This paper was submitted as part of the Australian Computer Society’s Certification Program

Cover Page

Student Name: Jeff Garner
ACS Member No: 1009282
Contact Phone Number/s Mobile: 0411 878 658 Home: 07 3821 4437
Email: jeffg@
Subject: Management & Strategy for IS 1 (CCS221)
Assignment Number: 1
Topic: Who is accountable for IT Governance?
Who is accountable for IT Governance?

By Jeff Garner, Principal Consultant
July 2004, Object Centric Solutions Pty Ltd

Executive Summary

Are you concerned about IT governance in your business? Then read on. IT governance is a key component of corporate governance and requires a framework to facilitate timely and accurate accountability of your IT investment. The need for a senior management team, conversant with treating IT as an investment and expecting a return, is a core theme of this paper. Many people have talked about aligning IT and business; this paper goes a step further and shows how you can achieve accountability of IT in reaching your business's goals. This is undertaken through a mapping of IT governance to goals while harmonizing “what” you want to achieve with “how” you are going to achieve it. The strategies proposed for introducing IT governance mechanisms are not uncommon in successful businesses today but may present some CEOs with a personal challenge for organisational change.

Introduction

This paper addresses concerns expressed by many Chief Executive Officers (CEOs) with regard to IT governance. What is IT governance? How does it fit with corporate governance? What is the Chief Information Officer's (CIO) role and how should this role interface with the senior management team? Although some research has been drawn from US sources, there is an emphasis on the Australian experience, with examples from HIH and Bank of Queensland. CEOs and senior managers in medium to large Australian businesses, as well as government, should find this paper of particular relevance.

What is IT governance?

Broadbent and Weill define IT governance as “the assignment of decision rights and the accountability framework to encourage desirable behaviour in the use of IT” (Weill, 2003; Broadbent & Weill, 1998). An Australian flavour to the definition of corporate governance of ICT is “The system by which the use of ICT is controlled.
It involves evaluating and directing the plans for the use of ICT to support the organisation and monitoring this use to maintain that plan. It includes the strategy and policies for using ICT within an organisation” (DR 04198 - Corporate governance of information and communication technology, 2004:6).

Whether it is the “IT” or the European influenced “ICT” view of the world does not make a significant difference. Australian federal and state governments have adopted the term ICT and for our purpose both IT and ICT are interchangeable. They both encompass the hardware, software and business processes that constitute the information system of your organisation.

Why should IT governance be an issue for senior executives when technology is an accepted and pervasive tool in today’s modern organisation? Its very pervasive nature and capital investment are exactly why senior management needs to sit up and take notice. In the Best of Information Age it was quoted that “the Wall Street Journal has reported that almost half of all American business capital spending now goes on IT, compared to a fifth in 1990” (Head 2004:2) and I am sure this trend may be applied to Australia with our growing ICT deficit (Houghton: 2003). Even considering the expenditure on Year 2000 (Y2K) IT issues, this is a revealing insight into the investment commitment IT now commands.

What are the drivers for IT governance?

Surely the level of IT capital investment alone must make senior executives demand better governance to be able to make informed decisions about IT and maximise the value returned by the business. The Justice Owen report April 2003 into the HIH collapse stated “HIH was plagued by a variety of deficiencies in its information systems. As a result, it was deprived of timely and reliable information as a basis for management decisions.” (The Failure of Governance and Systems: Module 2).
This same article also quotes Deloitte Touche Tohmatsu forensics expert Tim Phillipps warning “perhaps one in every three Australian companies still experience reasonably significant challenges with information flowing through to management,…”. The Justice Owen report facilitated many law reforms and prompted the Australian Stock Exchange (ASX) Corporate Governance Council to release Principles of Good Corporate Governance and Best Practice Recommendations. (See Annex 1 for a list of these principles.)

