'IT Risk Management' Emerging as Strategic Corporate Initiative

Any effectively developed strategic plan must involve consideration and management of risks. According to this research report by EMA (http://www.enterprisemanagement.com), appreciation for the value of IT risk management is increasing. What I find in general lacking is the integration of risk and compliance objectives and initiatives to value creation initiatives to form a cohesive strategic plan.

"Putting a Strategic IT Risk Management program into place can provide substantial benefits for the enterprise, not only in controlling threats to critical IT services, but also in giving the business a stronger competitive edge through more effective technology discipline."

Today, new approaches to risk management are delivering strategic corporate benefits by tying once disparate IT initiatives into a more unified and integrated program that helps organizations achieve business objectives. These initiatives play a critical role in shaping an IT governance strategy, enabling the business to define governance priorities and to measure and prioritize enterprise IT risk management more effectively.

In the study, "Governance, Risk, Compliance and Beyond: The Emergence of Strategic IT Risk Management," EMA explores how the convergence of IT domains ranging from performance, availability, configuration and change management to business risk, trust and security controls is defining an entirely new class of solutions. These new approaches are providing critical insights needed to develop a comprehensive operational risk management strategy -- where business goals are aligned with IT.

"Today's enterprise faces a daunting range of IT risks -- from security, business malfeasance and insider threats to business-critical IT service availability, performance and integrity issues. Regulatory requirements intended to curb these risks have also driven the pursuit of more effective IT governance. IT risk management has become the lynchpin of all these demands," said Crawford. "Putting a strategic IT risk management program into place can provide substantial benefits for the enterprise, not only in controlling threats to critical IT services, but also in giving the business a stronger competitive edge through more effective technology discipline."

"The concept of a 'strategic' approach brings coherence to the enterprise. IT risk management is no longer limited to one technology or meant to meet a single regulatory mandate," continued Crawford, "It seeks to unify and integrate siloed approaches to managing security, business, technology and trust risks -- aligning them with strategic business objectives to enable the enterprise to consistently manage and measure their control."

Technorati Tags: IT Risk Management

IT Governance Critical in M&As

Having an effective governance in place is always important, but it is even more so to help companies successfully implement mergers and acquisitions. Both companies need to quickly establish the structure and the decision making approach that will be used in making decisions. They also need to establish who has the right to make what decision and what criteria will be used to navigate the tough trade-offs ahead. The teams typically freeze after a change like this as they often do not know who to go for even simple decisions such as signing a license maintenance agreement.

A recent report from Forrester on mastering M&A recommends the following:

• Be brutally honest about jobs. CIOs need to quickly and clearly state how staffing decisions will be made. Identify which positions and staff members to keep and ways to retain them. Adopt a retention bonus program closely tied to the integration plan, with bonus kickers for meeting milestones and savings goals.

• Move quickly to get the low-hanging 'savings' fruit. That means consolidating data centres and renegotiating software licenses and vendor contracts to prepare for a larger user base.

• Drive business decisions away from feature-by-feature comparisons. Application rationalisation is critical because the cost of redundancy is so high and because business process integration requires a single applications set. This is the lengthiest and most complex part of integration. The big insight? CIOs must help executives see that "the shortest path to synergies may be to use as little as possible from the acquired firm."

• Pick one firm's set of processes. Roll those out to the other firm's staff. Process consistency is the hallmark of a mature IT organisation. It's also an important element in how business perceives IT. Processes such as procurement and security policies must be stabilised and standardised. Merging two firms' processes during an M&A integration adds to staff confusion; Forrester recommends you don't do it.

Technorati Tags: IT Governance, M&A

Intro to IT Governance

Here's a quick introduction to IT Governance from the Executive MBA blog...

Technorati Tags: IT Governance

YITGC Lessons from US Passport Decision

In this Podcast we analyze the poorly planned and executed decision by the US State Department regarding passport rules to see what we learn from it and apply it to our own governance environment.

Do you want to learn more about this topic? Please listen to this PodCast now by clicking this link.  If you are reading this in the blog, you may also subscribe to it and automatically get future releases for free by clicking the iTunes or RSS orange buttons on the left column.

Intuitive Governance?

Governance helps leaders make better decisions by clarifying things like vision, priorities, risks, decision rights, decision structures and so on. I have witnessed many times improvements in productivity and savings in the millions of US dollars after improving an organization's governance. However, I do feel that there is a place for intuitive decision making in the business world. In fact, the clarity and alignment achieved through formal governance, actually sets the groundwork for "safer" intuitive decision making.

I read this morning a great article on this topic in the London Times online. The article is by Professor Eugene Sadler-Smith, author of the upcoming book "Inside Intuition." Enjoy!

*******************************

From The Times
August 13, 2007
When you just know. . .

We all have intuition – a gut feeling, a hunch or sometimes business instinct. It is a hallmark of how human beings think and behave. Though we are often exhorted to be cool and rational, to rely on hard data and logic, it is impossible to function without gut feelings when making decisions. Intuition presents itself to us in an instant, quite unbidden – a neurological alarm bell, if you like – and its effects can be life-changing.

If we can distinguish this intuitive feeling from fears, biases or wishful thinking it can be a potent, sometimes life-saving, force. A small child has a high temperature: nothing unusual about that. But a parent may have a gut feeling, take action – and discover meningitis, just in time.

It is also very relevant in the world of business. From research in the UK and the US, we know that 90 per cent of managers use intuition, in areas such as hiring and firing, new product development and business strategy; with two thirds saying that intuition led to better decisions.

