by Jeanne Ross and Peter Weill

Recipe for Good Governance

Jun 15, 200411 mins
IT Governance

Companies with better than average IT governance earn at least a 20 percent higher return on assets than organizations with weaker governance. Why is this?

Just as corporate governance is critical for ensuring that key decisions are consistent with corporate vision, values and strategy, IT governance is critical for ensuring that IT-related decisions match companywide objectives. Simply put, good IT governance makes companies more successful by establishing coordinated mechanisms that link objectives to measurable goals.

So what constitutes good governance? We’ve been studying that question for the past three years, with more than 250 organizations in 23 countries. But before we share our findings, let’s define what we mean by IT governance: It is the decision rights and accountability framework for encouraging desirable behavior in the use of IT. Companies make five types of IT decisions:

1. IT principles decisions dictating the role of IT in the enterprise

2. IT architecture decisions on technical choices and directions

3. IT infrastructure decisions on the delivery of shared IT services

4. Business application requirements decisions for each project

5. IT investment and prioritization decisions

The Elements of Governance

Companies design governance mechanisms to make and then implement each of these decisions. There are many types of governance mechanisms and techniques. For clarity, we group them into three categories based on what they accomplish—mechanisms that facilitate decision making, processes that ensure alignment between technology and business goals, and methods for communicating governance principles and decisions. “Effective IT Governance Mechanisms” lists common IT governance mechanisms in these three categories used by the majority of the 256 chief information officers we surveyed. The numbers associated with each mechanism represent the CIOs’ rating of that mechanism’s effectiveness in ensuring good governance. Judging by these effectiveness ratings, you can determine (on average) the likely success of each mechanism.

But we must note that any of these techniques can contribute to effective governance if they are implemented well. Those with relatively low effectiveness scores were generally rated that way because CIOs found them harder to implement. For example, tracking the business value of IT is tougher than tracking IT project resources. But we have found that tracking the business value of IT can generate significant benefits. It just takes practice; early efforts are often frustrating. Likewise, architecture committees can be difficult to implement well. These committees often have responsibility for limiting developers’ choices and can easily become mired in insignificant battles that create bottlenecks in technology implementations. However, companies that persevere with architecture committees often find their efforts can improve cost, reliability and time-to-market.

Strength in Numbers

Individual governance mechanisms, no matter how well they are implemented, cannot alone promise effective IT governance. Top performing companies rely on a set of governance techniques that are simple, reinforcing, coherent and explainable, and that engage key decision-makers.

UPS, for example, has designed a coherent set of governance mechanisms. The company relies on its IT steering committee, a team of three senior executives (including the CIO), to establish IT principles, such as UPS’s commitment to standardization and scalability in any system that touches its 60,000 drivers. This principle ensures reliability, cost-effectiveness, consistent customer service and easy access for customers to their package data. An IT governance committee—a small team of IT executives headed by the CIO—follows the mandates of the IT steering committee in making key architecture decisions. But the IT governance committee represents only one step in the debates around technology standards. The top IT architect—a CIO report and a member of the governance committee—heads a standards committee of key technologists who determine when a standard has become obsolete or cannot meet the requirements of a specific application. This committee handles most of the daily negotiations around standards, but it escalates decisions up to the IT governance committee when members believe a standards decision has implications beyond the application in question. Similarly, in cases where the IT governance committee believes a standards decision will have long-term strategic implications for the enterprise, the CIO can escalate the decision to the IT steering committee. The objective is to gain the benefits of standardization without stifling business opportunities.

Road Map to Good Governance

From our research with top performing organizations such as UPS, we’ve gleaned the following principles of effective design and implementation of IT:

Limit the number of decision-making structures. Although all organizations want IT decisions to represent the interests of their varied stakeholders, the best companies assign clear responsibilities for each type of IT decision to individuals who can accept accountability for the outcomes of those decisions.

State Street has vested IT decision-making responsibilities with a small number of executives. The key decision-making body for IT principles and for investment and prioritization decisions is the IT executive committee (ITEC). Comprising the COO, the CAO, the CIO and senior executives from State Street’s various business units, ITEC clarifies IT objectives, establishes the annual enterprisewide IT budget, and negotiates the approved list of projects and IT infrastructure initiatives. ITEC relies on the IT leadership group, which consists of senior business unit and corporate IT managers, to convert its principles and investment decisions into infrastructure services. The IT leadership group is also responsible for architecture decisions.

While State Street limits high-level IT decisions to a small group of accountable executives, the company uses alignment processes and communication approaches (such as those listed in “Effective IT Governance Mechanisms”) to engage people up and down the ranks of the organization. State Street uses service-level agreements, chargeback, project-resource and business-value tracking, an enterprisewide budget process, and senior management announcements to clarify desirable behavior and individual responsibility for IT management and use.

Create overlapping responsibilities for IT decisions. The five types of IT decisions listed at the beginning of this column are interrelated, so while responsibility for making these different decisions might be distributed across the enterprise, companies need to ensure cross-coordination. Top performers in our study often rely on overlapping membership in their decision-making bodies. At Campbell Soup, the CIO sits on the executive committee that sets the company’s strategic direction. She also heads an IT leadership team responsible for IT principles that establishes mandates for Campbell’s IT architecture and infrastructure. In turn, Campbell’s architecture review board is headed by a member of this IT leadership team. The architecture review board works with the company’s project management office, as well as program review and compliance teams, to ensure projects conform to architectural standards and meet business objectives. These overlapping memberships coordinate decisions throughout the enterprise so that the strategic objectives filter down to decisions made on individual projects.

