Culture is the new IT governance.
No. It isn’t. Not yet. Culture should be the new IT governance.
The IT Governance Institute’s definition of IT governance is as good as any: “… leadership, organizational structures and processes to ensure that the organization’s information technology sustains and extends the organization’s strategies and objectives.”
Nothing wrong with the concept. IT’s priorities should be driven by business considerations. Setting them through the consensus of its stakeholders seems sensible.
It is sensible. Where IT governance goes sideways is where oversight usually goes sideways: A failure to understand that Homo sapiens has two subspecies: Steven Spielberg and Jeffrey Lyons. Either you helped make the movie or you’re a critic.
In most companies, most of the time, the IT Steering Committee is Jeffrey Lyons. It doesn’t really exist to set IT’s priorities. It exists to review, critique, and for the most part reject suggestions as to what IT’s priorities might be.
The IT Steering Committee, that is, isn’t a strategy-setting team that collaborates to decide how the company can best take advantage of what IT has to offer. Instead it’s become a group of critics, who see their job as ensuring IT doesn’t go off and waste precious company resources on pointless technological extravagances.
In case the problem still isn’t clear, too often, the IT Steering Committee’s mission isn’t to help put good ideas into practice. It’s to prevent bad ideas from becoming bad practice. The result: It makes sure the business never tries anything except the safest ideas.
Which is one reason, and a very important one, that shadow IT is on the rise: Departments commissioning their own information technology don’t have to jump through any of the IT Steering Committee’s flaming hoops.
There’s another, related reason: The company has to be careful how it allocates its “scarce IT resources” so they provide the maximum return.
This sounds convincing, until you ask why IT resources are so scarce. Usually, they’re scarce for one of two reasons, or both.
The first has been pointed out in this space several times before: Companies try to cut costs by trimming the IT budget, not realizing this is like trying to cool a room by blowing cold air at the thermostat. The more cold air you blow, the more everyone swelters.
The second reason is a terrible trend: IT’s resources are scarce because of the fondness boards of directors and top-level business executives have for financial engineering.
Here’s the math: In its most recent year the Fortune 500 will have earned an aggregate $945 billion in earnings. But as reported by Bloomberg last fall, they’ll “invest” 95% of it in stock buy-backs, leaving only $47 billion for all forms of reinvesting to achieve competitive advantage. All new IT spending has to come out of that residue.
If IT resources are scarce, it’s an artificial and deliberate scarcity. Rather than fight for these artificially scarce resources, business managers at all levels are increasingly walking away from the struggle, instead rolling their own IT through a combination of SaaS solutions and cloud-hosted custom systems written by outside developers.
As pointed out last week, this avoidance of formal IT oversight results in three very real risks: Re-keying of data that should automatically flow through IT’s integration mechanisms; exposure of sensitive corporate data to outsiders who have no business seeing it; and failure to adhere to the company’s painstakingly arrived at set of official data definitions, which will, in turn, make both re-keying and automated integration problematic.
Which in turn leaves only three possible solutions. The first is to live with the problems — probably not a good idea, as they are preventable without all that much additional effort.
The second is to apply existing enforcement mechanisms to shadow IT. They’ll work, but they’ll slow down something whose principle virtue is that it speeds things up.
That leaves the best alternative: Culture. Members of cultures enforcement them through social coercion, greatly reducing the need for official sanctions. It’s efficient, because everyone in the company internalizes its culture without any formal training. Employees know the rules.
The downside: Establishing and maintaining the desired culture is hard work — not hard the way nuclear physics is hard, but hard the way laying cinder block is hard.
But it’s worth it. The right culture delivers the right results without the heavy hand of enforcement, letting leaders apply a much lighter touch.