VideoThese days, many CIOs in Asia are in a frenzy over America's Sarbanes-Oxley Act, or Sarbox. Not Daniel Lai, chief information officer of Hong Kong subway operator MTRC. In mid-2000, he and his team started developing an enterprise-wide IT governance system that aimed to document, monitor, and control all IT processes that deliver and sustain sources of business value—which means practically everything at IT-enabled MTRC. So when KPMG started its audit work in August, including the examination for the first time of internal-control systems under Sarbox, the IT department had everything in hand. "All the documentation and controls already exist," says Lai.
If only others in Asia are as well-armed. According to the non-profit IT Governance Institute, only 17% of the world's companies have implemented an IT governance solution, with another 19% in the process of putting such a framework in place. The findings are contained in the IT Governance Global Status Report 2006, the result of a survey of 695 CEOs and CIOs, of whom 38% are in the Asia Pacific. A whopping 36% of respondents are not considering instituting IT governance at all. Observes the report: "Implementing IT governance is not as easy as organizations might have thought."
Maybe so, but companies may not have much choice going forward. Across Asia, legislation similar to Sarbanes-Oxley is wending its way through parliaments and congresses, with places like Australia, Korea, and India already requiring Sarbox-like regulations. In Japan, the Financial Instruments and Exchange Law passed in June this year requires companies to evaluate and certify internal controls by 2009 as part of the law's "J-Sox" provisions. This means that the IT systems used to generate, amend, store, and transport data must be governed by controls that help assure external auditors the financial statements are accurate and reliable—and ensure that CEOs and CFOs who sign off on the numbers stay out of jail.
Beyond compliance, an even more powerful tide is the growing alignment of IT with the business, what the Economist Intelligence Unit (EIU) in a recent report calls the "expansion of IT's mission from cost cutting to revenue generation." In a survey of 288 executives from 58 countries, the EIU found that 83% of CEOs and board members polled believe that IT's predominant strategic role in three years will be to enable revenue growth, rather than to drive cost efficiency as is the case today. With its focus not only on controls but also on transparency and return on investment, IT governance can play a key role in accomplishing this far-reaching mission.
Expectations Gap
Here's the rub. While expectations about the role of IT in growing the business and governance are expanding dramatically, CIOs are cautious about how quickly they can rise to the challenge. The EIU detects an expectations gap between the executive suite and the IT troops, particularly in the Asia Pacific. While both C-level executives and IT managers in North America agree that IT's primary role in the next three years will be revenue generation rather than cost reduction, IT specialists in Asia still see their contribution as chiefly enhancing operational savings. The EIU measures the gap between the two sides in Asia at 23 percentage points, compared with 13 points in Europe and just three in North America.
The cautiousness may spring from IT's recognition of the realities on the ground. IT governance cannot be implemented overnight, warns MTRC's Lai, who spent more than a year adapting various international standards such as ISO 9001:2000, SEI CMM Level 2, and modified system development life cycle and project management methodologies. Solutions must be tailor-made for the MTRC, which is something of a hybrid enterprise. A public utility majority-owned and regulated by the government, it also answers to private-sector investors, having listed in Hong Kong in 2000, and to holders of debt notes it floated in the US (which is why MTRC must comply with Sarbox).
For all its seeming finished state, IT governance at MTRC is still evolving. While guidelines, procedures, and benchmarks are in place, most reports are prepared and analyzed manually using customized spreadsheets, and there is no dashboard that tracks IT services performance versus targets in real time. "We are looking at what are some of the suitable [commercial IT governance] products, but so far we have not seen any that provides an overall end-to-end solution," says Lai. He reckons that the current system is working well enough in keeping IT projects on track, including an upgrade of the enterprise asset management system—MTRC's assets now total more than HK$113 bn, up 76% from 1996.
MTRC's system appears to fit the classic definition of IT governance. According to KPMG, it is "a set of business processes that imposes a performance discipline over investment decisions, investment management, resource management, risk management, project (value) management, and communications" across the entire organization, not just the IT department. The processes require "many layers of organizational commitment, from senior executives' business sponsorship to the management of detailed project services and individual project resources." They may or may not be automated, even though vendors like CA, Mercury and Compuware are coming out with software suites that promise to create real-time IT governance dashboards.
Reader Comments» Post a comment