Involve senior management in major IT decisions. Senior management establishes strategic direction, and thus defines desirable behavior for the management and use of IT. Top management involvement is such an old chestnut that we often forget how important it is. If senior management is not involved in IT decision making, the organization is likely to experience a disconnect between business objectives and IT capabilities. In our study, top governance performers had more direct involvement by senior managers other than the CIO. The more involvement, the better the governance performance. “The Decision-Makers” (this page) lists managers in approximate order of their impact on governance when they join the CIO in decision making. The numbers represent the relative degrees of impact for each executive compared to the CIO, who we assigned a baseline value of 1.0. Thus, engaging the CEO in IT governance has more than twice the impact as the CIO acting alone.

The Decision-Makers

When they participate with the CIO in IT governance, other CXOs exert varying degrees of impact on IT decision making. The CEO is the real heavyweight, with more than twice the impact compared to the CIO alone.

Chief Executive Officer 2.1
Chief Operating Officer 1.7
Business Unit Leader 1.6
Business Unit Chief Information Officer 1.3
Chief Financial Officer 1.2
Corporate Chief Information Officer 1.0

The United Nations Children’s Fund provides evidence of the importance of senior management involvement. For many years, IT at Unicef supported administrative tasks at headquarters but was very limited and locally managed in the field offices where the needs of children were directly addressed. Unicef operates in remote and sometimes dangerous locations including sites affected by armed conflict, natural disasters and other tragedies. In the mid-1990s senior management recognized that the lack of IT in field offices was handcuffing operations. Led by CIO Andre Spatz, Unicef equipped remote locations with online access to critical data involving important tradeoffs among features like cost, reliability, speed and accessibility.

The CIO worked with the other C-level managers to take ongoing governance responsibility for principles, architecture, infrastructure and investment decisions. For example, an important mechanism involving the CXO team was a global IT portfolio management process to coordinate and align IT investments with Unicef objectives. Through the leadership of these CXOs, IT has fundamentally transformed the way Unicef operates and has improved global knowledge, information flow, transparency and communication. Field offices can serve their constituents based on transaction-level and value-added information they could not access only a few years ago.

Design exception processes into governance processes. Technology, data and business process standards can help enterprises reduce IT and business process costs, increase systems reliability and enhance security. But allowing for exceptions to technology and business process standards is just as important as establishing and enforcing standards. Governance exception processes give individuals an audience when they feel that standards are limiting business success. More important, by revealing when standards are inappropriate or out of date, exceptions create learning opportunities. In our study, organizations with effective governance had fewer renegade exceptions, but more exceptions approved through a formal exception process.

Companies have different needs for exceptions. MeadWestvaco, a global paper manufacturer, allows few exceptions to technology standards because it is pursuing a strategy of operational excellence. Operating at low cost means adopting and complying with standards. Accordingly, the CIO handles exception requests. UPS, in contrast, expects to innovate through IT. UPS’s layered exception process, described earlier, helps the business recognize opportunities for new technologies.

Change governance only when desirable behaviors change. The process of changing governance, communicating the changes and then institutionalizing the new approach is lengthy. Governance takes six months or longer to implement, according to our study. Top performers changed their governance on average less than once a year, and their intent was to do so even less frequently. Poorer performing organizations changed their governance method as much as three times a year. Because organizations need time to learn new governance mechanisms, changes should be rare. Once a company has designed a coherent set of mechanisms, governance can remain intact until a change in strategic direction redefines desirable behaviors.

For example, when J.P. Morgan Chase decided to seek synergies across its business units, management instituted governance structures to encourage the use of standardized technologies. With those mechanisms in place, the enterprise may occasionally tweak membership in decision-making structures, or enhance alignment processes or communication approaches. However, the basic set of governance mechanisms should be long-lasting.

Provide transparency and education. The most important predictor of top governance performance in our study was the percentage of managers in leadership positions who could accurately describe their enterprise’s IT governance. The higher the percentage of managers who could describe governance, the higher the governance performance. When more managers can accurately describe governance, it is more likely to be part of the enterprise’s management culture, and thus more likely to be followed—or better still, challenged and improved. Without an awareness of IT governance, there is no chance that it will be followed. Nearly half of all of the managers in the top 50 percent of governance performers could accurately describe their IT governance, while fewer than 30 percent of the managers could do so in the poorer performers. Proactively designing governance and then educating everyone in the enterprise as to how governance decisions are made reduces the mystery of IT and enables managers throughout the organization to accept responsibility for its effective use as a strategic asset.

While some companies fritter away their IT investments on tactical improvements, others target IT dollars on fulfilling strategic objectives. Not surprising, companies that use IT strategically demonstrate stronger financial performance. But strategic use of IT is possible only when companies design and communicate IT decision-making parameters and mechanisms. At the bare minimum, IT governance frees up the scarcest resource-management attention for the decisions that matter most.