With technology and business change accelerating, CIOs must work with C-suite counterparts to update IT governance policies and practices for the digital age.

EmblemHealth has spent the past several years modernizing its technology, moving off legacy systems and onto commercial platforms to drive the digital transformation that will keep the organization competitive. It’s a common narrative these days. But EmblemHealth is going one step farther by transforming its IT governance policies and procedures so they’re updated to reflect the new realities of today, says CIO Tom MacMillan.

EmblemHealth’s IT governance now involves both an investment committee and a steering committee, with the former determining what gets funded and the latter overseeing execution and progress. And the committees meet more often than in the past, with the investment committee generally meeting quarterly, the steering committee monthly. IT governance also includes more input from executives throughout the organization so they can help steer what IT is doing to better meet their needs and market changes.

While still a work in progress, MacMillan says this more modern governance model helps IT focus on adding strategic value for the New York City-based nonprofit health insurance and wellness organization. “It’s about both business and IT being able to bring an informed point of view about what we’re trying to accomplish so we can govern that to an outcome. In a digital age, you need that ongoing input to drive good outcomes,” he says.

For the past few decades, enterprise executives and leadership advisors championed robust corporate governance as a way to guarantee that best practices were followed throughout the organization. In a similar vein, they promoted IT governance as a way to guarantee that IT strategy aligns and supports the organization’s overall vision.
However, the digital era is testing the ability of traditional IT governance to deliver on that objective as the speed of both technology and business accelerates exponentially, experts say. As a result, IT governance needs a refresh.

CIOs need to work with their C-suite counterparts and board directors to bring governance practices into the digital age. They need to account for the fast-paced, cloud-based environment in which IT now works and incorporate the emerging requirements that go along with that environment into new governance policies, so that IT is able to work fast, stay secure and keep aligned with enterprise goals — even as elements in all three of those objectives rapidly change.

“To fulfill the digital ambitions of the board, executives, customers and stakeholders in the digital age, CIOs must create a new paradigm for IT governance. A traditional one-size-fits-all, command-and-control-based IT governance capability has neither the scope nor the agility to meet the needs of digital business,” says Remi Gulzar, research director and agenda manager with the Office of the CIO research team at Gartner.

Failure to keep pace

The digital era is now firmly in place, yet enterprise leaders still struggle with implementing governance to get the best value out of IT. ISACA, a global association for information and technology audit, risk, governance and security professionals, in 2017 surveyed more than 732 organizational leaders from around the world and found that the governance of technology is now a board-level priority. And nearly all survey respondents agreed that strong IT governance is essential to strong business performance.

More specifically, ISACA’s research report, “Better Tech Governance Is Better for Business,” found that 92 percent of respondents believe that better IT governance results in better economic outcomes while 89 percent believe it leads to more business agility.
Respondents also said they believe strong IT governance can lead to more efficient and leaner operations; increased responsiveness to customers and partners; more demonstrable returns on investments; and better project prioritization.

That high level of enthusiasm for good governance doesn’t mean IT governance is well practiced, however. The same report found that 20 percent of respondents don’t use a governance framework and 69 percent said they still need to establish clearer connections between business objectives and IT goals.

Meanwhile, an IDG survey commissioned by technology solutions company Insight found that governance-related issues may play a role in stalled transformation. The survey, “The Challenge of Change: IT in Transition,” conducted in September 2018, showed that 62 percent of the 200 responding IT leaders “have failed to lay a strong foundation for IT transformation by both documenting and communicating their plans.” Another 44 percent haven’t yet taken action to support IT transformation, while 51 percent say challenges have stalled or stopped some IT transformation initiatives.

Similarly, Gartner, a technology research and advisory firm, found traditional IT governance problematic in the digital era, noting in its 2017 “Establishing Governance Fundamentals for the Digital Era” report that just as the evolution of technology is driving business model transformation, it must also drive changes in IT governance.

“Governance in its essence describes ‘who decides, and by which process.’ As simple as this may sound, designing and operating governance has been a challenge for a large number of enterprises since its inception,” Gulzar says.

He continues: “The purpose of governance is to empower leadership to drive coherent and transparent decision-making in order to achieve business outcomes, execute strategy, prioritize investments, value orientation, balance resourcing and determining risk appetite.
Leading public and private organizations that master governance as a strategic capability achieve sustainable growth and performance.”

