HomeLeadership

The new IT governance

Like Tweet Pin it Share Share Email

Culture is the new IT governance.

No. It isn’t. Not yet. Culture should be the new IT governance.

The IT Governance Institute’s definition of IT governance is as good as any: “… leadership, organizational structures and processes to ensure that the organization’s information technology sustains and extends the organization’s strategies and objectives.”

Nothing wrong with the concept. IT’s priorities should be driven by business considerations. Setting them through the consensus of its stakeholders seems sensible.

It is sensible. Where IT governance goes sideways is where oversight usually goes sideways: A failure to understand that Homo sapiens has two subspecies: Steven Spielberg and Jeffrey Lyons. Either you helped make the movie or you’re a critic.

In most companies, most of the time, the IT Steering Committee is Jeffrey Lyons. It doesn’t really exist to set IT’s priorities. It exists to review, critique, and for the most part reject suggestions as to what IT’s priorities might be.

The IT Steering Committee, that is, isn’t a strategy-setting team that collaborates to decide how the company can best take advantage of what IT has to offer. Instead it’s become a group of critics, who see their job as ensuring IT doesn’t go off and waste precious company resources on pointless technological extravagances.

In case the problem still isn’t clear, too often, the IT Steering Committee’s mission isn’t to help put good ideas into practice. It’s to prevent bad ideas from becoming bad practice. The result: It makes sure the business never tries anything except the safest ideas.

Which is one reason, and a very important one, that shadow IT is on the rise: Departments commissioning their own information technology don’t have to jump through any of the IT Steering Committee’s flaming hoops.

There’s another, related reason: The company has to be careful how it allocates its “scarce IT resources” so they provide the maximum return.

This sounds convincing, until you ask why IT resources are so scarce. Usually, they’re scarce for one of two reasons, or both.

The first has been pointed out in this space several times before: Companies try to cut costs by trimming the IT budget, not realizing this is like trying to cool a room by blowing cold air at the thermostat. The more cold air you blow, the more everyone swelters.

The second reason is a terrible trend: IT’s resources are scarce because of the fondness boards of directors and top-level business executives have for financial engineering.

Here’s the math: In its most recent year the Fortune 500 will have earned an aggregate $945 billion in earnings. But as reported by Bloomberg last fall, they’ll “invest” 95% of it in stock buy-backs, leaving only $47 billion for all forms of reinvesting to achieve competitive advantage. All new IT spending has to come out of that residue.

If IT resources are scarce, it’s an artificial and deliberate scarcity. Rather than fight for these artificially scarce resources, business managers at all levels are increasingly walking away from the struggle, instead rolling their own IT through a combination of SaaS solutions and cloud-hosted custom systems written by outside developers.

As pointed out last week, this avoidance of formal IT oversight results in three very real risks: Re-keying of data that should automatically flow through IT’s integration mechanisms; exposure of sensitive corporate data to outsiders who have no business seeing it; and failure to adhere to the company’s painstakingly arrived at set of official data definitions, which will, in turn, make both re-keying and automated integration problematic.

Which in turn leaves only three possible solutions. The first is to live with the problems — probably not a good idea, as they are preventable without all that much additional effort.

The second is to apply existing enforcement mechanisms to shadow IT. They’ll work, but they’ll slow down something whose principle virtue is that it speeds things up.

That leaves the best alternative: Culture. Members of cultures enforcement them through social coercion, greatly reducing the need for official sanctions. It’s efficient, because everyone in the company internalizes its culture without any formal training. Employees know the rules.

The downside: Establishing and maintaining the desired culture is hard work — not hard the way nuclear physics is hard, but hard the way laying cinder block is hard.

But it’s worth it. The right culture delivers the right results without the heavy hand of enforcement, letting leaders apply a much lighter touch.

Comments (5)

  • So right about ‘scarce IT resources’!

    I will, however, quibble with your final analogy – laying cinder block is heavy lifting, but not too many things can go wrong, it gets done, and you can move on. Establishing and maintaining culture is hard like farming – lots of unpredictable environmental issues, lots of repetitive things, and it never really gets ‘done’ – there’s always something else that needs attention. At if you don’t pay attention, things can get pretty bad pretty quickly.

  • I love this week’s issue. I’ve said for years that the best process is one that the users actually WANT to follow-when it’s seen as a good way to get things done, rather than the way to avoid making mistakes. Maybe the IT dept should focus on the back-end plumbing – protecting data, avoiding re-keying, that sort of thing, and leave the business functionality to the business.

    PS – are you channeling Douglas Addams with that statement about nuclear physics and cinder block? That seems like the way he might have described it!

  • I have to say I’m a bit disappointed in your article this week. In my opinion, what you wrote was 1/3 of a great article. But, you didn’t define what you meant by “culture” that IT is to be exercising governance over. Secondly, you didn’t give a few concrete examples of how an IT department could actually do this.

    In my experience, to have influence over the direction of a culture, you have to be seen by the members of that culture as being a member of that culture, or else you will be seen as a Jeffry Lyons outsider that the culture has to defend itself against.

    Your approach may be great one, but I’m not seeing concretely how an IT manager or department would implement it in a business. An example or two would be helpful.

    • Sorry to have disappointed you In my defense, adding a couple of examples of culture change would have turned an article into a book.

      If you want an excellent example of how to change a culture, get hold of “It’s Your Ship.” Not an IT example, but the techniques are universal.

      • Thanks for your response…I do expect you will somehow survive the shock of my disappointment only to go on the to even greater heights!

        Still, thanks for bringing up the idea.

Comments are closed.