Owners Deserve a Better Deal

Drucker said, "In every single business failure of a large company in the last few decades, the board was the last to realize that things were going wrong." In fact the owner was the last to realize.

Protecting the interests of the owner and ensuring that the owner achieves the goals for their investment, ethically and transparently, is the fundamental purpose of corporate governance. By extension, this is also the purpose of corporate governance of IT.

"Top management must take charge if profits are to result" - John Garrity, 1963

Boards of directors and business leaders, over the last 50 years, have failed to ensure that IT related investments create value, despite these investments being responsible for up to 50% of capital expenditure for businesses worldwide.

Consider Cranfield University's study of IS/IT investment appraisal processes of large UK firms (described in Ward and Daniels, "Benefits Management"):

• Only 30% of investment appraisals have adequate involvement of business managers
• Just 10% consider the implications of business changes
• Only 25% of decision makers understand the business case
• Not surprisingly, just 27% of projects deliver the benefits that justified the investment.

If managers are not doing their job then neither are the directors, whose job it is to make sure that management does its job.

"In law. all directors are responsible for the stewardship of the company’s assets. All directors, therefore, whether or not they have executive responsibilities, have a monitoring role and are responsible for ensuring that the necessary controls over the activities of their companies are in place - and working." - Report of the Committee on the Financial Aspects of Corporate Governance, Sir Adrian Cadbury, London, 1992 ("The Cadbury Report").

An effective system of corporate governance allows owners to direct and control the organization within a framework of effective transparency and accountability. It enables the owners to provide input into the organization's overall strategy and direction and receive assurance that the organization is growing in value, fulfilling its responsibilities to stakeholders, and limiting risk exposure to tolerable levels. It is the enabler of improved business performance.

After 50 years it is time to re-frame governance of the use of IT in these terms. We must start using language and concepts that business leaders at the very highest levels readily understand and can adopt. 

The ISO/IEC 38500 standard provides guidance for doing that. It is a business leaders’ framework, free of jargon, for managing risk and maximizing the value of IT. Business leaders that follow its guidance give owners assurance that managers are doing their job.

Consider the Benefits

John Garrity was the first to observe that, in firms with the highest returns on IT investment,  executive management dedicate their time to system projects in proportion to the cost and potential of the systems. They:

• Evaluate the plans for these systems; 
• Make the major IT decisions;
• Monitor and follow up on the results achieved.

In 2006, Dr Raymond Young, Macquarie University, analysed a variety of authoritative literature and reasoned (in "What is the ROI for IT Project Governance?") that currently:

• Overall Return on Investment (ROI) for IT related projects is 30%
• 2/3 of projects deliver no benefits whatsoever
• Overall, every effective dollar of IT investment is producing four dollars of tangible financial benefit to offset the failed and challenged projects. 

Dr Young further reasoned that improved IT project governance practices would ensure that more projects either realized their promised benefits or get put out of their misery. Doing so would:

• Increase overall ROI for projects to between 135% and 240% 
• Increase national GDP by between 1.6% and 3.1% (for Australia).

When governance considers the whole IT investment portfolio, the benefits are even more substantial. MIT Center for Information Systems Research found that the top five percent of firms, in terms of "IT Savvy," earned an average of $250 for each dollar invested in IT infrastructure in the year following the investment. (Weill and Aral, 2005).

These studies highlight that the way most organizations govern their IT investments is denying their owners, and the national economy, a considerable opportunity to create value. Business leaders and stakeholders that elect to do something about it stand to reap huge rewards.

"To remain competitive in a changing world, corporations must innovate and adapt their corporate governance practices so that they can meet new demands and grasp new opportunities." - OECD Principles of Corporate Governance, 2004

A National Offender - The Same Old Lessons Have Not Been Learnt

The Public Accounts Committee (PAC) have released their report on the The National Offender Management Information System (C-NOMIS) project.

The C-NOMIS project, originally expected to be delivered in January 2008 for £234 million, was stopped in August 2007 because costs had trebled. Astonishingly, £161 million had been spent but the National Audit Office was unable to determine what the money had been spent on. The scope and benefits have since been reduced and the project is now expected to cost £513 million and be delivered in 2011.

"The way the C-NOMIS project was managed and monitored was completely unacceptable. It is deeply depressing that after numerous highly critical PAC reports on IT projects in recent years, the same mistakes have occurred once again. We question the purpose of our hard work if Whitehall accepts all our recommendations but still cannot ensure a minimum standard of competence. In this report we make further recommendations for how other organisations can avoid the mistakes made on C-NOMIS through identifying risks, monitoring progress properly and taking action to mitigate risks as they emerge."