Standards Australia is another body responding to the need for better governance. The standards AS 8000 Good Governance Principles, AS 8001 Fraud and corruption control, AS 8002 Organizational codes of conduct, AS 8003 Corporate and social responsibility, and AS 8004 Whistleblower protection programs for entities all contribute to a framework for providing good corporate governance. Standards Australia has also published a number of standards specific to the IT industry, including: AS/NZS 17799:2001 Code of practice for information security management, HB 240:2000 Guidelines for managing risk in outsourcing using the AS/NZS 4360 process, and AS/NZS ISO/IEC Standard 12207:1997 “Information technology – Software life cycle processes”. So it is evident that the public outcry from business failure has resulted in government, industry and standards bodies all taking up the challenge to benchmark best practice for corporate governance.

What about the environment that a business operates in? Consider the challenges of Y2K, Goods and Services Tax (GST) compliance and the ever-increasing demand to do more with less. In an eight-year worldwide study of over 100 businesses the authors opened with the words: “We have embarked on a new era of competition, one of faster paced, more global, and increasingly volatile, simultaneously requiring that firms find new ways to differentiate and to create value while relentlessly reducing costs.” (Weill and Broadbent: 1998: vii). This is still relevant today and, if anything, has picked up pace, with technology being accepted as a core infrastructure requirement in many modern businesses. This relentless drive may be seen in multinationals that are physically located in different time zones around the globe to allow for 24 hour, 7 days per week (24/7) operations and routinely expect the technology to deliver that capability.

Even with a raft of legislation and reforms the human factor still plays a big part in ensuring governance is effective. The human factor may be seen in the HIH collapse, “Unpleasant information was hidden, filtered or sanitised.” (A Tale of Management too Strong and IT too Weak: Module 2), and in a USA Today survey where 82% of CEOs admitted lying about their golf scores (Honestly?!: Module 1). Where is the line for honesty and accountability? There is no line! The widely held belief that the decline in the teaching of basic Christian values will be detrimental to our future social fabric is in some way being addressed by the inclusion of ethical instruction in many of our educational institutions and professional bodies.
The wild card in governance, then, is you, the CEO. From the people you govern and the culture you engender, the governance of the organisation is distilled. How do you make IT governance an integral part of your unique corporate governance framework?

How does IT Governance fit with your Corporate Governance?

As the business demand for a technology based infrastructure increases, there needs to be a realisation that senior managers can no longer treat IT as a cost centre but must focus on IT as an investment. Yes, we still have Sales, Marketing, Production, R&D etc. but we now have what Weill and Broadbent call the “New Infrastructure” (Weill and : 6). This is a layered infrastructure underpinned by a Public Infrastructure that includes such things as electronic shopping, Internet, telecommunications and service providers.
Business has always had the challenge of deciding where to invest to give the best return for their shareholders/stakeholders. This has not changed, and a “common business language” (Weill and Broadbent. 1998: ix) (DR 04198 - Corporate governance of information and communication technology:4) must be found to facilitate the investment in IT and the return of value on that investment. To do this we must look at establishing an IT Governance framework that works with your Corporate Governance framework. Marianne Broadbent (Gartner Symposium ITXPO 2002: Module 2) adopts a model from MIT Sloan CISR (Weill and Woodham) to do just that. This involves the IT Governance framework having three major components.

1. What decisions need to be made?
2. Who has the decision and input rights?
3. How are the decisions formed and enacted?

Broadbent supports the framework by mapping the “What” of governance (enterprise goals, IT governance style and performance measures) with the “How” of governance (desirable IT behaviour from enterprise goals, IT governance mechanisms in place and IT metrics and accountabilities) so that we can make the “trail of evidence” for IT governance transparent. Taking the link from desirable IT behaviour to enterprise goals allows us to continue the “trail of evidence” to the broader corporate governance umbrella. This “trail of evidence” is supported by Professor Peter Weill in his model of Corporate and Key Asset Governance (Don’t Just Lead, Govern! Effective IT Governance: Module 2).

Having shown that IT Governance fits within your Corporate Governance framework, we must look at the way the business makes its decisions and why the CIO must have a meaningful contribution.

What should the CIO role be in your business?

We can now look at the second component of “Who has the decision and input rights?” to help establish the CIO’s role best suited for your business.
Broadbent suggests that these decision rights may be exercised through the six styles of Business Monarchy, IT Monarchy, Feudal, Duopoly, Federal and Anarchy. A matrix of the five major IT Decision Domains and these six styles was applied to a study of 250 businesses. This resulted in different governance styles being identified for different IT domains with the Federal style dominant. This may be an exercise that you find beneficial to do in your own organisation (See Annex 2 for a template).

