Creating Effective Corporate IT Governance

By Lisa Ferri

While CIOs are ultimately accountable for the success -- or failure -- of a company's IT infrastructure, there's good reason CIOs shouldn't shoulder that burden alone. As the use and management of information spreads throughout the organization, it follows that oversight should also be more widely held, making aspects of IT the responsibility of other C-level peers, too. However, board members often view IT governance as an initiative outside their domain. "They'll say to the CIO, 'You decide (on IT governance) and get back to me.  Why should I be involved?'" explains senior Gartner analyst Susan Dallas. But the responsibility for IT governance must be shared across the company -- and the boardroom -- for two simple reasons:

1. The stakes are high. As Dallas puts it, "Follow the money." For most companies, the most significant amount of money on the expense ledger is the IT line item. When that much money is at stake, the company's very financial stewardship is in question -- and that responsibility falls squarely within the scope of the boardroom.
   
   
2. IT isn't just "support," it's "strategic business support." IT, at its best, promises to fuel business strategies. "But in order for IT to fully deliver on its promises," warns Dallas, "we need to move IT from the back office into the strategy sessions in the boardroom." Therefore, those making business strategy decisions need to be involved in the IT decision-making process as well.

A recent Harvard Business Review study found a correlation between senior level involvement in IT strategies and the IT infrastructures that go the distance. According to HBR's "IT Governance" study, enterprise success hinges on sharing the burden with other C-level peers and integrating accountability across the boardroom. The HBR study suggests directors become involved in IT approval processes, as well as "exception" scenarios (breaches and other situations that fall outside of normal business practice), and performance reviews. 

Michael Cangemi, president and COO of The Etienne Aigner Group, a leading designer of women's footwear and accessories agrees with this philosophy. He insists his board be involved in IT oversight. "In today's economy, with our reliance on IT for competitive advantage, we simply cannot afford to apply to our IT anything less than the level of commitment we apply to overall governance."

IT governance boils down to one fundamental question: Who makes IT decisions? It's a question that must be answered, though few companies have answered it well. Dallas estimates that roughly 75 percent of all corporations have an IT governance system in place that is "so ineffective and in such bad shape, they'd be better off starting over because (their IT governance) will never get them where they want to go." Here's what Dallas says they're doing wrong:

• The Silo. The most common mistake Seems to be that IT exists in a silo, with the CIO operating that way, too -- calling all the shots on his or her own. That's just the kind of alienation that can be the demise of IT governance, according to Dallas. Within a silo, CIOs incorrectly assume IT governance exists by and for IT. And they don't get the board involved. 
  
  
• Talking Heads. In companies where CIOs do have board involvement, it's often in the form of a high-level board steering committee. These steering committees very quickly devolve from decision-making bodies into communication vehicles, says Dallas.  "The board members get together and talk about the problems, but without the expertise to solve them, so they just talk and are never able to move forward."  

The good news from Dallas, is that there are several steps CIOs can take to safeguard against these classic pitfalls:

• Break up the responsibility. Create different executive-level teams to advise on IT governance, but give each very specific missions and different sets of decisions. One team may decide what kind of business strategies are supported through IT, while another is charged with technical architecture issues. Yet another team may answer the question: Which employees get dispensations from following the IT rules?
  
  
• Communicate the benefits. Clearly state your company's principles on IT governance -- or "IT road rules" as Dallas says -- which articulate the decisions your firm has made around the desirable usage and role of IT in the past. "Road rules" may range from whether you'll have "gold standard" IT support to which business strategies IT will support.

"If you get these (principles) right," says Dallas, "then the CIO's job is much easier." And, the benefits can be substantial for everyone. Dallas predicts that laying out IT governance principles achieves three outcomes: cutting down on decision-making time and "false starts" in terms of projects; setting the stage for better scrutiny of costs; and helping a firm "squeeze every dollar" in profits out of IT projects. It also allows CIOs to readily marshal resources around business decisions.

Of course, this is easier said than done. Dallas recommends the CIO first draft principles with a subset of senior-level directors. The next step is to confer, through an iterative process, with business unit leaders, as well as the CEO and CFO. The final step, says Dallas, is to get the board's "blessing."

Ultimately, effective corporate governance over IT may be a matter of boardroom perspective. In its most recent study of the subject, the IT Governance Institute found that those companies at the head of the pack had certain things in common: Their boards understood the strategic importance of IT and put IT governance on the agenda; and their executives understood IT risks and exploited IT benefits. Fundamentally, all levels of management understand IT governance is not an "isolated discipline" or "something (to be) practiced in remote corners or ivory towers." 

Lisa Ferri is a freelance writer living in New York.