Sharing the Load

Peter Weill, the director of MIT's Center for Information Systems Research, says there are six key IT decisions that CIOs and the business must collaborate on. Ignore them at your peril . . .
Asses Your IT Governance Performance

Asses Your IT Governance Performance

CIOs are used to shouldering the burden of IT budgetary and process decisions on their own but new research suggests it is time senior business executives started sharing the load.

With IT now integral to the success of every organisation, the question of who makes important budgetary and process decisions is vital. Professor Peter Weill from MIT in the US says important IT decisions should be made jointly by CIOs and senior business executives.

"We've been studying hundreds of companies, trying to understand what it is that differentiates them in terms of getting the kind of value they want from an IT investment," Weill says. "One of the signatures [of high IT performers] is the key decisions that are made are made jointly between people who run the technology and the people who run the business."

An Australian expatriate, Weill is the director of MIT's Center for Information Systems Research (CISR). Weill argues that CIOs and the boardroom should collaborate on six key IT decisions. Without this collaboration, he says, the consequences could be dire. "If senior executives don't participate in these six IT decisions -- if the IT organisation makes them alone -- the IT organisation takes on too much risk for itself and assumes that risk for the organisation," he says.

On the other hand, he says, when IT decisions are shared with business executives, "decision making becomes joint accountability". Weill's six key IT decisions are listed below.

DECISION 1: How much should we spend?

"In the end it all comes down to money," Weill says. "I think one of the hardest decisions we face is how much to spend on IT."

According to Weill, this is a question that is perennially on boardroom executives' lips. "I spend a lot of time working with boards and senior executives and that is the question they always ask me. As if there is one number that we could name and say, 'That is how much you should spend on information technology'."

Weill says two equally important corollaries to this question are "who should make these budgetary decisions?" and "how do we hold those people accountable for results?"

To ensure productive IT discussions at the boardroom level, it is necessary to alter the way IT investments are conceptualised. "We think of [IT investments] as a portfolio, in the same way as you would think of a personal investment portfolio in your own investment regime. We have come up with a framework that breaks information technology investments into four asset classes." The four asset classes are: transactional processes, information management processes, strategic development or innovation, and infrastructure. Importantly, any given project can be any combination of the four asset classes.

Page Break

Dividing IT investments in this fashion helps stimulate discussion among senior executives, Weill says. "Each one of these four asset classes has a different risk/return profile. Balancing risk and return gives a really good basis and common language for a debate around spending on IT, because it borrows on something that's very well understood by senior executives -- financial portfolio management."

With that common language established, the next step is for organisations to reweigh their investment in each of these areas according to their goals.

"For the spending question there's no one answer, but the discussion to be having is: 'Do we know enough about what we want to do to be able to have confidence in spending?'"

DECISION 2: Which business processes should receive your dollars?

For an answer to this question, you may have to rethink the IT budget allocation process for your organisation.

"We phrase [the question] as which business processes -- not what departments, not what functions, not what country or part of Australia," Weill says. "If your organisation doesn't allocate IT dollars along business process lines, this question could prove impossible to answer."

An insurance company, for example, may consider order entry, billing/payment and claims as three distinct business processes. The insurance company can then determine which of these processes requires the most IT investment.

To use this paradigm well, your organisation should also have a clear vision of the future that can be succinctly summarised on one page, Weill says. "The companies that do best with this have a vision of how they want to be 10 years from now. That vision is a one-page picture. Each project -- IT or otherwise -- will deliver value in its own right but adds up to more than the individual projects alone."

According to Weill it is important that this vision is shared by all those involved in the decision-making process. "If you don't have an agreed upon vision," he says, "then the best salesperson in the room wins every time."

DECISION 3: Which IT capabilities should be firm-wide?

"One of the big issues that comes up in IT is what should be standardised and shared and what should be local or unique to the unit," Weill says.

Page Break

Weill maintains that the traditional model of having only a thin layer of shared services -- with every department otherwise having their own IT processes -- is untenable because it drives up legacy maintenance costs. Under CISR's alternative model, all publicly available infrastructure and most shared and standard applications should be shared services. Data management processes unique to a department or business unit should remain separate.

Large or long-standing organisations may struggle with this step, due to the huge number of extraneous IT systems and processes that organisations naturally tend to accumulate. However, Weill says executives should be forever working to weed out the extraneous processes. "I believe that [streamlining] is within our power and would argue that if we don't do it, it is malpractice." Using Weill's model helps to sort the wheat from the chaff by identifying the extraneous processes.

