Weill uses the example of Carlson, a Minnesota-based organisation. Carlson has a division devoted to shared services, Carlson Shared Services. "CSS has a catalogue for division heads," Weill says. "You can have laptop service that's gold, silver and bronze." The gold service has better support and more features, but costs more than a bronze service. "Some of those services are then outsourced, because they benchmark them every year in terms of unit costs and then decide whether they want to do it internally or externally," he says.
Because costs are not equally variable across every service, not every service is suitable for the shared services model. Therefore, Weill recommends organisations "produce a service catalogue, and then within that big service -- for example a printing service -- have an index called the variability index, which varies from one to five.
"A high number like five means that the behaviour of the manager can affect the cost of the service," Weill says. "Printing's a five -- if you choose not to print you have a much lower bill for your printing. Whereas networking's a one. It is not very affected by how much you use it because it is per seat."
DECISION 5: What security and privacy risks do we accept?
"Security and privacy risks that are part of our everyday life -- you can't mitigate them all," Weill says. "In fact the question is: how much risk should you mitigate?"
As much as every organisation would love to be immunised against all security and privacy threats, executives must consider the return on investment. "The marginal return for an extra dollar spent on security risks gets smaller and smaller and smaller, so they're big decisions about how you should spend that extra dollar," Weill says. [For more on how to invest wisely in security, see 'How to Sell Security' on page 10]
Motorola has a good solution to this problem, he says. "Every year, Motorola chart a fairly simple graph and break it into zones to determine where they'll spend their money."
Motorola's chart plots the potential business impact of each security risk against the probability that the threat will affect the company. High-impact threats with a high likelihood of affecting the company take precedence over any other threat.
Motorola is notable not just for how security spending decisions are made but also for who makes the decisions. "What's so impressive about Motorola's model is it's not an IT decision, it's a business governance decision," Weill says. "There's a group from across the organisation that sits and thinks about this problem and identifies the kinds of risks that they are willing to take and how much mitigation they're willing to invest in."