At many companies, information technology costs are second only to those for staffing. Yet many executives are unclear on exactly how that money is spent and how much value is delivered as a result. While tracking the value of IT investments can be complex, it is not impossible. In fact, it is critical, as IT can be one of the most significant value drivers within an organisation.
According to the IT Governance Institute’s (ITGI) IT Governance Global Status Report, more than 93 percent of business leaders recognise that IT is important for delivering an organisation’s strategy (see box story “What’s wrong with this picture?”). On the other hand, poorly chosen IT investments can lead to value erosion, financial or reputational damage, and competitive disadvantage. To ensure that IT adds value – and doesn’t diminish it – organisations need to ensure that their IT is carefully governed. A strong IT governance programme will mitigate risk and facilitate the strategic direction of the business.
IT governance, which helps ensure that IT sustains and extends an organisation’s strategies and objectives, is an integral component of overall enterprise governance. However, because the pervasiveness of IT has created dependency upon it, IT governance merits specific focus by the board of directors.
The first step for CEOs and boards to take in establishing effective IT governance is to ask some basic questions about IT within their organisation to uncover existing IT issues, identify present IT management practices and self-assess current IT governance practices. ITGI’s CEO’s Guide to IT Value @ Risk, a complimentary download for executives available at www.itgi.org, advises CEOs and boards to ask the following questions:
Uncovering IT issues
• How often do IT projects fail to deliver what was expected?
• Are end users surveyed about the quality of the IT service and if so, what are their responses?
• Is IT regarded as an enabler or as an inhibitor of change?
• Are sufficient IT resources, infrastructure and competencies available to meet strategic objectives?
• What has been the average overrun of IT operational budgets? How often and by how much do IT projects go over budget? How does this impact the achieved versus expected ROI?
• Do IT-related investments meet the ROI criteria of the enterprise?
• How much of the IT effort goes toward system maintenance and fire fighting, and how much to enabling business improvements? Is this ratio acceptable and representative of the industry?
Finding out how management addresses IT issues
• How and how well are enterprise and IT objectives aligned with each other?
• How is the value delivered by IT being measured? Are the assumptions reasonable, and are intangible benefits verified?
• What strategic initiatives have executive management taken to manage IT’s criticality relative to maintenance and growth of the enterprise, and are they appropriate?
• Is the enterprise clear on its position relative to technology: pioneer, early adopter, follower or laggard?
• Is it clear on risk appetite: risk avoidance or risk taking?
• Is there an up-to-date IT risk register relevant to the enterprise? What has been done to address those risks?
Assessing the board’s IT governance practices
• Is IT a regular item on the board’s agenda? If so, is it addressed in a structured manner?
• Does the board articulate and communicate the business objectives for IT alignment?
• Does the board review and approve the IT strategy?
• Does the board have a clear view on the total IT investment portfolio from a risk and return perspective?
• Does the board receive regular progress reports on major IT projects?
• Is the board regularly briefed on the IT risks to which the enterprise is exposed?
• Is the board getting independent assurance on the achievement of IT objectives and the containment of IT risks?
When answers to those questions have been established, executives will have a clearer view as to where the organisation currently stands in terms of IT governance and in what direction it should head. Then, key actions can be taken to begin implementing a successful IT governance programme, including integrating IT governance within enterprise governance, defining IT governance roles and responsibilities, and developing an IT governance implementation plan.
According to the CEO’s Guide, implementation can be broken down into the following steps:
• Set up an IT governance organisational framework. The framework will take IT governance forward and own it as an initiative, with clear responsibilities and objectives, as well as participation from all interested parties.
• Ensure that IT goals enable and support business goals. What are the current business concerns where IT has significant influence (eg, cost reduction, competitive advantage, merger/acquisition)? Obtain a good understanding of the business environment, risk appetite and business strategy as they relate to IT. Identify the top IT issues on management’s agenda.
• Define and understand the risks. Consider previous history and patterns of performance, the size and scope of the existing or planned IT environment, the nature of the IT initiatives being considered, outsourcing considerations, etc.
• Define target areas for improvement. Identify the process areas in IT that are critical to managing risk.
• Analyse current capability and identify gaps. Determine where improvements are most needed.
• Develop improvement strategies. Define specific IT governance projects based on the benefits, ease of implementation and focus on important IT processes.
• Measure results. Establish a balanced scorecard mechanism for measuring performance. Monitor the results of new improvements.
• Repeat steps two through seven on a continuous basis.
By asking the right questions and following these steps, boards will be well on their way to achieving an effective IT governance programme. To accomplish all this, it is essential that boards possess, or have access to, proper skills that will enable them to ask the right questions, fully understand – and possibly challenge – the answers, take the precise actions needed, and sufficiently monitor the results. This does not mean, of course, that every board member must become an expert in IT.
Instead, the necessary knowledge and expertise can be achieved through one or more of the following:
• The chief information officer (CIO) sitting on the board (especially appropriate in highly IT-dependent organisations).
• A board member with IT-related business skills to whom the CIO reports.
• An IT steering committee chaired by an IT-savvy board member.
• Formal IT-related business education of all board members.
• Appointment of a non-executive director with the appropriate skills.
Attaining good IT governance – and thus, adding value to the enterprise – does not happen by accident or by merely telling the CIO to make it happen. Instead, it happens as a result of preparation, proper implementation and continuous monitoring. However, only half of boards have IT on their agenda on a regular basis, according to the IT Governance Global Status Report.
This statistic is worrying, especially given the significant rewards that organisations may achieve if they make IT a board priority.
• Southwest Airlines’ supply chain transformation improved the forecast of demand, reduced procurement costs and increased service levels while costs fell.
• IBM saved US$12 billion over two years by linking up disparate pieces of its supply chain, thereby reducing inventory levels.
• Extensive IT synergies form a significant part of the financial success at Great-West Life’s several acquisitions.
If value creation through IT governance is to be achieved, the tone must be set at the top. CEOs and boards must appreciate the risks and opportunities inherent in IT. With strong commitment from leadership, IT governance can transform an