Weill admits that shared services can be a tough sell to division or area heads. "Anybody who's worked in any shared service in an organisation will know as soon as you approach someone who runs a division and say, 'We'd like you to follow this shared service way of doing things', they say one thing to you -- 'Oh no, we're different'." But Weill says if you can convince division heads that costs will go down and efficiency will increase, even the most reticent among them will soon see the benefits.

CISR's model also has benefits for innovation. Weill recommends innovation occurs at the division-specific level. "When innovation occurs on top of the platform, it's got a high failure rate," he says. But this means innovations that do succeed are effective and worth incorporating into the organisation as a whole.

"[Innovative processes] that fail should be cleaned up. The ones that succeed then drop into the infrastructure if they have enterprise-wide capabilities. This gravity process is the way of dynamic learning in an organisation -- innovate, succeed, drop into the infrastructure, consolidate, free up money, innovate again."

Having effective accountability mechanisms in place is vital for the success of this model. "If you don't have accountability to figure out whether or not there are pay-offs, then you never know what was good about the innovation and what wasn't."

DECISION 4: How good do your IT services need to be?

"You get what you pay for but we can't fund everything," Weill says. "One of the things that we decide in IT is how good our services should be."

This question is best answered not by CEOs but by heads of individual divisions. "Most organisations, government agencies and others have services that have SLAs," Weill says. "Division heads can then pick and choose the best level of service they can achieve within their budgets, emphasising the services that the division uses the most."

Page Break

Weill uses the example of Carlson, a Minnesota-based organisation. Carlson has a division devoted to shared services, Carlson Shared Services. "CSS has a catalogue for division heads," Weill says. "You can have laptop service that's gold, silver and bronze." The gold service has better support and more features, but costs more than a bronze service. "Some of those services are then outsourced, because they benchmark them every year in terms of unit costs and then decide whether they want to do it internally or externally," he says.

Because costs are not equally variable across every service, not every service is suitable for the shared services model. Therefore, Weill recommends organisations "produce a service catalogue, and then within that big service -- for example a printing service -- have an index called the variability index, which varies from one to five.

"A high number like five means that the behaviour of the manager can affect the cost of the service," Weill says. "Printing's a five -- if you choose not to print you have a much lower bill for your printing. Whereas networking's a one. It is not very affected by how much you use it because it is per seat.

DECISION 5: What security and privacy risks do we accept?

"Security and privacy risks that are part of our everyday life -- you can't mitigate them all," Weill says. "In fact the question is: how much risk should you mitigate?"

As much as every organisation would love to be immunised against all security and privacy threats, executives must consider the return on investment. "The marginal return for an extra dollar spent on security risks gets smaller and smaller and smaller, so they're big decisions about how you should spend that extra dollar," Weill says. [For more on how to invest wisely in security, see 'How to Sell Security' on page 10]

Motorola has a good solution to this problem, he says. "Every year, Motorola chart a fairly simple graph and break it into zones to determine where they'll spend their money."

Motorola's chart compares the risk and potential impact on the business of a security risk to the probability of the threat affecting the company. High-risk threats with a high likelihood of affecting the company take precedence over any other threat.

Motorola is notable not just for how security spending decisions are made but also for who makes the decisions. "What's so impressive about Motorola's model is it's not an IT decision, it's a business governance decision," Weill says. "There's a group from across the organisation that sits and thinks about this problem and identifies the kinds of risks that they are willing to take and how much mitigation they're willing to invest in."

Page Break

DECISION 6: Who should you blame if an IT initiative fails?

"We should have someone to blame and therefore we should have some accountability," Weill says. "But it seems to me that's already too late in the decisions process. Organisations that do this well focus on what I call governance. To me IT governance is about decision rights and accountability. Who has the rights to make which IT decisions, and how do we hold them accountable?"

There is a fairly widespread perception that IT governance frameworks do nothing but add an unnecessary layer of bureaucracy to the process. This could not be further from the truth, Weill says. "It should be empowering, not bureaucracy," he says. IT governance decisions are needed, "because senior executives have limited bandwidth and so they shouldn't be the hub of every IT decision. There's a synonym to the word 'hub', and that's 'bottleneck'."

Weill also says organisations can easily adapt the financial governance models they likely already have in place for IT decisions. "The CFO of your organisation doesn't sign everything or improve every investment," he says.

"There's a financial governance model that says, 'Here's how we spend money, here's the budget, here's the audit, and so on'. Those tools are used by organisations that are really good at IT governance as well."

According to Weill, simplicity is key for any governance model. "Companies that do it well have a few mechanisms. They endlessly simplify and remove the obstacles and drive towards IT governance on one page."

An effective IT governance model pays off, Weill says. "We see companies who are in the top third of our measure of IT governance are 20 percent more profitable."