
Creating stakeholder value in the information age

The case for good information technology governance

Johannesburg, 02 Dec 2004

Sarbanes-Oxley, risks, controls, compliance. These are some of the most common terms being used in many boardrooms these days. They join the old favourites of value and performance.

The landscape of corporate governance has changed immensely since the emergence of recent corporate failures and resulting legislation and regulations. The sheer volume of new requirements, coupled with responsibilities placed by legislation and stakeholders, is overwhelming C-level executives, board members and audit committees.

The simple message about information technology governance is that it needn't be complicated. After all, the IT department is no different than any other part of an organisation and should be governed with the same diligence and control focus that is exercised in other areas of the organisation, such as finance and human resources.

Unfortunately, many discussions about IT (and its governance) are often disjointed, laced with lingo, and muddled by unclear messages, which only serves to bewilder the very people who need to understand how to govern IT.

Many common business concepts, such as a common language, defined decision-making and accountability structures, and reporting processes, if applied to IT would assist greatly in the governance of the IT function. When asked how they do it, executives at businesses with good corporate governance have a common answer: run IT like a business and you'll be governing IT as it ought to be governed.

The results of a survey recently conducted by KPMG showed how far businesses still are from mature IT governance. Set out below is a summary of the survey, as well as our thoughts on a modern response to implementing proper IT governance.

The survey

A global KPMG IT governance survey on the adequacy and depth of implementation of formalised IT governance procedures in organisations was carried out during the first half of 2004, with 198 participants in 19 countries, including SA. The respondents included the chief executive officer, the chief operating officer, the chief information officer and similar members of organisations.

The overall conclusion from the results of the survey is that IT governance "just happens" in many organisations. The main factor that appears to contribute to the informal nature of IT governance is a general lack of understanding surrounding IT governance concepts. Contributing to this is the growing knowledge gap between board executives and the information available in the IT profession and industry. There is enormous strain on C-level executives to bridge the gap between technical issues and business issues, but this is an important requirement to ensuring that adequate IT governance structures are put in place.

The KPMG IT governance survey revealed that the majority of the respondents felt IT governance was not an integrated part of the corporate governance structures of their organisation. In fact, the majority of the organisations had some form of board representation for information technology but still indicated that there was room for improvement in their governance structures.

Many respondents indicated that although some form of IT governance was in place, it was essentially informal in nature. Additionally, this informality may be less robust than expected from regulators and the requirements of various legislation such as the Sarbanes-Oxley Act of 2002. The survey also highlighted the fact that the level and quality of IT governance in place did not vary significantly by industry and even heavily regulated industries, such as the credit and insurance industry, do not have sufficiently mature IT governance frameworks.

The survey also highlighted the fact that the majority of the organisations did not use recognised IT governance frameworks and COBIT and ITIL had fewer adopters than expected. The general sentiment among participants was that in order to achieve the implied requirements of good governance, a flexible approach in the implementation of an effective framework needed to be followed. This may be true but these best practice guidelines serve mainly as a response to management's need for control and measurability of IT. Therefore, these guidelines serve as a tool to assist organisations with conforming to a formalised IT governance structure as needed in many organisations.

Respondents also indicated that there is a general lack of sophistication in the management and governance of outsourced arrangements. The survey reinforced the fact that although outsourcing has been a significant trend in the IT industry during the past few years and one that has challenged those organisations that have embraced it, the management of outsourced arrangements was generally achieved through informal arrangements. This poses a risk to the organisation, as management may not be able to determine if they are receiving value from their service providers. Informal agreements also make it difficult to manage and measure the risks of these arrangements and could possibly lead to management losing control of the outsourced functions to the outsource provider.

The benefits

The benefits available to companies implementing formalised IT governance procedures are tangible as shown in a 2003 study carried out by Governance Metrics International. The study encompassed 1 600 companies and showed that businesses with strong IT governance policies outperformed those with weak policies in terms of shareholder return. They also appeared to be better prepared to deal with the regulatory requirements that are increasingly becoming a part of our day-to-day life in business. A success story related by Ludo Vandervelden, Vice-President of Toyota Motor Marketing Europe, indicated that IT governance enhanced their operations, provided tools for cost control, reduced adverse budget impacts and helped make all parties more accountable.