Having determined these relationships, some Governance mechanisms were considered for forming and enacting decisions. In essence these were different communication mechanisms with varying levels of effectiveness. Interestingly “senior management announcements” were most effective followed by “formal committee”.

The ability of the board to set the direction for a business is paramount. Without direction there can be little to focus on for the senior executive team. Shared organisational goals allow executive committees to focus on driving the business forward while providing scope for different points of view to be expressed and ideas canvassed. There are also times when CEOs and other senior executives need to take decisive action of their own volition but this does not release them from their duty to seek informed opinion.

Given the level of investment in IT today, the CIO has an overarching responsibility to facilitate the communication of the influence that IT exerts on the business landscape. From board members to the executive team there needs to be an informed common dialog around the organisation's IT infrastructure and architecture. Issues such as Outsourcing and Offshoring may have a major impact on corporate governance.

Recent experience as a customer of the Bank of Queensland (BOQ) has highlighted the disruptive impact on customer service and staff morale that introducing new systems can have. In June 2004 the BOQ, through their outsourcer, Electronic Data Systems (EDS), introduced new systems to their branch network and Internet banking services. Expectations were established for a weekend changeover and a period of one week to bed the systems in. This expectation was not met and three weeks later the BOQ is still experiencing service outages. This example shows that Outsourcing does not relieve a business of governance responsibilities and may actually lead to specification barriers through lack of direct IT involvement. (Weill and Broadbent, 1998: 44)

In the mix of business types, management styles, corporate cultures and operating environments we can look to the CIO for flexibility in wearing many hats. Your business may be in survival mode, maintaining the status quo or breaking away into new markets, or doing all three in different business units. (A Pivotal Role: Module 1).
At the very least your CIO should be an important part of your management team, ensuring IT is contributing directly to your business goals and keeping your team informed of IT trends, opportunities and threats.

How does the CIO contribute to business goals?

Apart from the communication role for senior management, the CIO has an integral role to play in helping achieve the business goals. This may be even more significant in the public sector, where the CIO must have keen political instincts to survive. (Creating a public-sector CIO job description: Module 2)

When we look at aligning IT to business goals (Weill & Broadbent: 1998: 41) and harmonizing IT governance to enterprise goals (Creating Effective IT Governance: Module 2) there is no explicit or implied CIO role that must exist. The process, however, does have to be managed and the incumbent must be able to deliver in a number of areas. Broadbent says, “CIOs need to deliver on three demand side imperatives (lead, anticipate and strategise) and three supply side imperatives (organise, deliver and measure).” (A Pivotal Role: Module 1). This encompasses communication with customers, suppliers, IS group and business executives. Delivering on these imperatives requires a CIO with excellent communications skills.
At times an educator and at other times someone willing to take on the board to get what is needed. (The Tale of Management too Strong & IT too Weak: Module 2)

Results, published 9/3/2004, from a Gartner survey of 956 CIOs show that 16% are “breaking away”, 69% are maintaining competitiveness and 15% are fighting for survival. (Gartner Issues Annual CIO Survey Results: Module 1). Gartner believes that alignment with the rest of business and exhibiting “breakaway” behaviour would bring CIOs more success.

We now need to look at what strategies may be adopted to achieve this alignment with the rest of the business and how the CIO may realise some of this “breakaway” behaviour.

What strategies work best

The RACV has a governance model that puts an IT steering committee and executive committee in charge of the governance of IT. (Who’s in Charge: Module 1) Perhaps a more collaborative approach to management, one of a team environment, would balance risk and reward better than an adversarial approach with dominant senior management. Jonathan Gosling and Henry Mintzberg think that “Leaders don’t do most of the things that their organisations get done; they do not even make them get done. Rather, they help to establish the structures, conditions and attitudes through which things get done. And that requires a collaborative mind-set.” (Five Minds of a Manager: Module 1).

