IT Governance

Getting IT Right!

by

This is an article that was written for the February issue of the Queensland Business Review.  It is partly promoting an upcoming ‘Getting IT Right!’ seminar to be held at BDO Kendalls on 21 February 2007.  More information is available on the BDO website www.bdo.com.au.

Introduction

Stories of failing information technology (IT) projects, IT teams that just ‘don’t understand’, lost spreadsheets that contain critical business data, and critical applications that seem to crash for no apparent reason are all too common scenarios. Information technology promises a great deal to all businesses, but often fails to live up to expectations.

These problems cause frustration for all concerned. Unfortunately ‘getting IT right’ cannot be achieved with a simple wave of a magic wand. The current skills shortage shows no signs of abating, and it is important for a business to use its staff effectively. Good business support from information technology is one of the keys to unlocking this effectiveness. Four essential business tactics exist that can assist:

  1. Understand the business strategy
  2. Have the right people
  3. Use standard processes
  4. Use the right technology

These tactics will have a positive impact on the success of your business in the context of the support received from information technology.

Understand the business strategy

An understanding of the business strategy, and the involvement of business in IT decisions, is necessary to avoid an IT team working on the unnecessary projects.

This common problem usually stems from a lack of understanding of the goals and vision of the business when it is tempting to implement technologies that seem to be the correct decisions at the time. Sometimes these decisions are right; frequently, they are not.

A business’s main strategy can be focussed upon product innovation, customer relationships, or operating excellence. Identifying the predominant strategy removes trivial distractions for the IT team. There is little point to significant investment in a customer relationship system where the main focus of the business is upon delivering the best products at the best price. Conversely, for a business focussed upon customer relationships, the priority will be to deliver and operate a customer relationship system.

The business strategy must be clearly communicated to the IT team. A written statement of the business IT strategy is useful (vision, mission, and objectives, together with supporting initiatives and milestones. Even more useful is a cultural emphasis on the importance of the role of IT in achieving the
business vision. Such a cultural emphasis can be achieved through concrete actions (e.g. declining projects that do not support the business strategy) and regular adherence to and acknowledgement of the IT strategic plan.

Aligning information technology to the business strategy will reduce distractions that arise through not having a clear direction of the role and purpose of IT in supporting business goals.

Have the right people

A common problem facing IT teams is that the staffing ratio is all wrong. The wrong staff are doing the wrong jobs for the wrong reasons. For example, a business that employs four network administrators and only one help desk person will likely have a network that works very well at a technical level. Unfortunately, there will be many frustrated end users not receiving the desktop support they require. The result can be business chaos.

IT roles that do not directly support the business strategy should be considered for removal or outsourcing. IT teams regularly have ‘legacy’ roles from the past that are no longer needed or appropriate. A regular review of the roles in the IT area and their alignment to business strategy is a potentially valuable approach.

In addition, end users need the training and skills to use the technology that is provided. Frequently no training is received by IT teams, or end users in the software on their computers, and – especially in the case of upgrades – continue to use the software as it has always been used, without using new features. Adopting a formalised and documented approach to training can be beneficial, but even recognition of the need for training through ad hoc opportunities will bring benefits to the business.

Use standard processes

Often IT teams have only one person who can resolve a problem. Or worse, each team member will resolve the problem in their own way. When the staff member leaves, no-one else can fix the piece of equipment. The end result is chaos and delays for the valuable staff member.

If the same task must be done more than once, the potential for developing a standard process exists. No IT team should be without good help desk software, and ensuring a discipline around managing problems and documenting resolutions will pay dividends. There are free help desk management tools available (e.g. open source solutions) and new social networking tools (e.g. ‘wikis’) for documenting and storing processes and procedures that are inexpensive, simple to use, and easily maintained.

Reviewing the use of help desk management software, and writing procedures for standard tasks (starting with the most common tasks) will repay the business handsomely.

Have the right technology

Technology that is simply wrong for the task at hand, or obsolete, costs businesses a great deal. Excel spreadsheets will frequently be used for tasks that really require a database. Or many technologies will be used where a single technology product would suffice. It is crucial that the right technologies are used for the task at hand. This does not mean that the ‘latest and greatest’ gadgets and gizmos should be adopted, but for a business that is reliant upon IT, it is necessary to have all technology covered by parts replacement warranties.

Technologies that are still supported by the original developers or manufacturers are fundamental to ensuring that the IT team is effective. Limiting the number of technologies to support will also help. Approaches to ensure that the right technologies are used include a statement of the preferred technologies to be used (e.g. identifying a single preferred database technology such as Oracle compared to SQL Server), maintaining warranties on all important business technology equipment, and limiting the use of customised and in-house developed software.

Conclusion

Effective information technology requires that the IT team be provided with the skills and equipment necessary to deliver upon the business strategy. Likewise, the business needs to provide strategic direction and input into decision-making for business information technology.

There are many more tactics that can be adopted by businesses to ensure that IT can deliver upon its promises. This article has highlighted those tactics that are common to most businesses and will have the most positive results. Nevertheless, there are many other tactics that can be adopted that are unique to individual businesses, and must be considered in light of the specific circumstances of the business.

