Ten Principles of IT Governance

From studying and working with hundreds of enterprises, we have distilled the lessons from many outstanding leaders into ten principles of IT governance. We intend these principles to provide leaders with a succinct summary to use as a primer, refresher, or checklist as they refine their IT governance.

1. Actively design governance
   Many enterprises have created disparate IT governance mechanisms. These uncoordinated mechanism "silos" result from governance by default—introducing mechanisms one at a time to address a particular need (for example, architecture problems or overspending or duplication). Patching up problems as they arise is a defensive tactic that limits opportunities for strategic impact from IT. Instead, management should actively design IT governance around the enterprise's objectives and performance goals.

   Actively designing governance involves senior executives taking the lead and allocating resources, attention, and support to the process. For some enterprises, this will be the first time IT governance is explicitly designed. Often there are mature business governance processes to use as a starting point. For example, the Tennessee Valley Authority piggybacked its IT governance on its more mature business governance mechanisms, such as its capital investment process. TVA's IT governance included a project review committee, benchmarking, and selective chargeback—all familiar mechanisms from the engineering side of the business.

   Not only does overall governance require active design, but each mechanism also needs regular review. Focus on having the fewest number of effective mechanisms possible. Many of the enterprises we studied had as many as fifteen different governance mechanisms, all varying in effectiveness. Fifteen mechanisms may possibly be needed but it's highly unlikely. All fifteen will certainly not be very effective, integrated, and well understood. Many enterprises with effective IT governance have between six and ten integrated and well-functioning mechanisms. One goal of any governance redesign should be to assess, improve, and then consolidate the number of mechanisms. Early in the learning cycle, mechanisms may involve large numbers of managers. Typically, as senior managers better understand IT value and the role of IT, a smaller set of managers can represent enterprise needs.

2. Know when to redesign - Rethinking the whole governance structure requires that individuals learn new roles and relationships. Learning takes time. Thus, governance redesign should be infrequent. Our recommendation is that a change in governance is required with a change in desirable behavior. For example, State Street Corporation, JPMorgan Chase, Carlson Companies, and UNICEF all changed their governance to encourage desirable behaviors resulting from significant changes in strategy. All four enterprises designed governance to achieve their desired balance of business unit autonomy and commonality. State Street, JPMorgan Chase, and Carlson were all attempting to generate more synergies. UNICEF used IT to transform its operations and improve global sharing, information management, transparency, and communication. These transformations involve many other issues besides IT and take many months to implement.

   In these types of transformation, IT governance can be used as one of the levers to encourage change. For example, State Street Corporation introduced enterprise-wide IT budgeting, encouraging a shift in perspective from the business unit to the corporation. JPMorgan Chase's buy-hold-sell process accomplished the same objective at a technology level. These governance processes communicate and enforce new desirable behaviors to facilitate organizational transformations.

3. Involve senior managers
   In our study, firms with more effective IT governance had more senior management involvement. CIOs must be effectively involved in IT governance for success. Other senior managers must participate in the committees, the approval processes, and performance reviews. For many enterprises, this involvement is a natural extension of senior management's normal activities. For example, MPS-Scotland Yard used its strong existing management committee structure to improve IT governance and gain greater synergies across all its operations. The Information Management Steering Group (IMSG) is one of fourteen strategic committees that connect to the top-level executive committee. This interlocking committee structure ensures senior management attention to IT in the context of the whole enterprise.

   CIOs must be effectively involved in IT governance for success.

   Senior management necessarily gets involved in strategic decisions. This means that senior management is rarely concerned with the exception process. However, if an exception has strategic implications, it may reach the executive level IT Steering Committee. UPS CEO Mike Eskew explained the top management role: "At some point, if it comes to you, then you say, 'This is the answer.' It's part of our jobs to make those kinds of decisions. Our CIO, Ken Lacy, almost always has it solved by the time it gets to me."2 In firms like UPS, senior management occasionally gets involved in exception decisions because those decisions represent strategy decisions. If the exception request escalates to the CEO, then it's no longer a technology issue. At that point it's a strategic choice.

   Many senior managers are willing to be involved but are not sure where to best contribute. It's very helpful for the CIO and his or her staff to communicate IT governance on one page with a picture like the Governance Arrangements Matrix. The matrix provides a vehicle for discussing each senior manager's role and any concerns they have.

4. Make choices
   Good governance, like good strategy, requires choices. It's not possible for IT governance to meet every goal, but governance can and should highlight conflicting goals for debate. As the number of tradeoffs increases, governance becomes more complex. Top-performing enterprises handle goal conflicts with a few clear business principles. The resulting IT principles reflect these business principles. Old Mutual South Africa's (OMSA) six IT principles, or "nonnegotiables," as they are called, provide a useful framework or how to use IT. The first principle, which all OMSA business units must observe, states: "The interest and needs of the Group/OMSA come first when exploiting technology or when contracting with suppliers." Appropriate stakeholders must be involved in the approval process prior to contracts being signed.

