June 03, 2009, 4:16 PM — Many IT organizations continue to struggle with strategy alignment and demonstrating the value of IT to the business. Recently a group of IT Executives discussed this topic and concluded there was no silver bullet when it comes to IT Governance, or is there?
IT Governance can be defined as the guiding principles for directors on how to ensure the use of IT is effective, efficient and acceptable. Robert McIsaac, Group Vice President & Chief Information Officer, First Citizens Bank, simplified it when he indicated “effective IT Governance is about using the right resources on the right problem in the right amounts at the right time”.
It remains high on the focus list because the business may not have fully grasped the effect IT has on its operations, and IT hasn’t fully become part of the business. There has also been some confusion about the difference between IT Governance, effective IT Management, standards and best practices. In reality, you cannot have effective IT Governance without effective IT Management and the use of industry standards and best practices. But it’s the partnership between IT and the business that will ultimately lead to effective IT Governance.
The following strategies are worth considering; however, not all techniques work effectively for all organizations:
• IT Steering Committee: having a committee comprised of the right executives to discuss IT investments seems, on the surface, to ensure IT investments are being given the proper focus. However, having these discussions during normal management meetings is the true indicator that IT is truly part of the everyday operation of the business.
• Charge Back System: Although being able to allocate IT costs to particular parts of the business does increase everyone’s awareness and help in determining priorities, it can create animosity if not handled properly. Knowing the cost and being able to calculate the return for the organization on investments are much more important than distribution of IT costs to the business.
• Organizational Structure: The best organizational structure for an organization depends on the personalities and strengths of the executives involved. Having the CIO report directly to the CEO may have little to do with the effectiveness of IT Governance. However, it does send a signal externally on the importance of IT to the organization.
• Organizational Culture: IT has to become part of the business and the business has to accept IT as being a strategic partner in the business. The IT executive has to speak in business terms and show how IT brings value to the organization. Changing the culture of the organization is often a long and arduous task and requires a strategic plan, patience, and most of all commitment from the top of the organization.
• Use of Frameworks and Tools: There are a number of frameworks that address IT Governance issues including ITIL, COBIT and the new ISO 38500 standard. No one framework will assure that IT resources are used effectively, although using these frameworks can increase the chances that they are. The GRC (Governance, Risk and Compliance) tools assist in Risk and Compliance Analysis but may do little in the Governance areas except for organizing documents and assisting in communication. Communicating in a one-on-one fashion may be better than relying on tools to ensure communications happen.
• Communications between IT and the business: On one hand, IT is in a great position to have open communications and interaction with other parts of the business. They are better positioned to help the other departments than anyone else in the organization. Chuck Musciano, CIO of Martin Marietta Materials, states “Can you imagine some other department going to another department to find out about how they operate their business? The problem is that the ‘I’ in IT sometimes seems like it stands for introvert; good technicians often find it hard communicating in direct one-on-one conversations”. So the CIO has to be, and has to have people who are, conversant in both the technology and the business.
It is difficult to identify the perfect solution to IT Governance, but the following are signs that it’s not working:
• The CIO reports are filled with technical jargon
• The CIO spends a large amount of time in their office
• The business selects the CIO based on their technical expertise
• Project overruns seem to be the rule, rather than the exception
• IT projects get allocated based on corporate politics rather than value to the organization
• IT-related risks tend to have higher probabilities and impacts than at similar businesses
So there may be no silver bullet when it comes to effective IT Governance except that IT has to be an integral part of the business and it’s the board and senior management’s job to make sure they have the right people, organization and culture in place to make that happen.
It will also be a positive sign when effective IT Governance is discussed between board members and CEOs and not necessarily between IT Executives.
About Visage Solutions – www.VisageSolutions.com
Visage Solutions is a consulting company operating in the areas of regulatory compliance, risk assessment, information security, risk management, business continuity and compliance processes. Utilizing our proprietary SingleVue™ and OpsAudit™ methodologies, the company focuses on assisting business entities in mitigating operational risk. Visage has provided solutions to a client base ranging from private, entrepreneurial companies to large multinationals. Our team is comprised of experienced executives, managers and consultants who can assist clients with the development, implementation and execution of their risk management and compliance strategy.