Organisations need smart governance mechanisms that keep IT and government agencies jointly accountable and responsible for linking technology to their most important strategies.
Everyone has a favourite story about IT accountability gone wrong. Take Glenn Miller, the managing director of security software distributor Janteknology.
In July 2001 as the Code Red virus swept corporate networks around the world, Miller got a phone call at his Sydney home on a Friday night from the chairman of an Australian financial services company whose Web site had been crippled by the killer worm. Miller asked the chairman what security the company had in place. In a pompous tone the caller said an investigation was under way, logs were being checked, heads would roll, yada, yada, yada. When the chairman finished his spiel, Miller said: “So in other words there is no security.” The chairman answered: “That’s correct”, and asked Miller for help.
It cost more than $10,000 to get that e-commerce operation back online. However, it was offline for a week. That cost the company millions more. Miller was stunned that a management team would leave itself so vulnerable and a board member could know so little about the IT fundamentals of his organisation.
While this type of exposure is not often part of the IT risk profile of Australian governments or their agencies, it depicts the danger every public or private sector enterprise courts when it ignores due diligence. Would the Department of Defence be so nonchalant about our naval weaponry? Would any state government take such a cavalier approach to purchasing? Would a shire council run its vehicle fleet uninsured?
The gurus at management consulting firm McKinsey dispense with diplomacy when they say that one of the main reasons for such poor IT performance is that business managers and IT managers often have different goals, different styles and different attitudes — sometimes to the point of suspicion and contempt. McKinsey says this impasse creates an environment where business managers refuse to be accountable for technology investments and IT ventures fail to match organisational demands. In short, there is no IT governance.
Track RecordAustralian governments are no worse than those in other countries when it comes to IT governance. In fact, a new study by strategy and technology consultants Booz Allen Hamilton, called The World’s Most Effective Policies for the E-economy, identifies Sweden, the US, Canada and Australia as having the strongest e-government development in the world. Australia was named with the US and the UK as having a favourable regulatory environment and strong institutions to support e-commerce.
Booz Allen said the most successful approaches consist of strong government leadership and a dual focus on back-office integration and front-office service delivery. Australia was complimented for its extensive use of IT within government and its high level of government interaction with citizens and businesses. The report also noted that Australia is one of the few countries making progress in measuring the impact of its government IT initiatives. All of these findings suggest sound IT governance in Canberra.
But there is no room for complacency. The Information Systems Audit and Control Association (ISACA), an international group of more than 26,000 IT professionals, says that as an integral part of enterprise governance, IT governance rests at the top. Best practice IT governance defines the issues and the strategic importance of IT; it ensures an enterprise can sustain its operations; and it helps implement the strategies required to guarantee a bright future.
McKinsey says that to get more value from IT investments, organisations must persuade business managers — not technologists — to set the IT agenda and hold them accountable for results.
Conversely, selected IT managers should be drawn into business units and be made more accountable for that unit’s performance. Describing the task of building stronger relationships between business units and IT departments as “extraordinarily difficult”, McKinsey says it has identified four major hurdles: entrenched cultural differences, too much bureaucracy, decisions made outside normal channels and too many junior managers. Until organisations ensure their IT managers are business literate and the business involves senior managers in IT, there is little chance of the two sides working together effectively.
Susan Dallas, a research director with Gartner Research, says to maximise the effectiveness of IT governance, enterprises must ensure that their fundamental IT principles and decision-making authority are clear and have wide support. Organisations that fail to establish effective IT governance will continue to suffer from low esteem and the CIOs whose operations lack credibility will need to keep their CVs dusted.
Diverse DomainsIT governance can be categorised by: domains (the “what” of decisions about IT), authority (the “who” responsible for making key decisions) and structures and processes (the “how” of decision-making). Gartner points out that the notion of five IT domains — the “what” of IT decisions — is drawn from Peter Weill and Richard Woodham’s work published in April last year by the MIT Sloan Centre for Information Systems Research, Don’t Just Lead, Govern: Implementing Effective IT Governance. The domains embrace the ways IT is used in the enterprise — its principles, architecture, infrastructure, business applications and prioritisation.