   Some of the most ineffective governance we have observed was the result of conflicting goals. This problem was often observed in the government sector, where directives come from many agencies. The result was confusion, complexity, and mixed messages, so the governance was ignored. The unmanageable number of goals typically arose from not making strategic business choices and had nothing to do with IT. We observed that good managers trying diligently to meet all these goals became frustrated and ineffective.

5. Clarify the exception-handling process
   Exceptions are how enterprises learn. In IT terms, exceptions challenge the status quo, particularly the IT architecture and infrastructure. Some requests for exceptions are frivolous, but most come from a true desire to meet business needs. If the exception proposed by a business unit has value, a change to the IT architecture could benefit the entire enterprise. We have described the exceptions process of UPS, State Street Corporation, and other enterprises. All these exemplars have three common elements to their exceptions procedures:

   The process is clearly defined and understood by all. Clear criteria and fast escalation encourage only business units with a strong case to pursue an exception.

   The process has a few stages that quickly move the issue up to senior management. Thus, the process minimizes the chance that architecture standards will delay project implementation.

   Successful exceptions are adopted into the enterprise architecture, completing the organizational learning process.

   Formally approved exceptions offer a second benefit in addition to formalizing organizational learning about technology and architecture. Exceptions serve as a release valve, relieving the enterprise of built-up pressure. Managers become frustrated if they are told they can't do something they are sure is good for business. Pressure increases and the exceptions process provides a transparent vehicle to release the frustration without threatening the governance process.

6. Provide the right incentives
   There has been so much written about incentive and reward systems in enterprises that we feel the topic is well covered and understood. Nevertheless, a common problem we encountered in studying IT governance was a misalignment of incentive and reward systems with the behaviors the IT governance arrangements were designed to encourage. The typical concern: "How can we expect the governance to work when the incentive and reward systems are driving different behavior?" This mismatch is bigger than an IT governance issue. Nonetheless, IT governance is less effective when incentive and reward systems are not aligned with organizational goals.

   A major governance and incentive alignment issue is business unit synergy. If IT governance is designed to encourage business unit synergy, autonomy, or some combination, the incentives of the executives must also be aligned. For example, in a large consumer products firm, the CEO wanted to increase synergies between business units to provide a single face to the small number of important customers that did business with several business units. The CEO and CIO worked together to design IT governance to align the enterprise IT assets to support the new objective. The new IT governance encouraged sharing of customer information, contact logging, pricing, and order patterns across business units. However, it was not until the business unit executives' incentive system was changed from being nearly 100 percent based on business unit performance to being 50 percent based on firm-wide performance that the new IT governance gained traction.

   Avoiding financial disincentives to desirable behavior is as important as offering financial incentives. DBS Bank in Singapore does not charge for architectural assistance to encourage project teams to consult with architects. Whenever incentives are based on business unit results, chargeback can be a point of contention. Enterprises can manipulate charges to encourage desirable behavior, but chargeback pricing must be reasonable and clearly understood.

   It is hard to overestimate the importance of aligning incentive and reward systems to governance arrangements. If well-designed IT governance is not as effective as expected, the first place to look is incentives.

7. Assign ownership and accountability for IT governance
   Like any major organizational initiatives, IT governance must have an owner and accountabilities. Ultimately, the board is responsible for all governance, but the board will expect or delegate an individual (probably the CEO or CIO) or group to be accountable for IT governance design, implementation, and performance—similar to the finance committee or CFO being accountable for financial asset governance. In choosing the right person or group, the board, or the CEO as their designate, should consider three issues.

   First, IT governance cannot be designed in isolation from the other key assets of the firm (financial, human, and so on). Thus the person or group owning IT governance must have an enterprise-wide view that goes beyond IT, as well as credibility with all business leaders.

   Second, the person or group cannot implement IT governance alone. The board or CEO must make it clear that all managers are expected to contribute to IT governance as they would contribute to governance of financial or any other key asset.

   Third, IT assets are more and more important to the performance of most enterprises. A reliable, cost-effective, regulation-compliant, secure, and strategic IT portfolio is more critical today than ever before. The person or group owning IT governance must understand what the technology is and is not capable of. It is not the technical details that are critical but a feel for the two-way symbiotic connection between strategy and IT.

