CIO

Just Desserts*

When it comes to IT, sometimes organizations are their own worst enemy.

"I'm so glad you've come," he told Ann Moffatt, a director with the Australian Computer Society Foundation, as they sat down to lunch. "I've been looking forward to this lunch all week because I know that you will know why I signed a cheque for $800,000-plus this week for a new computer."

"Actually," Moffatt said, "I don't know. Why don't you ask your IT people?"

"They won't tell me!" he railed.

"When else do you sign a cheque for that amount without knowing what it is for?" Moffatt chided.

"Never," he said, "but IT says I won't understand."

So do organizations get the IT they deserve?

Well. One year Moffatt sat on an advisory board with an IT director from one of the big four banks, an elderly chap who knew nothing about IT but had been given the position and title to "keep an eye on" those IT people. Lunching with Moffatt he enquired whether she knew anything about system "X", the bank's new system that had regularly been the subject of media and industry speculation. Moffatt replied that she did not know much more than she had read in the newspaper or heard around the industry but would love to hear more about it from him.

"Oh dear," he said. "That's where I get my information from. I know you get 'round the industry so I'd hoped you could tell me all about it."

"Why don't you ask your IT staff?" Moffatt asked.

He replied he had asked, but they would not tell him. Soon after that lunch, the system was abandoned, costing the bank millions of dollars.

So do organizations get the IT they deserve?

Years earlier, Moffatt was put in charge of all development and a maintenance staff of 60-plus for the Australian Stock Exchange while a group of consultants from one of Australia's then largest management consulting firms was developing the new automated trading system, SEATS. When Moffatt insisted on integration testing, concerned about issues surrounding the docket numbers that recorded each trade, the executive resisted fiercely, insisting the consultants knew what they were doing.

"I dug my heels in and system testing was done with much harrumphing from the execs because more discrepancies were found," she says. "I was told that I had delayed the system for six months.

"With system testing complete, I insisted on user testing. 'Was I mad?' I was asked. This was late 1987 and huge volumes of stocks were being traded. I'd already stopped the system from going live for six months. Did I think that brokers would test a computer system? Hadn't my staff tested properly? Again I dug my heels in . . . More errors found!

"Seven months later the system went live the day before the October crash. Trading on that day was the highest ever on stock exchanges around the world. I was very proud that our system in Australia was one of the only systems in the world to stay 'up' on that day," Moffatt says. "Of course after that I was a hero but a weaker IT exec might have given in to 'the management', and guess who would have got the blame?"

So do organizations indeed get the IT they deserve?

You betcha.

Phil Windley, a US-based expert in using IT to add value to business and author of the blog Phil Windley's Technometria (www.windley.com), has been using just these words as a slogan since he was CIO for Utah from 2001 to 2002.

Time and time again, he says, he has seen organizations large and small that were their own worst enemies when it came to IT. Some were short-sighted, some were led by business leaders who did not understand what IT could and could not do, some refused to use best practices and other proven methods. The list went on. "There were a lot of reasons, but the end result was an IT infrastructure that didn't meet the business needs of the organization. Usually they blamed the wrong things or just lived with the results believing they were inevitable," Windley says.

It is easy, even natural, to point the finger at the CIO when IT goes wrong, but if the top end of the company does not understand IT or give the IT folks full support, and if the users at the other end have unrealistic expectations, just how fair is it for the CIO to cop all the blame?

Page Break

Painfully Aware

It is not as if CEOs are oblivious to their own IT policy and strategy weaknesses. According to the IT Governance Institute's 2004 IT Governance Global Status Report, although more than 91 percent of executives recognize that IT is vital to the success of their businesses, 76 percent also know that they have IT problems that could be resolved by implementing an IT governance framework. In addition, CEOs and CIOs alike named an inadequate view on how well IT is performing as their number one problem in their top 10 IT-related problems and priorities, and gave addressing operational failures as their highest priority.

The trouble is, recognizing the existence of a problem and identifying its root causes are two very different things. So, who is to blame when IT is not serving the company's needs and how does one decide accountability?

Terry Shipham, Bearing Point's managing director for Enterprise Solutions, who has spent approximately half his 25-year-long IT career in corporate IT and the other half in consulting, certainly thinks organizations, time and again, do get the IT they deserve. And they get those just deserts largely because of a stubborn refusal to learn from experience. "I think we see continued failures of implementation of systems, and you see the same reasons for those failures occur again and again," Shipham says. "You sometimes wonder why nothing changes to address that. It is very rare to see a proper engagement between the IT organization and the business in organizations."

One set of problems, Shipham says, comes about because the IT organization is either unable or unwilling to do sufficient planning or homework. Too often the IT group either fails to do requirements planning or fails to design systems properly, leaving people to operate by guesswork.