Establishing credibility is vital. Forrester Research says in these fiscally challenged times IT’s centralisation of control and focus on infrastructure leaves new opportunities unrealised. This creates the impression among business units that IT is unresponsive. The remedy is for IT governance to reconcile three conflicts: budget timing, resource flexibility and accountability for results. It has to balance IT and business control and build trust between the two groups.
But this can be harder to achieve than might be imagined at first blush. Tom Worthington believes the first barrier to sound IT governance is simply staying its course. As a past president of the Australian Computer Society and a Visiting Fellow in Computer Science at the Australian National University, Worthington knows something of IT governance. “What surprises me isn’t a lack of a systematic approach to IT decisions, but the lack of process for non-IT business decisions,” he says.
“The IT industry has no end of qualitative methodologies for making decisions, but most business people aren’t trained to work that way. There is still a tendency to search for silver bullets and move from extreme to extreme. The danger now, for example, is to dump outsourcing in favour of insourcing. Where is the long-term strategy? There are many things that organisations have done well in the past yet some of these successes get lost in the implementation of the next new thing. We should keep the things that worked well and address in a new way those that didn’t,” Worthington says.
The disconnect between technology, strategy and business frustrates Worthington because it creates undue pressure on CIOs. They blame the seductive nature of technology — how it constantly creates new ways to do old things more efficiently or fools people into thinking that old rules do not apply. “We’re not overcoming the laws of nature or economics,” says Worthington. “A dollar still costs a dollar. But we’re all subject to this temptation. It’s a natural reaction. So we have to keep reminding ourselves that most IT software never works and most of what does work is never really of much use. You’re never going to be able to give a guarantee to management about software. Creating great software is a very complex and difficult process and I’m surprised when the stuff actually works as it should.”
The Big PictureWorthington says another major barrier to sound IT governance is the lack of respect for the Australian IT industry. This will surprise the National Office for the Information Economy (NOIE) as it seeks to play a lead role in fostering sound IT governance within government. Its recent report, Australian Government Use of Information and Communications Technology: A New Governance and Investment Framework, is designed to create a more strategic approach to information and communication technology (ICT) governance in Commonwealth agencies. The report is the result of a year-long review of the government’s ICT investment arrangements by a NOIE committee that comprises public service managers at secretary and CEO level.
The CEO of the NOIE, John Rimmer, says recommendations in the report will help make the implementation of ICT across departments and agencies more efficient and lead to better delivery of government services. Rimmer believes that while agencies should make decisions about their own ICT investments, a new “big picture” approach is essential to ensure government service delivery remains focused on community needs.
The NOIE report has evoked mixed reactions from Australia’s IT community. Some claim it lacks context and does not acknowledge what worked in the past. Others say the need for a centralisation strategy is identical to the need for a decentralisation strategy: if you are at one extreme, the other extreme looks attractive. Worthington suggests that a suitable subtitle for the new NOIE framework might be: “Those who refuse to look at history’s mistakes can get away with repeating them.”
“There seems to be about a five-year decentralise/ centralise cycle with IT governance in the federal public service,” Worthington says.
“The day I arrived at the Defence Department I attended a wake for the disbandment of the central IT organisation, done to improve accountability and efficiency. A few years later IT was re-centralised, again to improve accountability and efficiency. Perhaps the cycle is linked to the length of time a senior executive stays in a position or to how long it takes a project to fail. Each time IT projects start to go wrong, the bureaucracy can say: ‘We have a great new idea, we can fix the problems with those old projects by [de]centralising.’”
Integration ChallengeJohn Roberts, vice president and research director of Gartner Asia-Pacific, says the real challenge of IT governance for government is that government is not just one entity. However, what Roberts sees of IT governance across Australia’s three tiers of government makes some of the larger organisations world leaders.
“Take Centrelink or the Tax Office,” he says. “Both have become very sophisticated in their use of IT and the CEOs of those types of organisations understand and play a significant part in IT governance. The smaller government departments are almost policy type groups. Their IT use is low in comparison so IT governance is of less significance to them.”
