad outcomes' is one of the oldest cliches in the book, hence it is perhaps unsurprising that many more enterprises are adopting frameworks such as CobiT, Val IT and ITIL to help them formalise and optimise their business and IT processes for efficiency, effectiveness and cost optimisation. Whatever the benefits may be, process improvement is never easy. It needs to be approached and managed in a properly disciplined and formalised way through a programme of activities requiring proper constituent buy-in, management and governance. It will not come for free, requiring investment of time and resource, together with commitment from the top. Such a programme, as with any investment, will require prior justification and approval with the costs and the benefits fully articulated and quantified.

A new research paper from ISACA (www.isaca.org) 'Building the Business Case for CobiT and Val IT' should provide particularly useful and timely for those enterprises wishing to embark on a process improvement programme yet who may be struggling with preparing their own business case. The research, carried out by the University of Antwerp Management School, provides convincing evidence of the correlation between enhanced  business and IT processes and business success. The paper is based upon global multi-industry research with almost 600 enterprises responding to the detailed survey upon which the findings are based. Although the research will not help directly in formulating your own business case - which necessarilly will need to take into account your own circumstances, maturity and priorities, it will provide useful background material to help with the justification. It also provides useful evidence of which key processes potentially provide the greatest value in terms of achieving both IT and business goals.

All in all a very useful read to help any enterprise in their quest for enhanced value from investment in IT. 

For technology dependent enterprises I have long been a supporter of the concept of the Board Technology Committee. Such a committee, comprising executive and non-executive Board members, perhaps with the addition of some additional experienced resource, can provide useful input, and where appropriate, a challenge to the setting and implementation of the technology enabling business strategy. The concept can be a particularly valuable one where the CIO does not have a Board position him or herself. Most enterprises already have Audit Committees, Remuneration Committees and Risk Management Committees therefore Technology, where it is of strategic importance to the enterprise, should equally be represented.

One enterprise that already does this is NYSE/Euronext. No-one doubts the importance of technology to trading platforms such as the New York Stock Exchange and Euronext and it is good to see that their Technology Committee forms an essential part of their governance structure. The Committee is chaired by a Brit, Sir George Cox who, many years ago, was a forming partner of Butler Cox, a well respected UK consultancy firm. His credentials are impeccable. I had the pleasure of meeting Sir George at an IT Investment Value seminar at which I was speaking a year or so ago and it was good to hear his perspective on the importance of value to business investment decisions, He was particularly clear that investment governance messages need to be targeted to the senior business audience, ie the Board, rather than to the CIO and IT management, although from my recent experience CIOs are fast coming on board the value bandwagon. This is encouraging.

For those interested in following the NYSE/Euronext example, the charter of their Technology Committee can be freely downloaded from http:/www.nyse.com/pdfs/technology_charter.pdf. If anyone is aware of any other good examples I would be delighted to hear from you.

Amongst the responses to my recent blog on Value Management Offices was one from Jim Clark from Portland, Oregon. Jim's own blog recently carried an article on Project Management Landmines (http://www.pmhut.com/avoiding-project-management-landmines) which contains useful thoughts on typical project problems and how to avoid them. In his response to me he makes the valid point that the achievement of value will always be inhibited by budget and time constraints. This may be true but it makes it even more important to set realistic budgets and timescales in the first place, together with a full identification of quantified benefits and the timescale over which they will arise. This will then enable the project (value) manager to work closely in partnership with the development team and the business sponsor to spot value delivery problems at the earliest stage (including at specification/approval stage and immediately post-implementation) and find practical ways to resolve the issues. After all is there little point in implementing a solution with known quality and functionality issues merely to meet budget and time constraints? Unless expectations are properly managed this is a sure way to achieve user frustration, reputational damage and, ultimately, value destruction. We all live in the real world and recognise that time and budgets are genuine constraints but we must recognise also that quality and functionality are the inevitable consequences of squeezing either too hard.   

The CW story http://www.computerweekly.com/Articles/2009/08/03/237159/britannia-and-co-operative-set-for-it-journey.htm regarding the merger of Co-operative Financial Services and the Britannia Building Society indicates that, following the merger, much needs to be done to decide which systems to use going forward. This begs the question as to the extent of IT related due diligence and pre-merger planning that went into the deal before it was agreed. Whilst not knowing how much or how little was done in this instance, in my experience, despite its potential to unlock post merger value, IT is often subject to a relatively perfunctory review as part of the due diligence process. This can prove to be a major mistake as the potential for value from IT can often have the opposite effect once the merger euphoria has dissipated. The failure to spot lock-in to significant contracts, the failure to identify failing or unnecessary projects, the loss of key staff through merger uncertainty, together with many other matters, can quickly turn value creation into value destruction. Many companies have learnt this the hard way.

During my professional career I have been involved in many due diligence projects, often being given only a very few days to carry out the IT related reviews, sometimes in very complex environments. Indeed in many instances IT was excluded from the due diligence completely. By contrast my financial and tax specialist colleagues would bring in large teams and spend weeks reviewing their aspects of the proposed deal. Perhaps little has changed.

Successful and ambitious CIOs need to ensure that they are involved from the outset in any merger or acquisition activities. IT will be a key success (or failure) factor in any significant M&A activity in almost all industries. Within financial services it could be a potential deal breaker. IT can certainly have a significant effect on deal pricing. Enterprises that pay insufficient attention to the impact of IT on M&A success do so at their peril.