IT Governance and Leadership

Policy and Legislation - greasing the wheels or a slipper slide to demise

2010-08-03T06:23:00.000-07:00

I was reading the Washington Regulatory Update this week, and being a member of the ISACA Government and Regulatory Agencies subcommittee region three, we are exposed to movements in legislation re IT Governance in Europe, Middle East and Africa. There's a huge amount of activity at the moment, from changes at Basel, the Dodd- Frank Act et al.

For what it's worth, my pennies worth, or rather a word of caution. We must be very careful that we don't promulgate legislation and policy (even at business and professional level) that stifles the very source of capitalism it's designed to protect. There must be a balance. I'm concerned that we are striking a balance too far to one end of the pendulum. What happens when business is stifled and unemployment rises. Do we review what was put in place and then have an epiphany in the other direction. i.e. for the greater good...... which was probably the reason why we did it in the first place! At least this is why we hope this is being done, but sometimes one can't help but feel that it's political grandstanding.

Unfortunately, there's a very real fundamental that lawmakers seem to miss. The presense of policy and law does not make the problem go away or make companies and shareholders ethical. The real threat of consequence should be the kicker!!

At the same time, Boards and Management need to knuckle down and deal with the fundamentals- good sustainable business. If you're rotten, you deserve to get left in the orchard.

Making Time for the green.

2010-03-23T02:42:00.000-07:00

I was at a conference recently and a topic of conversation revolved around the implentation of a control framework. A couple of the delegates indicated that they would not have time to implement this as it was more important to "do" other stuff like delivering service, adding value. I was shocked to say the least. It's tantamount to going on holiday without planning. Let's all get in the car and go - Where you may ask?, doesn't matter, we're busy "doing"

It's this same attitude that causes the downfall of so many companies - we must be seen to do stuff, but we don't have the time to ensure that what we are doing, is the right thing. The C-Suite must take the time and effort to ensure that controls are in place, be it a formal structure, Performance Management, business plan or strategy. It's ludicrous to not do so. This should not be an option.

Do a formal corporate review annually - take a page out of the mergers and acquisitions handbook, a good due diligence can really raise the issues to the forefront. If you're going to debate, at least debate the most pertinent issues, and make sure that these get resolved within an agreed time frame. Makes and hold someone accountable. It's all a question of sustainability. Imagine if we played golf like we run some businesses. We'd never get onto the green.

Strategy for Nova Scotia

2010-03-23T02:32:00.000-07:00

I've recently started a new service to member of the NS Association of CBD's in Nova Scotia, offering free high level advice on strategy and business direction - specifically through the Greater Halifax Partnership. You can contact me directly or through the Association. Obviously, should detailed strategic plans and business review be required, a nominal fee will be charged.
I'm also available on Skype, and video/teleconferencing.

Leadership in tough times - should it be different?

2009-07-01T22:25:00.000-07:00

There are a number of articles recently that expound the theory that the current global meltdown requires new leadership at company level. What does this imply, that the current leadership was inadequate? Then who is to blame? Is this a valid argument?

I do believe that different management styles are required dependent on the maturity of the organisation, but this does not mean that the same management mentality must be pervasive throughout the organisation. You need to have a situation where a portion of the executive team tends toward a level 6 management style with an even balance through the rest.

Some need to innovate, some need to strategise, some need to be conservative, some need to be pragmatic and so forth. Irrespective of the economy, the organisation needs to remain sustainable and deliver to shareholder expectations. A good leader recognises this and guides and balances this team dynamic.

Why the sudden focus on cost optimisation, working capital and cashflow management, the mad scramble for customer retention in the form of innovation and close relationship management etc etc . This is company management 101, and should always be applied and the benefits maximised. If this was not done automatically, then you have the wrong management.

When the markets tough, the above just becomes tougher, not something we suddenly wake up to do to "save" the company..