This could involve committees responsible for one or more of the IT Decision Domains. These committees would involve senior executives, business unit heads and specialists as required. The CIO would be involved on a number of committees with possibly different roles. Technical specialist, strategic planner, futurist, outsourcing guru or business continuity expert could all be roles the CIO may take up. This will depend on your organisation and the business environment you operate in.
Blockbuster Video’s IT director Steven Ash “is expected to take an active leadership role in delivering and supporting the overall goals and objectives of the company and to offer up ideas and solutions to issues or improvements across every department.” (Who’s in Charge: Module 1)

It would be nice to be able to pigeonhole the CIO but businesses operate in a fluid environment and roles must be flexible to adapt to the current state of flow.

How does your CIO communicate with your executive team?

What your CIO should NOT sound like:
“Did you know that ISO has issued 123 standard for payments over TCP/IP with IP6 and ISO 4567 incorporated”

What your CIO should sound like:
“Did you know that we can now get payments directly paid to our bank account over the Internet and the risk from hackers has been reduced. We should look at this and see if the technology can deliver value with this lower risk exposure.”

Peter Hind has the old view of IT as “piggy in the middle” and change can impact a business on the four fronts of industry change, workforce change, technology change and socio-economic change. (Squeeze Play: Module 1). This is surely a case of the glass being half full. An entrepreneurial CEO/CIO would have a strategy that incorporates IT as the business enabler that could leverage these opportunities and not see them as only threats.

Conclusions

So, who is accountable for IT Governance?

When it is all said and done, the board of directors and the senior management team will be held accountable for IT governance as a key component of their existing responsibility for corporate governance. (Don’t Just Lead, Govern!: Module 2)

No doubt, this will place even more pressure on the CIO. They will not only need to be open and transparent with the processes they employ to align IT and business but also deliver on the six CIO imperatives while continuing to do more with less.

• Are you serious about how your investment in IT delivers value in your business?
• Is your CIO part of your senior executive team?

The challenge is yours. Don’t just lead, govern! (Don’t Just Lead, Govern!: 2003)
Annex 1

The ASX Corporate Governance Council's ten corporate governance principles

1. Lay solid foundations for management and oversight
2. Structure the board to add value
3. Promote ethical and responsible decision-making
4. Safeguard integrity in financial reporting
5. Make timely and balanced disclosure
6. Respect the rights of shareholders
7. Recognise and manage risk
8. Encourage enhanced performance
9. Remunerate fairly and responsibly
10. Recognise the legitimate interests of stakeholders

Annex 2

Which governance styles are used for different types of decision in your business?

Style \ Domain    | IT Principles | IT Architecture | IT Infrastructure Strategies | Business Application Needs | IT Investment
Business Monarchy |               |                 |                              |                            |
IT Monarchy       |               |                 |                              |                            |
Feudal            |               |                 |                              |                            |
Federal           |               |                 |                              |                            |
Duopoly           |               |                 |                              |                            |
Anarchy           |               |                 |                              |                            |
Don’t Know        |               |                 |                              |                            |

Business Monarchy – A group of, or individual business executives (ie: CxOs)
IT Monarchy – Individuals or groups of IT executives
Feudal – Business unit leaders, key process owners or their delegates
Federal – Shared by C level executives and at least one other business group.
IT Duopoly – IT Executive and one other group
Anarchy – Each individual user
References

ACS (Australian Computer Society). Management & Strategy for IS 1: study guide
ASX Corporate Governance. (Accessed July 28th, 2004).
Broadbent, M. Effective IT Governance. Gartner Symposium ITXPO 2002. Gartner
Broadbent, M. 2003. A Pivotal Role. . August, 13-16
Bushell, S. 2003a. Who’s in Charge. . June, 102-107
Bushell, S. 2003b. A Failure of Governance and Systems. . August, 75-79
Bushell, S. 2003c. A Tale of Management too Strong and IT too Weak. . August, 81-85
DR 04198 - Corporate governance of information and communication technology. (Accessed July 20th, 2004)
Gartner Issues Annual CIO Survey Results. 2004. (Accessed April 17, 2004)
Gosling J and H Mintzberg. The five minds of a manager. The Weekend Australian Financial Review, January 4, 64-65
Head, B. 2004. The Big Spend is now. The Best of Information Age. June, 2-3
Hind, P. 2004. Squeeze Play. . April, 39
Houghton ., Australian ICT Trade Update 2003 (Accessed July 28th, 2004)
Wallington P. 2003. Honestly?!. . May, 56-57
Weill P. 2003. Don’t Just Lead, Govern! Effective IT Governance. MBS Alumni Thought Leadership Forum. October 16 (Slides)
Weill, P. and M. Broadbent. 1998. Leveraging the New Infrastructure. Boston: HBS Press.
Bibliography

