Last year, when the state of California sought to remedy a massive technology headache — canceling a $95 million contract with Oracle Corp. when projected savings, bidding procedures, and even campaign contributions raised red flags — four state officials resigned and California dismantled a statewide information technology organization. Drastic as these measures may seem, California legislators are now considering a bill that would create a state board for IT oversight. If passed into law, it would bring the state into the brave new world of "IT governance."
The intent is to bring a high-level view to IT planning and spending that keeps it on track and on strategy. "There was so much IT activity in the '90s that didn't produce any value," says Jon Oltsik, founder and principal of Hype-Free Consulting, in Acton, Mass. "IT governance is a way to go back to a disciplined approach focused on process, procedure, and results."
In fact, a mini-industry has sprung up around the idea of IT governance, including the IT Governance Institute; consultancies; software start-ups offering IT-governance suites; and even rigorous specifications, including one, called COBIT (for control objectives for information and related technology), that is already in its third edition. And the consensus among all those involved is that CFOs should sign on for IT governance, whatever it might be. "The CFO must ensure the investors' satisfaction," says Vani Kola, president and CEO of Nth Orbit, a software vendor that introduced governance software in May. "That's why they should do IT governance — not just to follow the law."
It's a law, however, that's driving the IT-governance trend. Within the Sarbanes-Oxley Act of 2002, there are three sections especially relevant to IT: Section 404, which requires officers to attest to the effectiveness of internal controls for financial reporting; Section 302, which requires officers to sign statements verifying the completeness and accuracy of financial statements; and Section 409, which requires that "material financial events" be reported in real time. And it's a real challenge for CFOs "to fully comply without some really good IT governance in place," insists Paul McFeeters, CFO of governance-software vendor Kintana Inc.
A Continuous View
Of course, there's hardly a software maker today that doesn't claim to solve some aspect of Sarbanes-Oxley, so how does IT governance fit in? And how does it differ — if in fact it does — from other long-standing approaches to managing IT, such as IT oversight committees or IT project portfolio management?
It's largely a matter of purview. Oversight committees and portfolio-management methodologies tend to focus on approving and prioritizing IT projects, while governance formalizes a continuous look at strategy and execution: Should we be doing this project at all? If so, what financial returns should we expect, and in what time frame? What milestones will determine whether the project is still on track? That is, IT governance takes the highest-level view possible, which is why, in theory anyway, it may help firms understand whether they have the proper systems in place to meet regulatory requirements.
So far, IT governance is not widespread. In a survey conducted late last year, Meta Group analyst Louie Boyle found that fewer than 5 percent of large firms have implemented "integrated" IT governance, which involves what he calls a "linked cascade" of business, information, and IT policies. The future looks brighter in Boyle's eyes: he expects 40 percent of large firms to have at least started IT-governance initiatives by 2004; by 2007, according to Boyle, that figure will reach 70 percent.
A more encouraging snapshot comes from the IT Governance Institute. Using its own measures, the organization finds 35 percent of companies already operating at the highest level of governance, which it defines as the corporate board having an IT strategy committee and approval for overall IT strategy.
One IT-governance pioneer is DTE Energy Co., a Detroit-based diversified energy company. Two years ago, the company formed the IT Prioritization Steering Committee, composed of nearly all of its senior vice presidents, CFO David Meador, and CIO Lynne Ellyn. The group meets four times a year to approve and prioritize new IT projects, review on-going projects, and adjust funding levels.
Companies have long had "steering committees," of course, and DTE has not seen fit to rechristen this group of executives as a "governance" committee. Nonetheless, Ellyn says she knew the high-level view of IT strategy that governance implies was taking hold when two things occurred. First, a financial quarter passed in which no new IT projects were launched. "There were lots of projects proposed, but they all died due to a lack of a business case or a payback," she explains. Second, an orphaned project actually got funded. "I had two division VPs offer to give up part of their critical projects to fund something that was for the good of the enterprise," recounts Ellyn. "I thought that was profound."
Who's Driving This Bus?
That's the sort of big-picture view that underpins "governance," but before it can make an impact at most companies, it has obstacles to overcome. For one, skeptics wonder if IT governance isn't essentially old wine in a new bottle. "There is a sense in which governance is a trendy word for something people have always done," says Robert Austin, assistant professor of technology and operations management at Harvard Business School.
While Austin says that governance amounts to competent people making competent decisions, other factors also enter in. "A lot depends on the relationship between the CFO and the CIO, which often isn't what you'd call optimal," says Barbara Gomolski, a research director at Gartner. Adds Joshua Pickus, CEO of enterprise portfolio management software vendor Niku Corp.: "If I'm a CFO, then by definition I'm interested in cost control, and IT is going to hit me in the face because of the magnitude of the spend."
One way out, advises Gomolski, is to make sure that whatever form your company's IT-governance initiative takes, business units are included. As a CIO, she says she wouldn't want finance alone driving the IT portfolio. "All three entities — the CIO, the CFO, and the business units — need to be represented."
|Governance Grows Up|
Companies reporting various maturity levels of IT governance.*
|Level||Description||% of cos. reporting|
|5||Board has IT strategy committee and approves IT strategy||35|
|4||Board has IT strategy committee or approves IT strategy||28|
|3||Board is regularly informed on IT projects||23|
|2||Board occasionally asks questions about IT projects||10|
|1||Board does not address IT||3|
|*Total does not equal 100%, due to rounding.|
Source: IT Governance Institute Survey of 205 senior officers worldwide
Fighting Fire with Fire
While it may sound like faulty logic, a growing number of software vendors say that one approach to IT governance is to buy more IT — namely, software designed to facilitate governance efforts. And they, along with their customers and market analysts, say the products work — if you're willing to do more than simply plug them in.
Kintana Inc. (newly acquired by Mercury Interactive Corp.) sells a suite of governance products for between $100,000 and $3 million, with an average implementation costing about $300,000. The software works in part by providing a variety of "IT dashboards" that allow different people to monitor IT projects. These views can be customized depending on job function, and the alerts — for example, timing or budget — can be adjusted to reflect what's most meaningful to the user.
Mike Carlson, director of business transformation and policy at Minneapolis-based Xcel Energy, says his company installed the software in the hope that "business-value assumptions [from IT projects] will [automatically] tie into the CFO's financial forecasts, enabling him to validate investment returns while also creating accountability back to the groups that built those assumptions."
Niku Corp. has sold governance software to some 180 companies, including Barclays Bank, Royal Caribbean Cruises, and Warner Bros. Prices vary depending on configuration, but a 100-user license starts at $90,000. "We're trying to provide one integrated system that will give the CIO — and, by extension, the CFO — insight and visibility into what's going on in IT," says CEO Joshua Pickus. "Where is this money being spent? Who's working on it? Where are various projects in their life cycle? And do these projects even matter anymore?"
But before you plunge in, remember that "the software can't succeed in and of itself," says Barbara Gomolski, a research director at Gartner. "These tools transform the way work gets done, so they work [only] if people are willing to invest the time in making the cultural and process changes to support them."