IT Governance
By Andre Griffith
“Ah, to hell with it, it’s your decision anyway.” With these words I gave up on arguing with my boss over his reluctance to immediately table proposals for an Information Technology Policy at the executive committee. There were certain hurdles relating to organizational politics that he deemed too important to ignore at that time. I disagreed vehemently; however, at the end of the day it was his decision to make. He was the one who sat at policy level in the company. My capitulation was not so much to him as to his “decision right”. It is these decision rights and their concomitant responsibilities that are the heart of Information Technology Governance, and indeed of any sort of governance. Peter Weill and Jeanne Ross, two researchers at the Centre for Information Systems Research (CISR) at the MIT Sloan School of Management, define IT Governance as:
“Specifying the decision rights and accountability framework to encourage desirable behaviour in using IT. IT Governance is not about making specific decisions – management does that – but rather, determines who systematically makes and contributes to those decisions.”
The questions of interest are who has the right to make the decisions, who has the right to contribute (or be consulted), who will be held accountable for the decisions, and how the decisions are to be implemented.
Weill and Ross considered a number of areas in the overall adoption and management of Information Technology, influenced no doubt by their earlier work on another MIT briefing entitled “Six IT Decisions Your IT People Shouldn’t Make”. That briefing argued that IT decisions are, after all, business decisions, and that just as with decisions involving the disposition of an organization’s material, financial and human assets, senior executives need to be equally concerned about, informed about and involved in decisions relating to information assets. In plain language, the six decisions are:
(1) How much should we spend? – This is essentially the IT budget, and this component makes what seems to be an obvious point: the IT budget cannot be unilaterally decided by the IT executives. While this may seem obvious, it is amazing how many times an IT executive is given carte blanche to spend, just because IT is seen as a magic bullet. At the end of the day, the IT budget decision should be subjected to the same capital investment criteria as any other investment. At a subsequent time, we will visit some models for appraising the IT investment.
(2) In which areas should we spend the IT dollars? – This component first concedes the reality of scarcity, and then asks which business functions and/or processes should receive priority for spending. Sometimes the answer to this question is tactical, as when investment in an HR application gives us the immediate benefit of reducing cost by managing the payroll more effectively; or it may be strategic, if for example investing in a quality control system gives us the springboard into entering markets in the medium and long term where competition based on quality is the only strategy option available.
(3) Which IT capabilities need to be organization-wide? – This really speaks to the decision between centralisation and localisation, that is, which systems should be standard across the organization, and which systems can be developed and deployed within individual business units. Reflexively, I would think that there are few companies in Guyana that would require much localisation. Exceptions may be the conglomerates such as DDL, Banks’ DIH, The Beharry Group etc. that have subsidiaries in distinct business lines. Standardisation generally reaps benefits associated with economies of scale, while localisation affords flexibility in dealing with the peculiar environment of each business unit. The case of central government is one where this component of IT strategizing would be non-trivial.
(4) How good do our IT services need to be? – This is perhaps the question that will resonate most with IT practitioners on the local scene. How good does the service really need to be? How much does an hour of system unavailability or downtime cost us? This will be readily answered by looking at what it costs us (if anything) to catch up on lost time. Can it be done during normal working hours (in which case the true cost is that you are carrying considerable spare capacity in your use of human resources), or will you have to pay overtime to catch up on work not completed because of the system outage? If you have a significant e-commerce operation, and many of your customers buy your products or services over the Internet, then lost sales may be significant. In reality, however, I can think of few businesses where the immediate impact of system downtime justifies the expectations of the principals and the executives. Most executives might accept a figure of 95% uptime because it sounds instinctively really good. In terms of the functioning of a computer system, however, this figure corresponds to 1½ days of downtime in a typical working month (more for businesses that work weekends) and, more importantly, will not usually occur in one continuous block but rather at random in smaller amounts of time. The latter is an issue of reliability and will be dealt with subsequently. At the end of the day, though, the point is that the question “how good do the services need to be?” is one that senior management needs to confront squarely, since achieving availability in the region of 99% and beyond is definitely not a trivial matter and implies that considerably more resources need to be allocated to achieve it.
(5) Which security and privacy risks will we accept? – This is another big one that executives usually shy away from. Many people instinctively equate questions of IT security and privacy with some hacker trying to penetrate your network in order to steal the family jewels. In fact, however, the most likely threats are invariably within: people who may abuse privileges or may unwittingly give access to unauthorized persons. In the example I gave at the opening, the policies in question related to acceptable use of the organization’s information assets by its employees. This includes, but is not limited to, considerations such as care of computer hardware, theft of information, viewing of pornography and circulation of offensive material, the last of which could expose organisations to legal action and considerable costs in some jurisdictions. My position is that we should not wait for Guyana’s legal environment to catch up before cracking down on undesirable behaviour, even if such behaviour is not expressly illegal in our local context. A standard risk management framework will examine the likelihood of each security event actually occurring and the potential impact of that event. The combined effect of likelihood and potential impact is used to determine what stance the organization takes to each risk. Again, this is a responsibility of the executive management and not solely of the IT executive.
(6) Who is accountable for the success of IT initiatives? – The original work by Ross and Weill frames this question as “Whom do we blame if an IT initiative fails?”; however, I think that this framing immediately evokes the wrong impression. The originators really wanted to suggest that a non-IT executive should be assigned to ensuring that the business benefits of an IT initiative are realised. This implies two things. The first is that the functional executives would have been convinced that worthwhile business benefits were realizable in the first place, and the second is that there would have been acceptance that the responsibility for ensuring their realisation was best placed with the executive in charge of the particular business function, whether it be marketing, operations, finance or any other.
I have a more personal view of the accountability question versus decision rights, which is that having exercised decision rights, the executive has a right to expect that his or her subordinates will take ownership of and embrace the decisions even if they were initially not in agreement, but conversely if things go wrong, the person exercising the decision rights must stand by those same subordinates and accept the responsibility. These two traits in subordinate and superior alike need to be developed and encouraged in our public and private sectors.