Governance: Getting the best returns on IT investment is an important part of IT governance. But to achieve this, the gap between IT and the business needs to close.
In 1776, when Adam Smith wrote “when ownership and control of corporations are not fully coincident, there is potential for conflicts of interest between owners and controllers”, little did he appreciate that he was sowing the seeds for what has become the great corporate governance debate of the late 20th and early 21st centuries.
Smith recognised that there were complex dynamics between the roles of business ownership and business management and that, as corporations grow, a need arises for a layer of governance to protect the interests of those who provide capital and those who, effectively, spend it. Indeed, Smith himself may be regarded as the grandfather of Sarbanes-Oxley and other regulatory legislation.
This need for corporate governance, whilst exacerbated by the corporate scandals of the last 30 years (just think Maxwell, Enron, Worldcom etc), has therefore been an essential component of good business practice for well over 200 years.
The same basic principles also apply to IT governance where, within many business entities, traditionally there has been a separation between those responsible for allocating funds for information technology investment, and those responsible for managing the investment.
With the perception, and perhaps the reality, that everything to do with IT is complex and hard to fully understand, there has often been a reluctance for senior business managers, and in particular the board of directors, to fully assume any sort of demonstrable and effective governance responsibility for IT.
Even with today’s dependence upon IT it remains rare, for example, for the CIO to have a seat on the board, and hence the reporting lines and the accountability for IT, at the highest levels, are at best ambiguous or inappropriate, and often non-existent.
The need to establish effective IT governance within today’s increasingly complex and IT-dependent businesses is generally accepted as a given.
All too often, however, its effectiveness is lost among well meaning, but ultimately meaningless, governance structures and processes, exacerbated by a real lack of knowledge and often a reluctance, perhaps a fear, to get involved at the most senior business levels of the entity.
In this respect I recall a meeting with the board of a significant institution in the City of London a couple of years ago, where a formal review of that institution’s IT governance had identified some very real issues that were contributing to the less than optimum return being achieved from its significant investment in IT.
Partly this was caused by communication problems between senior business management and the IT function, leading to ineffective and uncoordinated IT-related initiatives.
To help overcome this I had recommended some facilitated training for both IT management and executive board members in the development and implementation of IT strategy.
I had in mind partnering with an appropriate business school to provide this through a combination of workshops and individual mentoring over a period of time. Although the principle was accepted by the board, their concept of such training was that 30 minutes be allocated for it (in totality) at a future board meeting.
This demonstrated to me, yet again, the lack of fully informed engagement between IT and the business that still exists within so many corporate and public sector organisations.
It is a regularly repeated mantra that successful development and deployment of IT-related business change can only happen when IT and the business are able to work together in full partnership, using a common language, having a proper understanding of each other’s domains, within a culture of mutual respect.
A formalised, yet non-bureaucratic, approach to IT governance will help to achieve this.
Indeed, the business case for implementing appropriate IT governance is well proven. For example, research carried out by the Sloan School at the Massachusetts Institute of Technology (MIT) has identified that entities with higher levels of governance are able to achieve 40% greater returns from their investment in IT through their enhanced ability to:
- clarify business strategies and the role of IT in achieving them
- measure and manage the amount spent on, and the value received from, IT
- assign accountability for the organisational changes required to benefit from new IT capabilities
- learn from each implementation and become more adept at sharing and re-using IT assets.
This research is most encouraging as it provides evidence to support the view that governance is not just about regulation, compliance and bureaucracy; rather it is about how to obtain optimum returns from investment in IT and how to ensure that measurable and transparent long-term, sustainable stakeholder value is achieved.
This has to be a worthwhile objective for all organisations. However, according to a survey carried out by PricewaterhouseCoopers for the IT Governance Institute at the end of 2005, less than 20% of the almost 700 organisations surveyed believed they had already implemented IT governance, and 39% currently had no plans for implementing IT governance.
Partly this is a matter of definition. Ask two CIOs to explain what IT governance is and it is likely that you will get two different answers. Equally, ask the same question of two business managers and you will again get different answers.
The answers may not wholly conflict, and indeed may be compatible, but there remains much confusion as to what IT governance really means. To many it is all about compliance and regulation. To others it is all about delivering demonstrable value from investment in IT. The reality is that it is about all of these things – and more.
The definition used by Peter Weill of Sloan MIT in his book on IT governance is “specifying the decision rights and accountability framework to encourage desirable behaviours in the use of IT”. A little vague for some perhaps, but useful nonetheless.
The IT Governance Institute has defined it as “the structure, oversight and management processes which ensure the delivery of the expected benefits of IT in a controlled way to help enhance the long-term sustainable success of the enterprise”. Both of these definitions are equally valid.
IT governance is of fundamental importance in helping businesses maximise their returns from their IT spend. But it is about more than that. It is about transparency and openness of IT decision-making, and the delivery of sustainable returns.
It is about recognising and managing IT-related business risks. It is about compliance with relevant laws and regulations.
Above all, it is about ensuring that IT is properly understood and debated at boardroom level and that directors and senior managers are fully informed and engaged, at the right level, in IT-related business issues.
Paul Williams is a consultant, writer and speaker on IT governance and related topics. He is a past president of the IT Governance Institute and a former chair of the IT Faculty at the Institute of Chartered Accountants in England and Wales.