So, should leadership change? I think not. Just lead in the right direction. There is no such thing as a leader for War and a leader for Peace. Leadership transcends management style. Leaders show the way in tough times, and give the the glory to others when the going gets good. Its what we do.

2 Web or not 2 Web - What was the question?

2009-06-17T04:57:00.000-07:00

Just the concept of Web 2.0 and the Employee 2.0 must drive the avergae CIO up the wall. A recent article on ATLANTA, GA, Jan 09 (MARKET WIRE) -- The growing popularity of so-called Web 2.0 sites is proportionallyincreasing the risk of malware attacks and data leakage for companies thatallow employees to access social networking sites through corporate computers. "Web 2.0 sites are vital to those we're calling 'Employee 2.0' -- the nextgeneration of employees entering the workforce that expect the technology theygrewup with and routinely use to be part of their working environment," said SteveSheinbaum, VP of Americas for Marshal. "While managers and senior employeesmight not think of text chat as a vital part of their lives, young employeesprobably can't live without it, which means that companies are now facingdecisions about their corporate culture and security with Employee 2.0 inmind."

So where's the business rationale in all this. I'm inundated with calls to have access to this site and that technology and this latest gimmick blah blah blah! Where did the business sense go? The article above neglects to address the question - will this make the business better, will it give a better return to the shareholders?, give us competitive advantage? gives us long term sustainability?

New technology must have a place in the business fabric, but unless it serves a business purpose or addresses a business requirement, why have it. The challenge of course for the CIO and CTO, is to take that intuitive leap forward to find that reason. You have to lead from the front!

Strategy & Leadership - removing the hype

2009-05-25T00:51:00.000-07:00

The views on strategy range from alignment (Passive following adherence) to transformation ("strategic" intervention). Strategy and the formulation of it have become such a hyped process that senior executives are paralysed into inaction.

I'm not going to labour the point on what strategy is, or what makes it good or bad. It's really a pragmatic approach to what is in essence a bunch of simple questions:

What are the shareholders expectations?
Is what you are doing now sustainable, or is what you are going to be doing in the future radically different ( for whatever reason - market forces, new technology, competitors, divestment, integration etc)? - don't whitewash the reality.
Put it on the table - not the solution, just the facts of where you are now, and where you want to be ( a combination of short, medium and long term goals)

Get you executive team to put their experience together and create a workable plan to get you there. It doesn't have to be perfect. We all fall into the trap of trying to create the perfect strategic plan, when it is in fact a living, breathing process, adapting and adjusting to change.

What you don't know (the gaps), get your professional staff to fill in, i.e. what process needs to be developed , would new technology be required, is it going to change the way you market, are you're customers going to be interacting with you differently? etc.

Don't discount the use of tried and true basics, adapt if you must, but don't have a knee jerk.

Make the time with your executive team to actively engage and set in motion the plans to make the strategy come true. Do it! I'm sure I'm not the only executive that has attended strategy workshops and seen little or no action come from them (Its all about strong leadership here) and ensuring the operations are being dealt with by competent staff, and allowing the executive to get on with making the future happen.

If things change, as they will, have the maturity to change with it, you can't predict the future nor is it likely you will sail straight to the goal. A little bit of tacking will be required. At least you will be reaching your destination.

Having a "good" strategy and doing nothing, equals a "bad" strategy with lots of activity. The saving grace of the latter is that there is at least a chance that you will recognise your errors and fix them as you proceed.

Tactical Business Intelligence - its about fit and choice

2009-05-19T23:21:00.000-07:00

CIO's often face ongoing criticism about technology services, the "IT doesn't give me what I want" versus the " But its designed to do it this way - best practice" syndrome. So who's fault is this, and what can be done to remedy the disparity in view points, as obviously this is a road to knowhere?

There is no one size fits all approach to business intelligence. Perhaps I have a more simplistic, practical view (don't underestimate the complexity behind delivering "simple") of the approach to BI. I've spent a lot of time with the executive team in defining the requirements, but at this level, the focus appears to be limited to historical results. A well presented Balance Sheet offers no value in terms of proactive management, it is what it is.

