by Harvey Okin

Houston, We Have an IT Governance Problem

Opinion
Apr 16, 2012 | 6 min read

Tags: CIO, IT Governance, IT Leadership

Anticipating potential pitfalls, detecting warning signs and acting at the first signs of trouble are the keys to a well-functioning governance framework. KPMG's Harvey Okin offers advice on how to identify governance issues before they become real problems.

“Houston, we’ve had a problem.” With these understated words, Apollo 13 astronaut Jack Swigert announced a crisis whose resolution would become a signature example of how to manage on the fly. But it also demonstrated how better advance planning and coordination between NASA and the space program’s contractors could have averted many of the difficulties the crew subsequently faced.

As with space flight, so it is with IT governance. Planning ahead, and driving adequate collaboration, understanding and alignment between business needs and technology investment, can mean the difference between the success and failure of mission-critical technology. Simply put, organizations can ill afford to get it wrong.

Yup, There’s a Problem Alright

At one major financial institution, end-users were frustrated with their central IT organization’s inability to respond to business needs and repeatedly took matters into their own hands. Using tools such as spreadsheets and end-user databases, they cobbled together critical systems literally “on the side of their desks.” Without management approval, the employees created a “shadow IT” organization operating more than 800 individual spreadsheets (and other one-off databases) performing vital business functions with no controls—or even a master list of what workarounds the employees built.

In cases like these, often only one employee knows how to use the ad hoc solution, and if that employee leaves, the organization is left with a knowledge gap. Such rogue “solutions” create a high level of duplication and manual data reconciliation, which repeatedly results in operational failures, regulatory citations, and unknown and undesired risks. In basic terms, tools developed in the shadows lack robustness, operational stability, support, the access controls and audit trails that managed systems carry, and the capacity to recover in the event of a disaster.

Anticipating potential pitfalls and detecting the warning signs of trouble are the keys to a robust and well-functioning governance framework. Successful IT organizations rise above the technology turmoil by acting at the first signs of trouble. There are several tell-tale signs of looming problems. Sometimes, the indicators can be quite clear—if you know to look for the following:

  • Lack of Metrics
  • Senior Business Leaders Dissatisfied
  • IT Misses Delivery Expectations
  • Employees Avoid Central IT
  • Duplication Between Central IT and Business Unit IT
  • Rising IT Cost Without Commensurate Return
  • Excessive Duplication and Complexity
  • Poor Vendor Performance

Key Components of Robust IT Governance and Control

To avoid these pitfalls, organizations should put in place and sustain a practical governance framework focused on fostering a partnership with the business, maintaining control, prioritizing, and making decisions. Although compelling in theory, this framework can be difficult to implement in practice. Inertia, existing power structures, an entrenched bureaucratic culture, or just plain overwork can get in the way of implementing robust IT governance and control.

While employees must be held accountable, they first must clearly understand what is expected of them and where to go for help. Management can set the right tone by establishing comprehensive governance expectations under a single coherent framework, but buy-in is vital at all levels of the IT hierarchy.

Here are some strategies that can help you make the changes your business needs to survive and thrive:

Executive Engagement: The tone is set at the top, with senior business and IT executives visibly and actively committed to mandating and enforcing policies, leading by example, keeping staff informed, and taking appropriate and timely action. This will show employees that implementing the framework is not “extracurricular work.”

Policies as Strategic Tools: Formally adopting strong IT-related policies produces an optimal balance of clear guidance and direction along with some necessary flexibility to address practical day-to-day needs.

Defined Hierarchy of Governing Bodies: Although the tone and direction will be set at the top, the lead decision-maker must delegate implementation responsibility to the managers and technical experts best equipped to handle normal operations. Leadership should create formal governing bodies, each with its own charter and scope of authority, to provide the necessary structure to make these decisions in a clear, transparent, and predictable manner. Committees such as the IT Executive Steering Committee, IT Risk Management Committee, and Architecture and Technology Selection Committee have the requisite expertise, participation, consistency and authority to respond accurately and promptly to changes in marketplace conditions.

Delegation of Authority and Precedent: Delegate decisions to individuals uniquely equipped to make them based on their position, experience and skills. Clearly document the scope of authority, guidance and considerations for all common decisions.

Business Alignment: IT project prioritization and budget development decisions should always support business strategy and priorities.

Proactive Liaison and Communications: IT should establish a liaison program so that each business unit has at least one senior IT executive to advocate for it. The most senior of the business liaisons should sit on the IT Executive Steering Committee.

Metrics and Reporting: The “holy grail” of effective management is the ability to passively gather and objectively report balanced metrics capturing the key aspects of IT performance and delivery, such as revenue and operating costs, reliability, customer satisfaction, project delivery, spending, risk and security, quality, and compliance. The highest-level summaries should be presented regularly to the IT Executive Steering Committee, with more detailed drill-downs reported more frequently to the appropriate line managers.

Appropriate-Weight Procedures, Standards and Controls: Document clear and practical procedures, standards and controls (especially passive, preventive ones) that can be readily implemented and objectively observed. Resist the tendency to design in the highest degree of control at every point along the process flow. Instead, evaluate each potential control to determine whether it provides sufficient marginal benefit to justify its additional cost.

Independent Scrutiny: Self-reported information gives less visibility into potential problems than independently obtained data. Management should establish policy monitors who review day-to-day activities for compliance.

Training and Awareness Program: Through computer-based training, regular reminders and management discussion forums, employees must be instructed on their specific roles and responsibilities in the governance and control framework. Training should leave employees knowing exactly what they need to do and why, and where to go for help.

Easy-to-Use Tools: Create a “light touch” tool set that captures only the must-have information needed to promote proper governance. When possible, data should be captured automatically from pre-existing sources, keystrokes minimized and response times accelerated.

Mission Accomplished, For Now

Getting IT governance and control right is essential for CEOs, CFOs and CIOs looking to establish predictable IT performance that delivers cost-effective value to the business. The core message is to establish effective decision-making and enforcement in order to optimize business impact, manage cost and reduce unacceptable risk. Successful governance and control frameworks can take many forms, but the consistent factor among them is the ability first to assess where your IT organization is today, and then to provide a practical blueprint for building and sustaining long-term improvement.

Harvey Okin is director, IT Strategy & Performance at KPMG LLP Advisory. The views and opinions are those of the author and do not necessarily represent the views and opinions of KPMG LLP.