Aberdeen Group, Inc. 2003. Turning IT Security into Effective Business Risk Management. An Executive White Paper. July 2003.
ACS (Australian Computer Society). Management & Strategy for IS 1: study guide
Alter, A. 2003. The Role of the CIO: Are Budget Pressures Overwhelming You?. (Accessed March 22, 2004)
ASX Corporate Governance. (Accessed July 28th, 2004).
Broadbent, M. Effective IT Governance. Gartner Symposium ITXPO 2002. Gartner
Broadbent, M. 2002. The Heat is On. : 13
Broadbent, M. 2003a. The Right Combination. . April, 13-14
Broadbent, M. 2003b. A Clear and Present Objective. . May, 13-14
Broadbent, M. 2003c. A Pivotal Role. . August, 13-16
Broadbent, M. 2004. Deciding Factors. . January, 11-12
Bushell, S. 2003a. Getting the Big Guns Onside. . May, 82-87
Bushell, S. 2003b. Who’s in Charge. . June, 102-107
Bushell, S. 2003c. Rising to the Challenge?. . July, 82-87
Bushell, S. 2003d. A Failure of Governance and Systems. . August, 75-79
Bushell, S. 2003e. A Tale of Management too Strong and IT too Weak. . August, 81-85
Bushell, S. 2004. For The Love of IT. . December/January, 47-51
CFO Europe: Is the role of chief risk officer just a fad?. (Accessed February 8, 2002)
CIO magazine’s 2003 State of the CIO survey. . April 2003, 47-48
Clancy, G., . Brown and R. Scholer. 2002. Fast Track for Sallie Mae: A Post-Merger IT Integration Success Story. 2002 SIM Paper Awards Competition.
Cramm, S. 2004. Oh, the Perils of the OCIO The right way to deploy an Office of the CIO structure. . April. 38
Darwin, . 2004. Darwin John: Team CIO. (Accessed February 11, 2004)
Davies, . Reshaping the Information Era. (Accessed January 10, 2002)
DR 04198 - Corporate governance of information and communication technology. (Accessed July 20th, 2004)
Duffy, D. Underground Fears. . 1(1). 34-39
Economist Intelligence Unit. 2003. Testing the Defences. Facing up to the challenge of corporate security.
Feld, C. IT Leadership in 2010. (Accessed February 11, 2004)
Fitzgerald, M. 2004. Chief Beggar, Fortune-Teller and Juggler. . April. 36-39
Foo, Fran. 2003. CIOs: A dying breed?. (Accessed March 22, 2004)
Fragiacomo, L. 2004. The networking game. MISAustralia. April, 86-87
Gartner Issues Annual CIO Survey Results. 2004. (Accessed April 17, 2004)
Gates, R. 2004. The New CIO Paradigm. . January, 13
Gosling J and H Mintzberg. The five minds of a manager. The Weekend Australian Financial Review, January 4, 64-65
Head, B. 2004a. Talking about My Generation. . April, 85-90
Head, B. 2004b. The Big Spend is now. The Best of Information Age. June, 2-3
Heifetz . and M. Linsky. 2003. Line up partners, position your enemies, and control those on the fence – six lessons in being a leader. . March, 63-65
Hayes, M. 2003. Quest for Quality. (Accessed April 23 2004)
Hind, P. 2003. A Sporting Chance. . October, 117-123
Hind, P. 2004. Squeeze Play. . April, 39
Hill, I and C. Toman. Implementing COBIT at Curtin University of Technology. (Slides)
Hoenig, C. 2003. Hidden Assets. CIO. May, 36-38
Houghton ., Australian ICT Trade Update 2003 (Accessed July 28th, 2004)
Information Systems Audit and Control Association. Approved for Issue IS Auditing Guideline. Corporate Governance of Information Systems.
Information Technology Management in a Merger and Acquisition Strategy. (Accessed January 31, 2001)