Getting Great ICT Service Delivery

by

I am prompted to write a post around ICT Service Delivery as I have a request-for-proposal from a prospective client to review their ICT Service area.  Without giving too much away, they seem to have a reasonable number of people in their IT area (about one staff member for every 20-25 PCs) which by every benchmark I’ve ever read is probably twice the normal benchmark.

And yet, the users aren’t happy.  In fact, they’re quite unhappy, it would seem – almost to the point where boiling oil, pitchforks, and tedious jokes about broken coffee-cup holders are considered necessary.

It just highlights to me, I think, that the area of ICT Service Delivery is one that businesses still haven’t got right – particularly SMEs, I think.  I consider that this is due to a distinct lack of engagement between the business and the IT service area.  It’s a governance problem – business doesn’t tell IT what it needs, and so IT guesses and fills in the blanks.  And good on IT for trying, but it doesn’t help much, even if they’re really good at guessing.  Really, the need is for the business to give direction to IT and identify what the needs are.  The current situation that all too often arises is that IT gives the correct answer to the wrong question.  One client had four network administrators and one person on the help desk.

Not surprisingly, at a technical level the network worked very well (packets were not lost, data was transported around) but users were exceptionally unhappy (no application maintenance people, apparently, results in applications that don’t get maintained).

Anyway, the answer to great ICT service delivery seems to be:

  1. Know why you are doing something
  2. Know what it is you are trying to achieve
  3. Know who is responsible for achieving which aspects of the service
  4. Be informed as to how performance is going.
  5. If you are tempted to go beyond points 1-4, have a Bex and good lie down.

This means that you have to get the planning component right (links with the business – do what is needed), and then have the best practice components together for your building and managing components of the IT function (some version of ITIL/COBIT/PRINCE2/PMBOK) and THEN focus on the ‘running’ of IT.  In my experience problems in ICT service delivery really relate back to problems in the governance of IT – but it’s usually easier and more satisfying to yell at IT than to fix the real problems of the business.

Cyberinsurance, what’s that?

by

I recently (OK, apparently nearly two months ago!) had an interview with Darren Pauli of Computerworld on Cyber-insurance – insurance against ‘cyber attack’ such as denial-of-service attacks and and data loss. The article can be found here: http://www.computerworld.com.au/index.php/id;261018472;relcomp;1. and the pdf version can be found here.

My basic thesis that I tried to communicate to Darren – although I don’t know that I was all that successful – is that your window of opportunity for evil-doers is larger because virus-writers and ‘cyber-terrorists’ become aware, these days, of a vulnerability almost as soon (if not sooner) than the software vendor themselves. They therefore have more time to write software to attack the system before it is patched. This issue is compounded by issues of patch-issuers sticking to a ‘once-a-month’ patch regime that gives a window of a month for a vulnerability before it is patched (so if you launch your attack immediately after the patch was last released, you have better opportunity for success – er, business failure).

The problem with cyber insurance I think would be that the incentives are all wrong- if I buy insurance for my data, my incentive is to be a little more lax about my data protection (I’m the only one who can really impact it and make it work), and the insurer doesn’t want to take on this risk – so therefore they want their clients to implement security standards and approaches (and audit this) so that the insurer knows that a certain minimum standard is being met.

And, that’s difficult (and expensive) to do – just ask anyone in the US about Sarbanes-Oxley compliance for their information systems.

Professor Wim Van Grembergen and IT Governance

by

The professor spoke today at the Gardens Theatre at Queensland University of Technology (great facility by the way) on the topic of IT governance. He focussed on the actual mechanisms for ensuring that IT and business are in alignment.

He focusses on structures, processes, and relational mechanisms.

He noted that relational mechanisms are often missed by consultants putting in a new IT Governance framework.

Structures and processes are fairly straightforward, but relational mechanisms are a little different. Relational mechanisms are mechanisms that ensure that the relationships that underpin the other two tools are effective. Examples include co-location of business and IT, aligned incentive programs, cross-functional business/IT training and job rotation.

The presentation was very interesting, and linked nicely to COBIT. He also noted balanced scorecard to measure corporate contribution, user orientation, operational excellence, and future orientation. A nice rule of thumb for operational measurement presented is that 33% of time should be spent on maintaining existing systems, 33% should be spent on enhancing existing systems, and 33% should be spent on building new systems.

Sherrena Buckby also presented on IT Governance. Sherrena is a PhD candidate at QUT and is writing her thesis on IT Governance. The topic of her presentation is ‘Why IT Governance is important for boards?’. Sherrena is doing significant research on IT governance on what are the tools that the board could use to cover off on iT Governance issues. Her presentaion was very interesting and holds some promise for a practical tool that may assist boards in addressing IT Governance.

A very worthwhile session today.

IT outsourcing – selecting the ‘best’ infrastructure model

by

This article was published on CEO Online a month or two ago, and I did promise I would post it here eventually.  And as I am of course absolutely certain that there is a raft of readers out there who would like to see the full article on the basis of that promise (delusionment is a wonderful thing) I am posting the article here.

In order to keep us all sane, you will need to click through to see the full article.

Read more