Roberts says the clarion call to get all government services online raised the profile of IT in Australia’s public sector. Now, NOIE and many state governments are trying to decide what comes next. The Victorian government recently provided an example with a new position stating that its future focus will be on putting people at the centre of its IT initiatives.
“The concept here is that even though each agency has made its services available online we still need to know which agency to go to,” Roberts says.
“So the new challenge is to get services integrated. That has major IT governance issues. NOIE has started grappling with it by trying to bring together a cross-agency council. And that’s also happening with state governments — central groups trying to coordinate IT. But these groups can’t simply dictate proceedings. They need to persuade and cajole and get consensus. The challenge is to break down the barriers that exist between each department — which have their own IT operations and their own minister — and recognise the greater good. It’s no different in private enterprise. Every large organisation has silos.”
Private sector enterprises use IT to reduce costs and reach customers in more innovative ways to gain competitive advantage. But while government is also driven by operational efficiency, it does not have the profit motive or the competitive impetus. Instead, Roberts says government agencies have two other driving forces — politics and community service.
“Sometimes things are done in government because it involves a political return,” Roberts says. “Other times, it’s for total value to the community rather than for internal efficiency. Each individual government agency has to make these trade-offs. That’s what makes IT governance more difficult in government than in the private sector.”
And what of local governments, especially the city councils of our major capitals or those big budget councils of growth areas like western Sydney, northern NSW or the Gold Coast? The president of the Australian Local Government Association (ALGA), Mike Montgomery, says given their limited resources, IT governance is even more important to local government. The ALGA estimates the average spend by councils on IT is 5 per cent of budget, compared to 10 per cent for state governments and 15 per cent for the Commonwealth government.
“The main issues concern the lack of resources and the diverse nature of local government in Australia,” says Montgomery.
“Most decisions are made at the local council level and there is as yet only limited cooperation between councils. The state local government associations are starting to address these issues and Networking The Nation funding has provided resources to develop new approaches to IT in local councils. However, NTN funding only runs until June 2004.”
Other barriers vary according to the size and location of councils. Small, regional, rural or remote councils struggle with a lack of awareness of IT issues, inadequate training and over-dependence on vendors and consultants. Larger councils battle IT’s complexity and pace of change.
The ALGA is currently working on two NTN projects that are relevant to improving IT governance for local government. The State and Territory Information Sharing project (STATIS) is developing a Web-based system to share information about the range of local government online initiatives across the country. It provides a forum to develop and discuss standards, principles and benchmarks for all local e-government activities.
The second NTN project will produce a business architecture to improve the interoperability of ICT systems and services within local government, and between local government and state and Commonwealth governments. The framework will include standards, guidelines and best practice on IT governance.
Setting the StandardMarc Englaro, a project manager with boutique IT consultancy Si2, is heading a Standards Australia (SA) committee seeking to establish a recognised standard for IT project management. This is part of a wider SA project on IT governance that aims to produce an Australian guideline covering the technical, business and contractual elements of IT projects and management. Englaro says the audiences being targeted by SA are boards of directors because while there are many methodologies on how IT projects and software development should be conducted, most are focused at the technology professional.
“There is a gap between the boards that control an organisation and the people who are actually implementing its IT strategies,” Englaro says.
“This gap is the root cause of those $50 million project failures that strike without any warning. There are not many areas of a business where you can be surprised like that. Unlike other areas where strategies are tried and true, IT has an intrinsically higher level of investment risk because of rapidly changing technology. So risk management or risk analysis is more important, yet it is not done nearly as much as it should be.”
Everyone agrees that the governance of IT, like any other critical business function, must come from the top — just as policies for production, services, sales, marketing or distribution are made by the board and filtered down. As the professor of software engineering at RMIT University, Fergus O’Brien, says: “We need to give boards of directors the ability to ask the right questions of their IT departments, and to understand the answers.”
Only then perhaps, will the horrors of multi-million dollar mistakes and frantic Friday night phone calls truly become a thing of the past.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.