Take the example of utilities billing systems, where many organizations have failed to implement new billing or customer information systems despite their competitors' high levels of success in doing so. Typically, the problems arise because there has been a lack of requirements specifications, because people have taken on tasks they do not have the skills base for or because they have failed to fully examine the options. Sometimes a failure of the CIO to communicate the complexity of the work and a failure to engage the business in what will be a significant change program is also at fault.

But then again, if IT is guilty of not performing adequate due diligence, too often that is because the business will not let them.

"Everyone thinks that IT can't be too hard," Shipham says. "So I think there is a lack of patience, or even tolerance, from the business for the IT guys to do sufficient homework or sufficient planning. But on the other hand I don't think the IT people do a good enough job of communicating and taking these challenges to the business."

Blame, in other words, lies as often with the business as IT. Although it may not always be the individuals filling key positions, but rather the organizational structure that is most at fault. Kathryn Cason, president and co-founder of Requisite Organization International Institute, points out CIO work is as diverse as the number of people holding the title; the situation for the CIO who works in banking can be quite distinct from that of the CIO who works in retail or manufacturing.

"Let's put [the question of blame] in a more positive light: Who is accountable for the result of the work that the CIO does? That is clearly the CEO. So if the CIO is failing, then the CEO and board haven't done something that they should have done. And the success of the CIO is most often hampered by the lack of an intact functional managerial system," she says.

Cason was in Australia last December to attend the first conference in this country to examine the work of the seminal organizational scientist, the late Canadian Professor Elliott Jaques, who developed a comprehensive, unified theory of people and organization he named "Requisite Organization". Jaques's work has found wide application in organizations as diverse as the military, police, churches, schools, banking, mining and manufacturing. His research helped illuminate the nature of work, human capability and trust-inducing social systems as the groundwork for building strong, resilient, competitive, socially responsible employment systems. Implications extend from corporate governance to specific managerial leadership practices, equitable remuneration, role clarity and increased mutual trust. Integrated management is the key.

"There are problems in every organization that we go into around the world," Cason says. "And that is that there are large pockets of people in all of the functions who really don't have a manager that integrates their work with all the other people's in the company. Because of that, information systems technology simply can't get pushed through the organization.

"If you [have] a CEO who says: 'I have a CIO who is going to give us, the company, this system that we need to compete in the marketplace', but the CEO and the CIO do not have a complete unbroken line, managerial line, from that top to the bottom of the organization, there is no way that either one of them can integrate. And that is what the CIO is asked to do in architecture: to integrate information and also drive many processes. And unless there is an unbroken line flow in the organization for that to happen, they cannot integrate."

The fact that IT has primarily been pushed into a project management corner has proved disastrous, and the tendency to transfer that format to the rest of the corporation has created even more disasters, Carson says. Why is it disastrous? Because project management does not integrate the whole system, she says. The only way to integrate all the systems of the corporation is through the managerial model. "And if there is a break in any of that vertical or horizontal basic structure you create a friction that can seriously eat away at the effectiveness of everybody in the organization," she says.

Cason claims there are barely a handful of CEOs anywhere in the world today who can announce a change to their organization and know that within 24 hours every employee - even if there are 60,000 of them - will get the update. CIOs, often acutely aware this is so, risk being made scapegoats for circumstances entirely beyond their control. She advises the CIO to first get his or her own house in order, because their own organization will certainly reflect the disorganization in the rest of the company.

"If [the CIO] has a managerial system within his own organization that allows him then to go to other parts of the organization in a way that makes it possible for them to respond . . . it helps him actually get response from the rest of the organization," she says.

Page Break

Who's to Blame

Closely related to managerial structure is the issue of managerial control. David Preston, assistant professor of Information Systems with Texas Christian University, is developing a paper - a spin-off from the dissertation work he completed last year - that is seeking to address the issue of accountability for IT failures.

Preston argues that while CIOs are intrinsically responsible - at least in part - for the success or failure of IS within the organization, their actual culpability is typically dependent upon how much control they are given within the organization. True, what happens with IT is the CIO's responsibility, he argues, but whether IS succeeds or fails depends on what role the CIO is allowed to play in the organization as dictated by the CEO and the top management team.

"The CIO defined as a top executive purportedly can influence success or failure," he says. "However, if the CIO is not a legitimate member of the top management team, or if they do not have a direct reporting relationship with the CEO, are they really a master of IS's destiny within the organization? This is critical to how much the CIO can control the success or failure of IT within the organization.

That said, Preston points out that CIOs, having been given a degree of power, are also held to account for that power and the impact they make on the organization.