So when you start exploring the alternatives and asking "What would be the key things that if you knew them, would make a fundamental difference to you ability to respond proactively?", you see the blank stares. Its not easy. What is that prescient feeling that senior executives develop over time to say " there’s something wrong here" to be proved correct on further investigation? How do you translate that into tactical business intelligence?

At one stage of my career I could walk through an industrial plant and sense quite clearly if there was a problem. I've developed the same sense over the years with IT infrastructure and delivery, and reading financial statements. If something doesn't gel, I follow my gut instinct. I’m not often wrong.

You have to develop an early warning system at tactical level, sensors as to the quality of business you are doing now, in real terms. You can’t rely on history to trigger proactive management. What these will be are dependent on the type of business you manage, but here’s a clue – put yourself back in the position where you were at operational level. Try and remember the challenges you had, the information you would have killed for to make you job easier, that little bit of advance notice that would give you the edge. If you can do this, you’re on the right track.

An example of this in a service environment would be a “potential late delivery” sent out as an email of flashed to a website/ dashboard/ display. Perhaps this is not so simple, as it does imply you have the right data in place to do this i.e. lead times, routings, capacity planning etc. This is in all likelihood the source of the issue – no basics in place.

As I said before, simple tactical reporting is not simple, it requires a level of operational capability that to a large degree has been diluted through apathy and neglect. Companies that have a solid core of operational professionals are well aware of this secret.

In conclusion, Tactical BI=solid operational core, this is where you get the value. Executive dashboards are exactly that, dashed.

Getting Value from Compliance

2009-05-13T05:09:00.000-07:00

I read through the draft of the King 3 Corporate Governance code recently to contribute my comments. (See IODSA). What was mentioned (in my own words) was the large cost of "forced" compliance incurred relative to the initial events that triggered it, and I refer here to the Enron/SOX relate issues.

There is little mention of a value added approach to compliance, instead of compliance for the sake of it. I would rather advocate a semi marketing approach to implementation i.e. look for ways of improving competitive advantage for your organisation, making you slicker, more innovative, more responsive and more profitable. I think that it was Sir Adrian Cadbury who intimated that good governance is good business, although I suspect that this had more to do with the higher share premium than the effectiveness of management.

If you follow the apply or explain principle,

then involve your colleagues in the process
define what the positive result will be or how it can be achieved
look for the sweet spots how it can contribute to competitive advantage
don't do it if there is no real justification for it in terms of the above
Obviously, don't be stupid and ignore the risks in the process or the spirit of compliance in the first place
Remember your duty of care as a CIO to sustainability, you shareholders and stakeholders
Turn compliance into an investment, not a cost

Software Licensing - the death of an era

2009-05-11T05:01:00.000-07:00

Software licensing as a viable model for customers should be placed under scrutiny. It's strange that CIO's spend a lot of time and effort in RFQ's, RFP's and ROI's to put software in place without sometimes reviewing the total cost of ownership. It struck me this morning that like an insidious disease, you could inflate your "fixed" overhead IT component over a period of time, and wake up to find that your available spend is being consumed by "maintenance" fees.

Lets assume that 55% of your budget is for maintenance and and infrastructure, less you salary and depreciation, this does not leave much room for any kind of intervention e.g. BPA, process innovation, tweaking etc. It places you as the CIO in a state of maintenance, which is the reverse of where you really want to be - making a strategic difference to business.

In my opinion, CIO's need to question the value add of ongoing license fees. Why pay them at all?

An option is to save the annual fees and plough that back into innovation and leveraging what you have. By the time you have reached the end of life of the software, the latest and greatest release, on another platform, a new set of infrastructure, open source alternatives or even a web2 environment will be available. By then, you may be in a better position to evaluate the next move.