IT Governance Institute. . (Accessed April 19, 2004)
Jackson, G, A. 2004. A CIO’s Question: Will You Still Need Me When I’m 64?. (Accessed March 22, 2004)
Lebihan, R. 2004. IT screw – ups take a toll on mergers. Australian Financial Review. January 8
Legislative Analyst’s Office. Information Technology Governance. (Accessed February 29, 2004)
Lofgren, C. 2003. The Importance of Being Influential. CIO. April, 22-23
Kennedy, L. 2003. State of the CIO. . April, 50-55
Kidd, K. A. 2003. The Seven habits of wildly unsuccessful CIOs. (Accessed January 7, 2004)
Kim, G. and J. Allen. 2004. High-Performing IT Organizations: What You Need to Change to Become One. (Accessed June 2, 2004)
Koch, C. 2004. CIOs want to do business with offshore companies with high CMM ratings. . March, 63-69
Kost, J. 2003. Creating a public-sector CIO job description. (Accessed March 13, 2004)
McCue, A. 2003. CIOs on the way out?. (Accessed March 22, 2004)
Marlovics, D. 2003. Straddling the Great Divide. CIO. April, 30-32
Maxwell . 2004. Manage to lead. MISAustralia. February, 15
Mills, K. 2004. Predictions 2004. The Australian, February, 10, 1-5
Minds. 2003. . May, 69-75
Mullins, S. and . Klinowski. 2003. Defining the complementary job roles of the CTO and CIO. (Accessed April 9, 2004)
Murphy, T. Achieving Business Value from Technology. Gartnerpress: John Wiley & Sons, Inc, 151-167
New National Guidelines for IT Governance and Project Management. (Accessed February 29, 2004)
O’Neil, Rob. 2004. Death of the CIO – again. (Accessed March 22, 2004)
Parry, E. 2004. A CIO Conversation: Sprint’s Mike Stout.
Perets, A, F. 2003. The CTO role is not what it used to be. (Accessed April 9, 2004)
Prewitt, E. 2004. Corporate Culture Carries On Why organisations resist change. . April. 37
Robertson-Kidd, . 2003. Top ten leadership qualities of successful CIOs. (Accessed March 22, 2004)
Santosus, M. 2003. CIOs in a Class by Themselves. (Accessed March 13, 2004)
Saran, C. 2002. CIOs spell out strategies for success. (Accessed March 13, 2004)
Seabrook, D. 2003. Cost Pressures Focus CIOs on Business. Gartner. November 4
Scalet, S. 2004. Mike Hager escaped from the World Trade Centre …. . 1(1). 53-56
Sharwood, S. 2004. The moving target. MISAustralia. April, 27-30
Shove, M. 2004. IT’s a Risky Business. Information Age. February/March, 71-72
Sisco, M. 2003. Eleven traits that distinguish successful IT managers, (Accessed December 27, 2003)
Smith, C. 2003. Career challenges facing the modern CIO. (Accessed January 9, 2004)
Smith, P. 2004. Press the flesh. MIS Australia. April, 82-85
Sullivan, L. 2004. Tough Road to Quality Code. (Accessed April 23, 2004)
Toomey, M. 2003. Practical IT governance – empowering executives and directors. Software. April, 14-18
Vowler, J. 2004. Achieving the goal of CIO. . (Accessed March 13, 2004)
Wallington P. 2003. The Ins and Outs of Personality. . March, 24-25
Wallington P. 2003. Honestly?!. . May, 56-57
Weill P. 2003. Don’t Just Lead, Govern! Effective IT Governance. MBS Alumni Thought Leadership Forum. October 16 (Slides)
Weill, P. and M. Broadbent. 1998. Leveraging the New Infrastructure. Boston: HBS Press.
Woodhead, B. CIO priorities to change in 2004. The Australian Financial Review, November 13