"Are there other elements as well? Certainly," says Preston. "What I looked at in the case of IS success or failure is a shared understanding of the role of IS in the organization. Sometimes, if the CIO is not on the same page as the CEO and the top management team, IS has got to be ineffective."

Black Widow Projects

Many organizations have suffered "black widow projects" - projects that should never have been given the green light but that went ahead anyway because there was a feeling there were business reasons they should be pushed forward, says Jo Stewart Rattray director of information security for Vectra Corporation. However, CIOs in too many organizations have equally been somewhat misplaced because they do not really hold a seat on the executive board even though they are in a C-level role, she says.

Rattray believes having that seat is paramount to an organization getting the IT it needs.

"There needs to be that strategic buy-in at the governing level as well, which means IT and the governance of IT are part of the organization's core objectives and corporate governance profiles," she says.

"There was a classic example with a large international retailer where they had been moving down the path in which it appeared they were in good shape governance-wise, but it actually was not until a couple of the C-level people left that they realized they were actually in a very bad position. They had good IT input into the organization but the governors and their security position were indeed compromised. Had there been some more openness and that seat at the executive level for the CIO, it would have been averted. Strategy should be meeting operations in those situations," Rattray says.

"The other interesting thing I have often seen is the incredible project that goes on and on and on because of a political need to go on regardless of the money that it has cost. I have seen this in some of the very large not-for-profit organizations, because there is politics in every sense of the word going on, and because there is going to be a change in legislation. So they are trying to play both ends against the middle to make sure that they are in the right position at the end of the day."

Australian Craig Watters, the CEO of Management Simulations, who teaches at DePaul University Chicago and has been in Chicago for the past 22 years, says not all the CIOs of his client companies - very large organizations, typically in the top 100 - have or need a seat at the executive table. For instance the CIO of Caterpillar, the world's leading manufacturer of construction and mining equipment, does not. He says he is not convinced a failure to grant enough responsibility to the CIO is necessarily a factor where the IT organization is seen as failing to address business needs. In fact, he says he can cite "glorious examples of organizations where the problems with the organizations have emanated from the CIO's area of direct responsibility, but that that doesn't necessarily mean the CIO should cop the blame".

Watters says two clients of his demonstrate the extremes. At one, one of the largest companies in the world, there is a training centre backed by an IT system "par excellence" with Web access via high-speed broadband, while at the other, also in the Dow Jones top 30 and one of the largest car manufacturers in the world, they cannot even guarantee telephone line access.

"The problem is twofold," Watters says. "Firstly, the IT department is not necessarily seen in the full light of strategic deployment: That is, I do not believe there are enough conversations about practical steps that we all need to take in the information technology domain, to be consistent with a particular deployment strategically. If you have got a strategy over the next five years that says: 'We are going to achieve this level of success by concentrating ourselves on these axes', then one of the questions needs to be: 'What are the support tools that we put in place for that?' And too often you go looking for a big IT strategy piece in the strategic plan and you do not find it because there is not one."

Yes, there are times that can be "unquestionably" the CIO's fault, he says. But more often than not it is because much of the leadership in these organizations does not understand the need for that kind of high-level IT intervention as it was not required when they were doing those kinds of jobs 10 or 15 years ago.

"For one thing, in too many cases the dominant coalition in the organization does not have the skill set to really recognize the desirability of a true IT strategy. And I do not think we have got enough CIOs who have got the clout and the balls to actually push it through as hard as they should. I also think that what CIOs do not do well is to beat their own drum. If you are looking for good PR CIOs, well, good luck to you."

When Watters gave the 30 senior executives of one Dow Jones top 10 company their manuals for a new system on a memory stick, more than 20 had to ask how they could get those manuals onto their computer. "Now these are the people that are making the senior strategic decisions for the deployment of company resources and they cannot even run a laptop," Watters says. "And several of them were quite open about it. One guy in particular said to me: 'Oh no, I never touch the computer - my secretary does that'. Well how is that bloke going to understand that information technology tactics make a huge difference to the quality of the strategy deployed?"

Watters believes as more senior executives become "IT-conversant" such problems will partially ease. But he argues the best way to turn such situations around sooner is for the IT department to be able to claim some "raging success stories". It is very rare still for companies to be able to attribute any element of their success to an IT strategy that really differentiates them from the competition.

"We need tonnes more of those success stories," he says. "Just the growing [numbers] of IT-conversant people is going to make a huge difference; but on the other hand I think some of those IT-conversant people are going to start kicking the asses of IT departments that are very reactionary."

