Last year, when the state of California sought to remedy a massive technology headache — canceling a $95 million contract with Oracle Corp. when projected savings, bidding procedures, and even campaign contributions raised red flags — four state officials resigned and California dismantled a statewide information technology organization. Drastic as these measures may seem, California legislators are now considering a bill that would create a state board for IT oversight. If passed into law, it would bring the state into the brave new world of "IT governance."
The intent is to bring a high-level view to IT planning and spending that keeps it on track and on strategy. "There was so much IT activity in the '90s that didn't produce any value," says Jon Oltsik, founder and principal of Hype-Free Consulting, in Acton, Mass. "IT governance is a way to go back to a disciplined approach focused on process, procedure, and results."
In fact, a mini-industry has sprung up around the idea of IT governance, including the IT Governance Institute; consultancies; software start-ups offering IT-governance suites; and even rigorous specifications, including one, called COBIT (for control objectives for information and related technology), that is already in its third edition. And the consensus among all those involved is that CFOs should sign on for IT governance, whatever it might be. "The CFO must ensure the investors' satisfaction," says Vani Kola, president and CEO of Nth Orbit, a software vendor that introduced governance software in May. "That's why they should do IT governance — not just to follow the law."
It's a law, however, that's driving the IT-governance trend. Within the Sarbanes-Oxley Act of 2002, there are three sections especially relevant to IT: Section 404, which requires officers to attest to the effectiveness of internal controls for financial reporting; Section 302, which requires officers to sign statements verifying the completeness and accuracy of financial statements; and Section 409, which requires that "material financial events" be reported in real time. And it's a real challenge for CFOs "to fully comply without some really good IT governance in place," insists Paul McFeeters, CFO of governance-software vendor Kintana Inc.
A Continuous View
Of course, there's hardly a software maker today that doesn't claim to solve some aspect of Sarbanes-Oxley, so how does IT governance fit in? And how does it differ — if in fact it does — from other long-standing approaches to managing IT, such as IT oversight committees or IT project portfolio management?
It's largely a matter of purview. Oversight committees and portfolio-management methodologies tend to focus on approving and prioritizing IT projects, while governance formalizes a continuous look at strategy and execution: Should we be doing this project at all? If so, what financial returns should we expect, and in what time frame? What milestones will determine whether the project is still on track? That is, IT governance takes the highest-level view possible, which is why, in theory anyway, it may help firms understand whether they have the proper systems in place to meet regulatory requirements.
So far, IT governance is not widespread. In a survey conducted late last year, Meta Group analyst Louie Boyle found that fewer than 5 percent of large firms have implemented "integrated" IT governance, which involves what he calls a "linked cascade" of business, information, and IT policies. The future looks brighter in Boyle's eyes: he expects 40 percent of large firms to have at least started IT-governance initiatives by 2004; by 2007, according to Boyle, that figure will reach 70 percent.
A more encouraging snapshot comes from the IT Governance Institute. Using its own measures, the organization finds 35 percent of companies already operating at the highest level of governance, which it defines as the corporate board having an IT strategy committee and approval for overall IT strategy.
One IT-governance pioneer is DTE Energy Co., a Detroit-based diversified energy company. Two years ago, the company formed the IT Prioritization Steering Committee, composed of nearly all of its senior vice presidents, CFO David Meador, and CIO Lynne Ellyn. The group meets four times a year to approve and prioritize new IT projects, review on-going projects, and adjust funding levels.
Companies have long had "steering committees," of course, and DTE has not seen fit to rechristen this group of executives as a "governance" committee. Nonetheless, Ellyn says she knew the high-level view of IT strategy that governance implies was taking hold when two things occurred. First, a financial quarter passed in which no new IT projects were launched. "There were lots of projects proposed, but they all died due to a lack of a business case or a payback," she explains. Second, an orphaned project actually got funded. "I had two division VPs offer to give up part of their critical projects to fund something that was for the good of the enterprise," recounts Ellyn. "I thought that was profound."
Who's Driving This Bus?
That's the sort of big-picture view that underpins "governance," but before it can make an impact at most companies, it has obstacles to overcome. For one, skeptics wonder if IT governance isn't essentially old wine in a new bottle. "There is a sense in which governance is a trendy word for something people have always done," says Robert Austin, assistant professor of technology and operations management at Harvard Business School.