Failing this, at least you would have leveraged your investment and got the value out of your software that was always the "unreachable" promise. The easy route is to muddy the waters and get something "better". Real CIO's make what they have work! after all, they were responsible for the RFP in the first place!"

Governance and ICT – a pragmatic approach to getting value

2009-04-28T22:26:00.000-07:00

1. Introduction
Executives are tasked by government, boards and in some cases by law to exercise the necessary controls over the organization, be it public, private or not for profit. While traditionally the Audit Committee has oversight over the controls that are in place to mitigate risk (particularly in Finance) , often, those controls over ICT are loose and misunderstood. The aim of this chapter is to provide a broad non- technical framework that will enable the Audit Committee and Public Service Executives, specifically tasked with the oversight of risk, to ask the right questions, and not necessarily to be experts in the technology involved.

2. Technology and Organisational Complexity
The use of technology in organisations vary. Consider the difference between a financial services organisation, a not for profit organisation and a manufacturing concern.

It is to be expected that the financial services organisation will operate in a highly regulated environment. Access to its systems and security issues would be high priority. Audit trails of data changes would be mandatory. Perhaps real time business continuity and disaster management would be high on the agenda. The spend on ICT would form a larger part of turnover. Systems are complex and varied. The ICT management team is skilled and specialised.

A medium size, not for profit organisation may have a more simple environment involving donor management and disbursements. A simple accounting infrastructure may be present with perhaps some contact management software for fund raising initiatives. Access and security ,while important, are perhaps less important than that of the financial services organisation. Verification of controls would also be less complex. It may have a small ICT support staff or perhaps be outsourced.

A manufacturer on the other hand could use very complex enterprise resource planning software to plan and manage the organisations supply chain. These may have many modules including a financial transaction layer, procurement, sales, inventory and manufacturing planning and control. Often support here is a combination of highly skilled internal ICT staff and external applications support.

The public service is understandably one of the more complex environments, as it contains elements of a service organisation, procurement, project and contract management, treasury and finance, with a large footprint in both delivery to its constituency, as well as performance management within its own organisation, notwithstanding the political complexities within it operates.

It can be seen from the above that depending on the type of organisation, the complexity of its ICT environment, and its reliance on these systems for survival and daily operation, Audit Committees have different questions to ask. They may also need to have external assistance when verifying that risk is mitigated.

3. The Governance role of the Public Service Executive
We are concerned here with Governance as opposed to Political Governing, which in the case of a public service professional, may be a juggling act. A recommended approach would be to equate the governance role in the same light as the duties commonly ascribed to directors of private and public companies, broadly:
-Take the necessary steps to practice due care in the management of the department , organisation or ministry
-Verify that the steps taken are adequate to achieve the delivery and service objectives, inline with policy, legislation and cost
-The actions taken, when measured against a reasonable man, should stand up in the light of public scrutiny
-Implement continual processes in due diligence, accountability and responsibility
-Implement the appropriate activities to monitor protection mechanisms
-And finally, maintaining the mechanisms put in place

Delivery in public service is often the largest area of concern, with public service professionals almost in a state of paralysis or limbo, waiting for decision to be taken by the government of the day. Alternatively, public servants might hold too much power in the opinion of politicians, thus delaying the implementation of policy if it is in conflict with the public servant’s political affiliations.

A non partisan public service is in truth probably not a reality, but, if the same principals of good governance in company law and responsibilities of directors is applied, by inference, the “right” actions will be taken. One must recognise the symbiotic relationship between the politician and public service staff, and to a large degree the unequal power sharing arrangement in place i.e. the politician should by democratic rights hold more power.

However, there is little reason not to create and implement the optimum mechanisms for delivery to streamline the implementation process, while waiting for decisions to be reached. Politicians come and go, but governments need to have a sense of permanence.