The Gartner report added: “Traditional IT governance development processes do not provide sufficient guidance for creating a scalable and adaptable governance capability.”

Updates for the new era

The role of IT governance — that is, to align IT to overall enterprise strategy while establishing parameters that address risk and compliance requirements — hasn’t really changed, but experts say its value within any given organization has.

“Governance is more important than ever in today’s digitalized environment; informed decision-making is essential because of the growing dependency on IT. It’s always been important, but now it’s more prominent because the risks are greater,” says Mark Thomas, president of Escoute Consulting, which focuses on advising organizations on IT governance.

In order for governance to be up to the challenges of today, experts recommend a number of updates.

1. IT governance ownership must shift from CIOs to the broader organizational leadership

“Governance is an enterprise capability and as such must be defined and championed by the senior leadership in the enterprise. Its ownership lies with the board of directors and executive team,” Gulzar says. “The role of the CIO is to advise or validate on the design of IT governance; they are a critical stakeholder on how governance operates across the enterprise.”

Thomas agrees, explaining that it’s up to the board to determine the guardrails around issues such as risk tolerance, security and compliance and determine the objectives that everyone needs to work together to reach.

2. Enterprise leaders must update their views on governance

Rather than seeing governance as a set of restrictions, Gulzar says leaders need to understand that good governance is actually a digital enabler. Others agree.
Thomas, for example, says executives (including CIOs) may mistakenly think that governance slows IT innovation and implementation, but in reality good governance promotes agility and speed by establishing decision-making authority at the right levels of the IT organization.

“In the past we had to wait for weeks for an advisory board to make approvals, but governance can delegate responsibilities to a party or individual who has the technical capability and the understanding to make a decision, so the decisions are made at the right level with the right competence [when needed],” he says.

The IT governance model at EmblemHealth works in that fashion, MacMillan says. The investment committee, co-chaired by MacMillan and several other executives, makes macro-level decisions but empowers managers farther down the chain to make micro decisions — a strategy that supports the agile development process that EmblemHealth and others have adopted to keep pace with business these days.

3. Governance should be focused on outcomes, not fixed processes

“As digital business, ecosystems and platforms gain increased momentum, they create decision-making requirements that can no longer be met by traditional governance practices. Traditional control-based IT governance cannot scale to meet the needs of fast-paced digital business,” Gulzar explains. “Leading digital enterprises exhibit an IT governance capability that is focused on outcomes that need to be achieved with the fluidity to change as frequently as necessary to take into account situational awareness (for example, of the competition, strategy, and so on).”

Take EmblemHealth. It devised a governance framework oriented to ensuring that IT work meets changing market demands, makes the organization a digital leader and drives top-line growth, MacMillan explains.

4. Automation can help promote adherence to governance

IT should leverage the same technologies that are automating business workflows and apply them to IT processes such as provisioning, incident management and problem management to enforce consistency and support the speed required to keep pace with business today, says Steve Zipperman, vice president of consulting services at Insight. He adds: “That process layer has to be re-engineered for the digital age.”

5. Governance must be tailored to current, unique needs

Multiple governance frameworks exist, with many being updated to address enterprise needs in light of digital transformation. ISACA, for example, this fall refreshed its COBIT framework, which was first launched in 1996.

But Thomas says organizational leaders often think that frameworks should provide answers to all their challenges when in fact that’s not their role. “They’re really more of a blueprint for organizations to create a framework for themselves,” he says.

EmblemHealth took this view. Instead of taking an established framework, it built its governance policies around the unique needs it had as it emerged from a multiyear investment in transformation technology implementation, MacMillan explains.

6. Governance must be adjusted more frequently than in the past

Experts say there’s no formula for when to refresh a governance program; rather it should happen whenever organizational principles change or evolve.

That’s happening at EmblemHealth right now. MacMillan says as the organization continues to mature in its digitalization, he and his executive colleagues continue to refine the governance model. “We introduced so much technology, or are in the process of doing that, that we’re still figuring out what exactly we need to govern,” he says.

CIOs and their C-suite counterparts need to recognize that such ongoing work is a new normal for IT governance.
As Gulzar notes: “Doing business at the speed of digital requires organizations to continuously assess if their decision-making capabilities support their digital ambition.”