Traditionally, the IT department has been regarded as a burden – a necessary but unwelcome drain on resources that adds little in the way of value to the business. But in recent years, this perception has been challenged. As Paul Beach, head of corporate banking at Atos Consulting, puts it: “IT has moved from being a low-value enabler for the organisation to becoming something far more fundamental to the business process.”
Much of the change has come about because of increasing regulatory requirements. The most high-profile of these is the Sarbanes-Oxley Act, which affects publicly quoted companies in the US. However, UK organisations are also facing current or forthcoming regulatory change, including Basel II, the European Commission’s Eighth Directive on auditing and the Freedom of Information Act. These regulatory requirements have one key thing in common – they cannot be met without IT. Only IT can retrieve information hidden away in legacy systems or on desktop PCs across the organisation that may be crucial to achieving compliance with the new rules. Meanwhile, organisations are also starting to realise that this same information can also add value to the business.
The idea of IT governance has come about as a way of imposing order on chaos. IT governance is about making sure that the organisation’s IT systems are aligned with the requirements of the business – in other words, about increasing the control the business has over the IT department. The definition used by the Control Objectives for Information and related Technology (Cobit) standard, which is issued by the IT Governance Institute, is “a structure of relationships and processes to direct and control the enterprise in order to achieve the enterprise’s goals by adding value while balancing risk versus return over IT and its processes.”
“Governance is that whole area of controlling unwanted activity,” says Jay Heiser, research director at Gartner, the research group. Mr Heiser argues that IT governance is largely about managing and reducing risk – making sure that systems are secure from viruses or unauthorised access, for example, or making sure that regulatory requirements are not being breached. Mr Beach points out that the careful management of risk has a direct relationship with the success of the business: “If shareholder value is coming out of your IT, then good governance of that is absolutely vital because a risk poorly managed could drive that value away.”
Implementing a programme of IT governance represents a challenge for organisations because of the traditionally difficult relationship between the IT department and the business. “The IT department historically has had a less than exemplary record in terms of its ability to communicate, its ability to meet targets, its ability to respond to business needs, and its ability to speak a language that the rest of the board members understand,” says Ayman Gabarin, vice-president of IT governance at Compuware, the IT management software provider.
In many organisations, the board has taken a hands-off approach to IT, allowing the IT department to make its own decisions, and to suggest new projects or programmes that might benefit the business. The consequence has often been that money has been poured into failing projects, says Jan Babiak, managing partner and head of information systems assurance and advisory service at Ernst & Young. “We can provide hundreds of examples of failed system implementations that cost millions and the question is: ‘Where was the board?’ And if you go back and look at the board minutes around it, it wasn’t even discussed.”
Furthermore, since the decline of mainframe computing and the growth of client-server and desktop computing, there has been a trend towards decentralisation, with business units often implementing their own IT projects. IT governance requires a reversal of this trend – a top-down, centralised approach, where the business specifies its requirements to the IT department, and asks for solutions that will meet those requirements, and where decisions about IT spend are made at the top and implemented throughout the organisation.
There are two good reasons for the return to central management of IT. One is pure efficiency: centralisation enables organisations to avoid duplication and to rationalise resources. “The cost of maintaining infrastructure is quite onerous to the organisation. It’s very difficult to take costs out of the business if departments just go away and do their own thing,” says Jim Campbell, consultant at Diagonal Consulting.
The other reason is that, as compliance becomes more important, the CEO and board members need to have a top-level view of information across the whole business. It is impossible to do this if data are scattered in silos throughout the organisation. “Almost all those issues of corporate governance, particularly in terms of accurate financial reporting, are totally dependent on IT systems,” says Tim Jennings, research director at the Butler Group, the analyst, “yet typically there’s no one in the organisation who’s got a broad perspective to say: ‘When we produce our financial reports, I can give you a high degree of confidence that that’s what’s going on.’”
Putting an IT governance strategy in place involves rethinking some fairly central relationships – between IT and the board, between IT and the business units, and between the board and the business units. A clearly defined strategy is essential, either using a recognised standard, such as Cobit, BS 7799 or the Information Technology Infrastructure Library (ITIL), or a formal framework drawn up by the board in consultation with the CIO. This framework would normally include a service level agreement (SLA) that would allow the business to measure the performance of the IT department.
The starting point is to make sure that there is at least one board member with responsibility for IT governance who, as Mr Jennings puts it, “understands the big picture in terms of compliance, understands the process issues, and perhaps may not understand the fine detail of the technology but can liaise with the CIO.”
The role of the CIO itself has to change, too – no longer should he or she be someone with a narrowly focused IT-centric view of the business. According to Mr Campbell, “An IT director is about 80 per cent understanding the business and 20 per cent understanding IT. It’s not someone who’s concerned with wires and bits of paper flying around; it’s someone who actually understands the business and what it’s trying to achieve.”
The central plank of the IT governance strategy should be understanding the risks to the organisation and putting procedures in place to manage them. This covers both risks to business continuity and project risk. “The organisations that have an effective way of dealing with risk deal with all forms of risk,” says Mr Heiser. “They treat regulatory issues as just one more form of risk, just like they treat flood and lightning damage as one more potential form of risk. They set up a consistent framework for identifying all the potential bad things that could happen and set priorities.”
The strategy should also include portfolio management, which is about identifying the different elements of IT spend in the organisation, such as infrastructure, applications and projects, and understanding the way they are used. “Project portfolio management is an important way of getting the big picture – undertaking the right projects in the first place, identifying the rogue projects going on that often happen in large organisations of which people aren’t aware, and providing better visibility to projects as they go through,” says Mr Jennings. One way of doing this, suggests Ms Babiak, is to avoid giving IT departments huge chunks of money to carry out a project. Instead, she says, some businesses now fund the IT department one milestone at a time: only once a milestone is successfully met is money released for the next phase of the project. This avoids the common problem of IT projects that drag on for years while more money is poured into them.
The dangers of this top-down approach to IT governance are that business units will resent the loss of autonomy and that the business itself will lose flexibility. It is important, therefore, that heads of business units are involved in decision-making about IT, such as which applications are taken forward and which are abandoned. The process of implementing governance needs to go hand-in-hand with a programme of change management, without which the organisation will fail to gain stakeholder buy-in.
If IT governance is about the business gaining greater control over the IT function, it is also about developing a greater awareness of the direction of the business. Without knowing where the business is going, it is impossible to align IT with the business. “The disciplines you need to have good IT governance actually align with the disciplines you need to have good business strategy and governance,” says Ms Babiak. “I’ve seen many IT departments that could do a good job of figuring where we’re going to be in five years, but when the business is in disarray, you have a lot of problems deciding where that big infrastructure spend is going to go.”