Practical examples of this could be:
-A defined tender and request for quote process that does not need to be redeveloped every time a project is agreed upon.
-A pre qualification process for major projects
-Processes and procedures in place to ensure that delivery is expedited
-Financial governance and control
-Health and pensions systems

The point here is that there is always a framework, business process, pre design, broad scoping exercise, information gathering, some or other pro-active activity etc that can be done while awaiting a government decision (good management needs to take place). Also, there is existing policy that will guide a proactive executive. Waiting and inactivity increases the chance of poor delivery.

4. Role of the Audit Committee in the Public Service
Traditionally Audit Committees remit is focussed around the evaluation of Risk. The question is however whether this will be appropriate in the future or whether the scope needs to be expanded. For example, if the strategic focus is around the effectiveness of services delivery, then the Audit function must be geared to ask the right questions, understand what the outcomes should be, understand the value drivers and make recommendations to improve delivery where it is lacking.

Another area which is often overlooked is non financial audit for example, effective provisioning of the military, effectiveness of government ministers, how good is the public service performance management system, or are public records secure from identity theft?

Often the dilemma is faced whether to play an active or passive role in audit. If the objective is to improve value delivery, drive effectiveness of government, improve performance of public servants, then being a passive reporter is totally inadequate. The future role of the public service audit function as an active participant in public service governance, responsible for playing a value added role in is self evident. The Chairman of the Audit Committee should not lose the opportunity to influence and contribute to the success of the organisation and of government. It may well be that the status of the Chairman of the Audit Committee be elevated to one of the highest and most influential political or public appointments in government. The skills here are in the areas of commercial, financial, program management and corporate governance acumen. Its not a legalistic approach if the intention is to get value delivery.

While it might not always be appropriate to drive standardisation of business processes, the Audit Committee needs to understand the value of a solid baseline of delivery. It’s all about alignment to achieve the objectives. An example of this would be a single, agreed upon, transparent and auditable process for procurement. All public service departments buy, why should it be different?

The role and responsibility of the Audit Committee in the Public Service needs to be redesigned if it is to drive and enable change.

5. Understanding ICT
It is not necessary to have to specialise or be an expert in the detail of the organisations deployed technology in order to ask some sensible questions. Ask any Managing Director of a company with diverse operations if this is true. However, it does make sense that the more complex the environment, the more assistance will be required. Also, the larger the organisation, the more chance there is that you have a Chief Information Officer, Chief Technology Officer , Chief of IT Governance or a combination of the above to provide the necessary ICT input.

What is important is that there is a framework in place to guide the Audit committee to ask the right questions. It may be feasible to develop a tool from scratch, or use one or a combination of the many frameworks or tools for ICT governance that are available to guide the process. It is never a decision about which one is used, although they have different areas of focus which you would need to be aware of, but more about how the tool is used, and what are the objectives being pursued. Remember that ICT is a changing environment, and therefore the tools need to be dynamic as well.

Fortunately, there are many well developed tools that are available, with good support to ensure that the tools are updated and reflect changing trends in ICT. The figure below seeks to position the toolsets /frameworks in an understandable way.

6. COBIT Example
Control Objectives for Information and related Technology (COBIT)[1] is a set of best practices (framework) for information technology (IT) management. Because of its pragmatic framework, it may be used to address Governance, process improvement and most importantly of all, service delivery. Even if public servants just manage each area mentioned below at a high level, i.e. ask the right questions, ensure that mechanisms are in place to rectify shortcomings, and measure results, there may be an immediate improvement in service delivery.

7. Information Systems are part of the solution
Historically when new governments or individuals are placed in power, the knee jerk reaction is to throw out the old and in with the new.

A policy change or new political appointment is not an excuse for doing away with good practice. As an example, a new individual heads up Finance. Nothing changes in the principles of good accounting practice, GAAP, IFRS etc remain the same. Financial prudence and control of risk, fiduciary duty remains the same.

Lets expand this to ICT. What makes ICT good is the existence of sound business practice, well identified business processes, solid measurement and remedial action of outcomes, and most importantly of all, the political and managerial gravitas to enforce compliance and discipline. Here politics must be separated from the responsibility of employees in public service to actually be held accountable for performance.

