Filling the knowledge gap
Murray Wills, managing director, Maxsys
Murray Wills is a ‘virtual CIO’ for a range of private and public sector organisations.
“Lately I have been presenting courses around the country in conjunction with the NZ Computer Society on the topic of IT Governance and, as part of this, raising awareness of the international IT Governance Standard (Corporate Governance of Information Technology ISO/IEC 38500:2008).
That this standard exists is often a surprise to directors, CEOs and CIOs, despite the length of time it has been around.
The standard raises some challenging questions on the skills and experience of the modern board in New Zealand, and to some extent the skills and experience of CEOs and CIOs as well.
The need for some board members with IT governance skills or a trusted independent advisor to the board, is something that I believe is an inherent responsibility that is not just raised by the standard, but mandatory for good organisational governance.
Some might say with the existence of the standard, directors risk being unable to defend themselves against not having IT governance structures and processes in place if something goes wrong.
From a corporate perspective the board makeup is clear and for some government agencies it is also, where they have a governing board.
For ministries and departments though, the ‘board’ would most likely be the relevant Minister, an agency such as the State Services Commission or Department of Internal Affairs or both, and the CEO.
The standard provides a framework of principles for directors to use when they evaluate, direct and monitor the use of information technology.
You cannot assume that your CEO, or even CIO, has all of the necessary background in all of the areas addressed by the standard either. The standard also provides guidance to those advising, informing or assisting directors. CIOs and CEOs need independent advice on the standard and on what they should have in place, what they should be providing to the board, as well as what the board should be asking for.
This is a positive thing, as through this process everyone can be educated in the standard’s requirements. Start providing some of what the board should know to ask for and see what happens. Some of the things that I think need to exist in any organisation before you even start to get into the details are:
— The board and senior management buy-in,
— An IT organisational structure that supports the organisation with the CIO reporting appropriately,
— A strategic business plan and an IS strategic plan that enables it,
— The right people in the right jobs (from the CEO downwards),
— “True” engagement with the business on a day to day basis brought about by having the right people in the right jobs, company culture and relationship management,
— A prioritisation process for initiatives and business as usual, which is right sized for the organisation and involves the right people (IT and other business units),
— Business cases for initiatives. They should refer to the strategic plan and involve all interested parties (no surprises),
— The use of scalable methodologies and processes that have been shown to work for IT operations and project management (PRINCE2 and ITIL are examples),
— Service level agreements with external suppliers and potentially with internal groups. (I find this is a good way of building relationships and expectations).
Given that the standard is only 16 pages, why not purchase one for all of the members of your board? Then you should engage with them about what issues it raises for your organisation.”
Making the critical connections
Alison Holt, founder and director, Longitude 174
Alison Holt is co-chair, together with Myles Ward, group manager of IT operations and services at Inland Revenue Department, of the International Standards Organisation’s working group for IT governance framework standards. She is working on a book, tentatively titled Beyond Twilight, on introducing IT governance into the organisation. The book, she says, acknowledges some of the “stickiest” IT governance decisions are around legacy systems that appear to cost nothing to run and yet everything to replace. The title refers to one of the themes in the book — “how to deal to the difficult decisions associated with IT systems and solutions that are beyond even twilight support”.
“When we published the governance of IT standard, 38500, in June 2008, our aim was to provide guidelines for boards and their associated CXOs for directing, evaluating and monitoring ICT related activities across their organisations. Three years on — three years spent acting as a virtual CIO for two organisations, advising and sitting on boards… I am older and wiser. Well, certainly older…
The standard we produced was short and succinct — aimed for an audience with little time to spend reading international standards. I believe that the principles listed in the standard are fine, and align with accepted governance best practice. The skill for the CIO though, is not in understanding the principles, but in applying them to his/her organisation.
So here are three simple steps for connecting with your board:
Step one: Understand your board, and what they are currently working to achieve. This is easier than it sounds as the material you need is readily available for most organisations. Through reading annual reports, statements of intent, media releases etc., you should be able to answer the following questions:
— Who is on your board and your senior executive team? Out of these people, who has had hands on ICT or technology experience? These people could be your greatest allies.
— What is the current published organisation vision and mission?
— What are the five top perceived organisational risks?
— What is your organisation planning to achieve over the next six months and over the next five years?
— What are the key market differentiators of your organisation’s output/
product set?
Step two: Get your head around the six principles listed in 38500: Performance, Conformance, Strategy, Human Behaviours, Responsibility, Acquisition. Now work through the examples listed in the standard showing how they could be applied. Stabilising these six aspects of IT delivery should align directly to your day job — i.e. everything you do should fit under one of these categories.
Step three: Now comes the difficult part — making the connection. Start by creating a table linking your key activity (the one that burns the most cash or the one that burns cash the fastest) in each of the six principle areas to meeting organisational goals or addressing risks.