How do you achieve these benefits?

The concept

Although there is no one-size-fits-all IT governance framework, there are some key principles that need to be applied to ensure that the objectives of IT governance are met. To assist executives to understand IT governance, the diagram below sets out the context and definition of good IT governance.

Good IT governance principles can be illustrated using the above diagram which is in the form of a racing car wheel...

* Corporate governance is where the rubber meets the road so to speak. It's what drives the company. For an organisation to achieve its key business objectives through the use of information technology, IT governance should be an integral part of the fabric of the governance of an organisation.

* IT governance is not "another wheel on the car" - not a separate function in the company. IT governance is part of corporate governance, and perfectly aligned to it.

* At the hub of the wheel is the core objective of IT governance: to release value from IT.

* Like brakes on a car allow the racing car to perform at its limits without losing control, so risk management allows IT to perform at its limits without the business losing control.

* The spokes of the wheel are the key IT governance operational areas that need to be implemented effectively to ensure the objectives are met while managing risks effectively and efficiently.

The approach

A structured approach needs to be followed to implement good IT governance in an organisation. The top down approach detailed below ensures that an organisation does not just jump head first into implementing some form of framework, and considers the factors that may influence the success thereof:

* Obtain the necessary sponsorship: All members of the executive management team should "buy into" the IT governance process.

* Understand your current IT governance: The context in which a business operates, the informal IT governance structures that may already be in place, the manner in which decisions are taken and possible improvements that may enhance the current IT governance in an organisation should be considered.

* Creating a design for moving to where you want to be: Short, medium and long-term projects should be defined. Performance measurements and strategies to ensure buy-in from all levels of an organisation should be taken into account at this stage. Structured meetings that include all business units should be held and IT policies and procedures should be communicated throughout the organisation.

As part of the approach to good IT governance in an organisation, the key would be to achieve the most appropriate balance between value, risk and cost.

This balance dictates the manner in which IT is defined, measured and monitored within the organisation and executives should bear in mind that getting value from IT is not about reducing IT spend. Value could be customer satisfaction, staff morale, competitive advantages, process efficiencies, etc. The correct balance between value, risk and cost will lead to the business achieving its key objectives more effectively and efficiently.

Have you succeeded?

You know that IT governance is working in your organisation when you're able to say that:

* Your board of directors receives credible, balanced and accurate information about IT risks and performance.

* Your executive team adopts a value and risk-based view in their IT decision-making and management processes.

* Your management teams convert IT risk information into competitive value.

* Your cost structures and revenues consistently achieve their projected targets.

* Your assurance processes demonstrate that your IT risk controls consistently function as intended.

* Your audit committee are asking appropriate IT questions.

* Your market capitalisation increases because the investment market respects your good corporate governance.

Noted IT observer and author Nicholas Carr reinforces the very important point that, whether or not an organisation believes that IT adds value to the firm, IT executives need to start figuring out how to measure and demonstrate that the IT function adds value or they will see their IT budgets dwindle. The easy days of IT funding, if there was such a thing, are gone. Enterprise resource planning (ERP) systems, Y2K and e-business have impacted the credibility of IT, and it is becoming increasingly difficult to credibly justify that the next IT development will change the world.

Instead, CIOs need to consistently deliver return on investment (ROI) on IT investments so that the business will be asking for the next opportunity to save it money or improve its operation. This point was driven home recently in a BusinessWeek magazine article, which noted that spending on IT must occur along "with organisational changes to achieve real productivity gains".

In the same article, Hewlett-Packard CEO Carly Fiorina noted: "CIOs will spend money on information technology only to raise ROI."

While it is easier said than done to consistently deliver ROI on IT investments, that is the challenge that faces the person in the CIO's hot seat. And, it is the responsibility of the CEO to support his or her CIO to meet that challenge.