ICT alone cannot make up for or be the elixir to the absence of good governance.

8. Steps to Excellent Service Delivery
-Don’t get rid of useful things when discarding inessential things (Knee Jerk)
-Complex is not always the answer
-Know what is the most important public requirement and build your outcomes around this.
-Remember that there is balance between a wish list and practical reality
-If it cannot be articulated on paper, and I mean down to the last detail, it cannot be translated into technology, not ever.
-ICT fails because of this “we need a system to do “this”, but what “this” is we’re not sure”
-Kick butt and expect excellent results

[1] Toolsets and frameworks referred to may be trademarks of their respective owners.

Leadership and Governance - missing link?

2009-04-16T00:06:00.000-07:00

I find it interesting that there appears to be a disconnect between Leadership and Governance. Board members are responsible for governance or the lack thereof, with the elements of governance being delegated down to total ineffectiveness. In effect, governance is being "managed" with no real accountability by the board.

If you bring leadership into the equation, you will agree that it doesn't fit at all!! So why is this? Surely strong leadership should be the cornerstone of good governance?

Historically, weak and ineffective leadership results in the abuse of power and lack of governance. You can witness this in failing economies and companies going under. So where does leadership extend to? Just the Board? I think not. While it is right that the CEO and directors display and practice good leadership, surely shareholders and stakeholders also carry some responsibility?

In all the times where there has been economic crisis's, where were the shareholders? Its OK to reap the profits while the going is good, but you can't tell me that shareholders are oblivious and naive that they do not suspect dirty dealings, especially with the woppers we have been subjected to recently. Its convenient to look the other way!

Perhaps company law should be rewritten to include shareholders or those who manage indirect shareholders money e.g. pension funds etc, in joint responsibility (and liability) for good governance and therefore corporate failure.

Imagine in the current crisis that instead of the State paying out taxpayers funds to prop up companies fraught with mis-management and poor governance, the shareholders were requested to payback all the dividends earned as a result of these actions.

We would see an exponential improvement in good governance, and an active improvement in good leadership. After all, if you as a shareholder were held jointly responsibile for mismanagement, you'd make damn sure that you have the best leadership in place.

Audit - Time to add value

2009-04-15T23:20:00.000-07:00

I should have perhaps titled the article - Audit - What Value? In a recent presentation I did on behalf of the South African Chapter of ISACA (Information Systems Audit and Control Association), as is my provocative bent, I challenged the group to review the value proposition offered by the audit function, not only IT, but all the elements of good governance.

Where there is a legislative framework in place that forces companies to use a service, its inevitable that a certain amount of service ethic falls by the wayside (Why should you when companies are forced to use your services anyway?). This in turn effects value delivery. Given that the current global economy is shaky, the focus on cost and value is now suddenly at the top of the board agenda. If good governance was the order of the day, and boards actively practiced their duty of care, this would already be a way of life!

However, back to the point. The days of an audit firm attaching itself like a bloated leech to
a company at year end, and completing the required audited statements in a detached fashion, without actively contributing to the good governance of the entity, are over.

Shareholders and boards should view this kind of activity and behaviour with circumspection and downright suspicion. After all, you pay a fortune for the service, and for what - to rubber stamp? Why not go to the CA down the road and do the same thing at a fraction of the cost? Better still, force your board to instill good governance at source, it will save you a lot in the long term.

This is not a singling out of auditors in anyway. We should apply the same rigour when selecting any vendor or service provider. We should look for value, we should question the return on investment and we should look to it supporting our strategy and sustainability. Above all, we should look for practical solutions that fit our market and culture. Why should we not expect the same from the audit function?

The challenge is for auditors to look inside of their own organisations and develop a value proposition. Why would I look to you as a valued partner? What makes you different and why shouldn't I use the CA down the road?

Shareholders and boards are well advised to rethink their relationships with their partners, and Auditors are no exception.