Page Break

It Takes Two to Tango

How reasonable is it to demand CIOs be well versed in the business, as most businesses now do, while excusing business from knowing anything about IT? Bruce Campbell, a lecturer at the Faculty of Information Technology at University of Technology Sydney, is currently conducting PhD studies into the enablers and inhibitors to IS/business alignment, having interviewed both business and IT managers across a range of companies and industries. He says the perceived attitude to the IT role by senior business managers will, to a large extent, dictate the type of IT service provided. And changing that attitude is almost impossible.

IT is often regarded as a service but few business managers wish to become involved in either understanding or managing that service, Campbell points out. "It appears that, worldwide, IT management subjects are becoming less popular in business degrees at both undergraduate and postgraduate levels," he says. "A complaint of CIOs is that, in contrast, they are expected to have a reasonably in-depth knowledge of all other business functions. There is a double standard in operation."

Further, Campbell notes, the performance measures applied to business units and managers have a significant impact on the IT service that is provided. Most incentive and measurement schemes have a short horizon. This often results in IT-related decisions taken by business managers to maximize their own performance in the short term that are often detrimental to the organization in the long term. And the situation is not helped by the habit of many organizations of purposely putting various business units into competition with each other, making a corporate-wide IT response difficult to plan and implement.

"Each of these situations leads to different IS 'strategies' being implemented at different levels of an organization and in various business units," he says.

"The structure of most organizations makes it almost impossible to develop trust between IT and other personnel," Campbell says. "This, then, retards the development of shared domain knowledge, which has been shown to be vital in the provision of a superior IT service."

Peter Bars, partner, CIO Services with Deloitte, agrees the key to IT optimization lies not in the types, uses and cost of technology, but in the governance models used to manage and integrate IT within the business. It is not what you spend but how you govern IT that unlocks value.

Bars defines IT governance as the organized capacity to guide the formulation of IT strategy and plans, direct development and implementation of initiatives and the oversight of IT operations works well in order to achieve competitive advantage for the corporation. He says it comprises six key tasks: leadership; planning; capital allocation; policy setting; coordination and compliance; and monitoring and qualitative benchmarking. Governance goes to the heart of the IT infrastructure, Bars says: It is not static but continually evolves in line with shifts in the market and business environment.

"CIOs face two challenges: keeping the lights on, or the utility level, and pushing the strategic agenda. If the CIO can win credibility and respect at a utility level, there's more likely to be support, from the bottom up, for more innovative IT projects. Good governance means distinguishing the utility or must have elements of IT from the innovative components, which are essential for competitive advantage, in order to achieve value. Both elements need to be sufficiently dynamic to cope with increasingly unpredictable commercial environments.

"The CIO has the opportunity to give organizations the IT they deserve by using appropriate governance to unlock the value of IT and secure a seat at the top table."

Page Break

Turning It Around

So what is the remedy and how do you make your organization deserving of excellent IT? Bearing Point's Shipham believes the one change that can have the most impact is to get the people within the business and technology groups to be engaged in an appropriate way. This is not a question of engaging any particular organizational model or structure - Shipham says he has seen all manner of structures deployed - but of looking at the way the two groups engage and communicate and work together.

"I think that is number one: The IT department needs to do measurement and long-term planning, it needs to have a good sense of where the business is heading, and therefore what type of systems and platforms may be needed," he says. "Forward planning is probably number two. Number three is the need to do a realistic assessment of what they [the IT department] are doing. The fact that they can do one implementation of technology very well doesn't mean that they can do another.

"You continually see organizations take on things which in essence have as much an element of research and R&D as they have a project implementation. They are learning as they go. It's very hard to gain measures around time, cost and quality if you're still learning what the project is all about."

CIOs must also recognize that a person who is able to build a 10-storey commercial building is not the right person to build a 100-storey building or a tunnel or a bridge. The CIO needs to do realistic assessments and have the best possible management processes in play. "And the tools to some extent are not the issue here," Shipham says. "It's about having a realistic assessment of what your capabilities are and what the risks are around the project, so that you can work out where you might need to do things differently.

"What is it that the CEO and top management team expects? What are their expectations? If they don't think IS can do too much at all well, the CIO is not going to be able to get strategic initiatives off the ground. He or she needs to educate them and manage their expectations.

"On the other hand, if the senior executives in top management think IS can revolutionize everything that the organization is doing, then it is the CIO's role to inform and educate the top management team about the true capabilities of IS within the organization. You both manage them upwards and bring them back down to a realistic viewpoint on what IS can legitimately do for that organization," he says. Then the CEO and top management team will be much more deserving of excellent, purpose-built IT, and it will simultaneously become much easier to provide.

And that's a situation you'd think any savvy CEO would appreciate, especially if you believe that an organization indeed gets the IT they deserve.

* For nit-pickers: Yes, I know that the expression is actually "just deserts", but you try finding a picture of a desert. However, in the interest of fair play I did leave the correct version in the story itself. - Ed