   The CIO owns IT governance in the majority of sizable firms today.4 Other enterprises have chosen either another individual (the COO or occasionally the CEO) or a committee (say, of senior business and IT leaders) to own IT governance. We have not observed any one approach that always works best. It takes a very business-oriented—and well-positioned—CIO to deliver on the first consideration and a very technically interested COO or CEO to deliver on the third. Committees have the problem of meeting only periodically and dispersing the responsibility and accountability.

   Our recommendation is that the board or CEO hold the CIO accountable for IT governance performance with some clear measures of success. Most CIOs will then create a group of senior business and IT managers to help design and implement IT governance. The action of the board or CEO to appoint and announce the CIO as accountable for IT governance performance is an essential first step in raising the stakes for IT governance. Without that action, some CIOs cannot engage their senior management colleagues in IT governance. Alternatively, the board or CEO may identify a group to be accountable for IT governance performance. This group will then often designate the CIO to design and implement IT governance.

8. Design governance at multiple organizational levels
   In large multi-business unit enterprises it is necessary to consider IT governance at several levels. The starting point is enterprise-wide IT governance driven by a small number of enterprise-wide strategies and goals. Enterprises with separate IT functions in divisions, business units, or geographies require a separate but connected layer of IT governance. JPMorgan Chase has IT governance at the enterprise, division, and business unit level. Usually the demand for synergies increases at the lower levels, whereas the need for autonomy between units is greatest at the top of the organization.

   The lower levels of governance are influenced by mechanisms designed for higher levels. Thus, we advocate starting with the enterprise-wide IT governance, as it will have implications for the other levels of governance. However, starting enterprise-wide is sometimes not possible for political or focus reasons, and starting at the business unit level can be practical. Assembling the governance arrangements matrixes for the multiple levels in an enterprise makes explicit the connections and pressure points.

9. Provide transparency and education
   It's virtually impossible to have too much transparency or education about IT governance. Transparency and education often go together—the more education, the more transparency, and vice versa. The more transparency of the governance processes, the more confidence in the governance. Many firms like State Street Corporation use portals or intranets to communicate IT governance. State Street's portal includes under the section "IT Boards, Committees, and Councils" a description of the Architecture Committee and all the other governance bodies. The portal includes tools and resources, such as a glossary of IT terms and acronyms and the "Computer Contract Checklist." Often portals include lists of approved or recommended products. Templates for proposing IT investments complete with spreadsheets to calculate the IT business value are often available.

   The less transparent the governance processes are, the less people follow them. The more special deals are made, the less confidence there is in the process and the more workarounds are used. The less confidence there is in the governance, the less willingness there is to play by rules designed to lead to increased firm-wide performance. Special deals and nontransparent governance set off a downward spiral in governance effectiveness.

   Communicating and supporting IT governance is the single most important IT role of senior leaders. The person or group who owns IT governance has a major responsibility for communication. Firms in our study with more effective governance also had more effective governance communication. The more formal vehicles for communication were the most important. For example, CIOs on average assessed their enterprises' documentation of governance processes as ineffective. However, the firms with successful IT governance had highly effective documentation. Highly effective senior management announcements and CIO offices were also important to successful governance.

   When senior managers, particularly those in business units, demonstrate lack of understanding of IT governance, an important opportunity is presented. Working with managers who don't follow the rules is an opportunity to understand their objections. These discussions provide insight on whether the rules need refinement as well as a chance to explain and reinforce the governance.

10. Implement common mechanisms across the six key assets
    We began the book by describing how IT governance fits into corporate governance. We contend that enterprises using the same mechanisms to govern more than one of the six key assets have better governance. For example, executive committees that address all enterprise issues including IT, such as the one at MPS-Scotland Yard, create synergies by considering multiple assets.

    Recall the exercise (in Chapter 1) of listing all the mechanisms implementing each of the six key assets. Each asset may be expertly governed, but the opportunity for synergistic value is lost. For example, a firm implementing a single point of customer contact strategy must coordinate its assets to deliver that uniform experience. Just having good customer loyalty (that is, relationship assets) without the products to sell (IP assets) will drain value. Not having well-trained people (human assets) to work with customers supported by good data and technology (information and IT assets) will drain value. Not having the right buildings and shop fronts to work from or in which to make the goods (physical assets) will drain value. Finally, not coordinating the investments needed (financial assets) will drain value.

    Put this way, the coordination of the six assets seems blindingly obvious. But just glance back at your six lists of mechanisms and see how well coordinated—and more importantly, how effective—they are. Many enterprises successfully coordinate their six assets within a project but not across the enterprise via governance. In designing IT governance, review the mechanisms used to govern the other key assets and consider broadening their charter (perhaps with a subcommittee) to IT rather than creating a new, independent IT mechanism.

These ten management principles highlight many of the key findings in our work with enterprises. Attention to all of them should lead to greater value from IT. The leadership of the CIO is also critical to creating IT value.