Use this table to guide your high level reports to the board and your fellow CXOs, and if you avoid the use of acronyms and technical specifications in your high level executive summary, all will be well. Guaranteed.”
Communicating the message
Subrato Basu, vice president Asia Pacific, The Research Board, a ‘CIO think tank’ operated by Gartner
“CIOs are ideally positioned to educate executives as several significant events (e.g., an increased regulatory environment, transparency focus, globalisation, stricter controls and the increasing accountability of corporate officers) have put the topic of governance (corporate, IT and others) in the spotlight. CIOs should create a bridge of common understanding in this area can help better integrate business and IT management, thereby gaining more business participation in demand-side governance and driving the approach and policies of supply-side governance. It can lead to clearly establishing IT governance as a component of corporate governance.
I have observed some creative measures that have worked well to obtain the involvement of the board as well as educate the importance of holistic governance to executives.
CIOs are delivering a key message to their business leaders that ‘business is getting social’ — a new business reality that cannot be overlooked due to greater voice of the business audience where people are being empowered over technology and process.
IT is securing business executive sponsorship for all projects’ end goal that initiates from initial decisions of deliverables, timelines, shifting the personnel and final authority on the disputes thereby giving business more in-depth engagement on the project that would be executed by IT. This process is ensuring that governance is outside-in. The business teams are empowered to make decisions about applications specific to their business units.
CIOs are integrating available resources (such as enterprise architecture, security and compliance, infrastructure, and operations and project management teams, corporate governance team) to craft and send coordinated messages to the board where executives understood the purpose thereby reflecting the importance of balancing internal and audience intimacy.
In conclusion, it is common to claim that ‘executives are the weakest link in the adoption of governance chain’. Therefore, a better understanding of executive behaviour with clear focus on awareness, attitude and how they influence the organisation is critical to maximising the efficiency and effectiveness of enterprise governance. Good governance relies on good communication, especially at the start.”
Getting more IT execs into the Board
Dr. Rick Boven, director, New Zealand Institute
“The first thing in getting more IT literate people on boards is, you need to think about the nature of the board. The people appointed to it come with certain qualifications — wisdom, judgement, business understanding. And within those boards, you want a mix of people who have CEO experience, broad based operating experience… You may want to bring some younger people as well. So if you want an IT literate person on the board, they need to be bringing something more than their IT skills.
The question you would ask yourself is, how many IT managers who aspire to be on the board have gone through the process of doing the Institute of Directors one-week training programme? I am not saying the training gets you the seats on the table. It is your judgment, your character, it is those things that get you those seats at the table… The guidance that I will give to an IT manager is to gain an understanding of what it is they need to know that they don’t know… The people who are on the board are really good at working out how to deal with things that they don’t do.
“In the sense it is, how do I smell the smoke if something is going wrong? How do I understand what is happening in the culture? How do I respond to this issue that is completely outside my experience? It is those kinds of talents that you probably need to nurture in order to become a fully rounded board member, not building more strengths in the thing that you are good at.”
Creating the environment to succeed
Owen McCall, director and founder, Viewfield Consulting
Owen McCall has more than 25 years of experience as management consultant and CIO, more recently at The Warehouse. He is a member of CIO New Zealand’s editorial advisory board.
“Rather than thinking about IT governance specifically, the ideal situation is the technology agenda is part of the overall business strategy and overall business governance model. And then, any investment decisions or security and risk decisions are taken in the context of that business strategy/business risk discussion. It is making sure you are seen as someone who can contribute to business strategy, making sure whatever IT investment decision that needs to be made gets understood by your peers.
At the Warehouse, we set up departmental-based steering committees and we ran most of our governance processes through those committees. We found departmental ones worked for us than whole of organisation ones. You have got a better level of engagement because the issues that you are dealing with are specific business issues. Every six months, we would go back and review the investment agenda as an overall executive team.
My concept is as a senior leader in an organisation, which is what a CIO is or should be, you are not paid directly to produce results. That is why you have a team. What you are paid to do is create an environment in which the team can be successful. And generally you can do that by talking to people, interacting with people. It is very hard to lead without interacting with people. That is easy to say, though, not so easy to do.
Some of these meetings are one-on-ones, some are workshops, some are steering committees, some are corridor conversations. From a governance perspective, what you get is clarity of an agenda. The main types of meetings I would attend obviously are executive meetings as part of the executive team, IS leadership team meetings, meetings with direct reports, departmental steering committee meetings and informal get-togethers with other executives as well on an as need/ad hoc basis.
The other meetings that took quite a lot of my time is being out in the business — in the stores doing the store processes so I understand how they work; and talking with the store managers and the team on the floor and understanding how the technology does and doesn’t support them.
I think the more IT literate people you have on the board, the better off you will be, absolutely. If people want to head in that direction, that is something that should be encouraged and they talk to the Institute of Directors and do their courses. [But] I see that as a personal choice.”