The Chairman, Edward Leigh, who has reviewed other out of control projects, most notably the NHS Connecting for Health Programme (aka NPfIT), started the proceedings by expressing his exasperation:

"I have had all this before and I just do not know whether there is any point really carrying on frankly...Why did these problems re-occur, the same old lessons have not been learnt; over ambitious, weak project management and all the rest."

The problem was that it was seen as an IT project rather than as a programme of IT-enabled business change and it was badly managed. An analysis by the National Audit Office of the underlying causes of the costs increases and delay indicated that C-NOMIS suffered from seven of the eight common causes of project failure - four in full and three in part.

"In scales of comprehensiveness of incompetence it is largely unmatched."

The recommendations from the report are fundamental to successful delivery of IT-enabled business change:

• Major projects should be reviewed by senior management with sufficient rigour and scepticism to ensure that proposals are well-focused, realistic and take full account of uncertainties. "As usual it is key managers and what key managers do that makes a really big difference."
• Do not wait for blame to follow failure. Ensure proper performance management at all levels.
• A plan showing how business change and new IT are to be integrated should be upfront in the Full Business Case for all major IT projects.
• The organisation's capacity to manage major projects should be assessed and, where appropriate, strengthened.
• Monitor projects closely using reporting systems that are fit for purpose, based on actual evidence of performance.
• Take swift and robust action when reviews, such as OGC Gateway reviews, identify concerns or shortcomings in the management or progress of a project.
• Use existing guidance to avoid repeating the mistakes of the past.
• Negotiate contracts to ensure suppliers match expenditure against deliverables.
• Record and validate benefits and financial savings.

"Clearly this project was handled badly, it achieved poor value for money, many of the causes of delays and cost overruns could have been avoided. I could make some grand eloquent statement about how we never expect to see this happen again in the Civil Service but I suspect I would be wasting my breath." - Edward Leigh

How the Mighty Fall

Mark McDonald, in his article How CIOs can sense if their companies are getting ready to fall, draws on Jim Collins book, How The Mighty Fall: And Why Some Companies Never Give In, to provide some useful insight into how five stages of company decline manifests in leadership attitude and use of IT.

Collins' five stages of decline are:

1. Hubris Born of Success.
2. Undisciplined Pursuit of More.
3. Denial of Risk and Peril.
4. Grasping for Salvation.
5. Capitulation to Irrelevance or Death.

McDonald maps these to five stages for IT:

1. A breakdown of investment and technology management disciplines.
   
2. Multiple and competing business unit initiatives pursuing more IT.
   
3. IT budgets increase focus on current operations as support requirements consume resources. Executives begin to doubt the ‘value of IT’ as they challenge the need for costs that seem to be rising faster than revenues.
   
4. Hope that a single integrated application system and infrastructure will erase systemic weaknesses. The silver bullet solution mobilizes IT resources and gives IT an apparent new relevance coming from the prior stage.
   
5. Good talent moves on and there are challenges attracting and retaining market leading talent – leading to reduced expectations for IT.

According to one reviewer of Collins' book, the book does a particularly good job of describing dysfunctional leadership behaviors of companies in decline.

I think McDonald does a good job describing the stages of dysfunctional leadership in the use of IT.

"Senior management teams often question the value they get for their IT investments....which sustain - but do not improve - [business] performance. Among the many knee jerk management team responses to these frustrations, firing the CIO and outsourcing all of IT have emerged as perennial favourites. The problem with these two solutions is that, for most enterprises, they do not attack the cause of the problem - poorly designed IT governance, often with a corresponding lack of business leadership participation in the key IT decisions...If IT is not generating value, senior management should first examine its IT governance practices - who makes decisions and how the decision makers are accountable." - Weill & Ross, MIT Sloan School of Management, in their book "IT Governance", p147.

Waltzing with the Elephant

Mark Toomey's latest newsletter is a good, easy to read summary of the major issue in getting value from IT; that business leaders must be engaged in directing and controlling their organisation’s use of IT to achieve their business goals. That is fundamentally what governance of IT is about.

The article refers to Sir Peter Gershon's address to the ISACA Oceania conference in Canberra, where the Elephant in the Room was identified in the context of public sector governance of IT but applies equally in business:

"Realising the dream of world class governance of IT in the public sector largely depends on the behaviour of those at the top."

The article goes on to explain why leadership in governance is needed; Directing and controlling the use of IT is part of the much bigger picture of directing and controlling the business.

"IT is an enabler of radical change. But, the mere act of buying or building an IT solution does not of itself deliver the change – a reality that has been proven again and again through the failures of projects where there seems to have been a delightfully naïve expectation that this would indeed be the case."

After reading the article I'm looking forward to reading Mark Toomey's new book, Waltzing with the Elephant.