There are many famous examples of commercial intuition. Sir Richard Branson claims in his autobiography that he makes up his mind about people and business proposals, and whether they excite him or not, within 30 seconds (not always effectively: witness Virgin Cola), and for entrepreneurs in the long run intuition seems to pay dividends.

Ray Kroc, the founder of the McDonald’s chain, has said that he followed his funny-bone instinct when deciding to borrow $2.7 million in 1960, against his lawyer’s advice, to buy out the fast-food franchise that he had started.

However, what my own research has proven, is that the unpremeditated, effortless spark of creativity does not arrive in an unprepared mind. It is the outcome of extensive learning and experience – a precondition for accurate intuition.

Technorati Tags: Decision Making, IT Governance

Aligning to your company's growth strategy

Some functional executives like CIOs have difficulty aligning their function's strategy to the corporation's because sometimes corporate strategies are not clearly communicated beyond the publishing of mission and vision statements. I have had clients say, "we can't develop our strategy until the corporation clarifies theirs." Regardless of what is published or not published, a company's real strategy is indicated by the actual trade-offs that are made, how people and divisions are rewarded, and how priorities are set. CIOs and their staff can develop a set of assumptions about the drivers they need to respond to and engage their business partners in confirming and articulating those drivers.

Many companies are right now focused on growth. In fact, a recent ComputerWorld article states that "Around 60% of CIOs expect their businesses to grow faster than the global economy, which the IMF predicts will grow at around 5% a year until 2012." However, companies use various strategies to grow their company. IT executives can use Gartner' s Seven Levers for Growth model to develop assumptions about their company's growth strategy and engage their business partners in dialog. They can then modify their strategy to ensure they are enabling and exploiting such opportunities.

The model mentions these seven levers for growth:

• Improve operations
• Improve products
• Exploit channels
• Target customers and markets
• Acquire companies
• Connect the ecosystem
• Create blue oceans

Effective IT governance ensures all decisions advance and support the IT and corporate strategies.

Technorati Tags: IT Strategy

Study Reveals Positive Impact of Training in Mitigating IT Risks

Study Reveals Positive Impact of Training in Mitigating IT Risks
Government Technology (06/20/07)

IT teams that are well trained are better able to leverage key technology features and functions, resulting in an increase of performance and productivity, concludes a new study by IDC and Symantec. The study focused on more than 200 North American functional IT teams consisting of two to three staff members. High-performing teams spent an average of 78.9 hours on maintaining and improving operations per month--considered high value activities--compared to 62.8 hours for low-performing IT organizations. In addition, high-performing IT organizations spent less time on low-value activities--they spent an average of 49.2 hours per month deploying solutions and 62.9 hours per month resolving broken tools or processes, while low-performing teams spent 54.7 hours on average deploying solutions and 73.5 hours resolving broken tools and processes per month. Because the well-trained teams used their time more efficiently, they could potentially realize a 10 percent increase in productivity, representing savings of up to 2,000 hours or $70,000 in gained productivity annually. The benefit of training not only lies in enhancing skills and performance, but also on reducing IT risks such as compliance. The study found that well-trained IT staff met software configuration standards for their production servers more than twice as often compared to less-trained teams.

Technorati Tags: IT Risk Management

IT Governance Decisions for SOA

Service Oriented Architecture (SOA) is being embraced by many organizations as way to both, become more efficient and increase responsiveness and speed. A study by McKinsey and Company reports that 60% of the CIOs surveyed planned to use SOA projects to achieve their objectives. Although some organizations are beginning to realize benefits from SOA implementations, many are struggling with the very thing that is at the core of SOA: sharing services across organizational silos.

This is demanding a more matured governance that was required before. According to Gartner a successful SOA program "necessitates new processes, ranging from governance, through development, to operations." The more organizations that share in the development and consumption of shared services, the greater the return in the initial and on-going investment. However, this complicates the speed and quality of decision making unless the appropriate IT governance is quickly designed and implemented.

Governance at its essence is effective decision making. As such, after ensuring we have a clear and compelling strategy we need to focus on selecting the governance decisions that matter most. There are many, many decisions that need to be considered; however, an organization needs to prioritize them based on their impact to strategic objectives, their impact to business failure if not properly done, and their financial impact. We shouldn't underestimate the work that is required to properly govern just one decision: defining the decision making criteria, the roles and authority, and the governance processes needed to make the decision. This is why we need to be careful to start with the most critical decisions and grow the number of decisions that are in governance control.

Technorati Tags: IT Governance, SOA

Lessons in Innovation from Apple

Most successful IT organizations chose to optimize their organization for either operational excellence, customer intimacy, or innovation. Everything, from competencies, to processes, to even structure need to be aligned to support that strategic anchor. I find it helpful to study organizations that model those anchors to see what we can learn and apply. As a Mac user myself, Apple is a wonderful example of an innovative company. What can we learn about innovation from Apple?

The June 9th issue of The Economist has a cover article entitled "Apple and the Art of Innovation." In this article, and a longer one also in this issue, they talk about the ups and downs of the company, their business struggles and wins, and the influence of Steve Jobs. They also talk about the culture of innovation within the company and I believe we can learn a few things that we could apply to an IT organization striving to be very innovative.

Here are some of the lessons from Apple on innovation:

• Welcome innovation "not invented here." For a company or an IT organization to be innovative, it doesn't mean THEY have to come up with all the great ideas themselves. They need to recognize the possibilities and how the different technologies, processes, information, etc. can be combined to uniquely meet business needs. Apple is great at finding and embracing innovation that occurs outside their walls. The idea of the iPod came from a consultant working on a project, iTunes was bought and then improved, the Mac OS was bought from the Next company, that although Steve Jobs' company, it and Steve were outside of Apple at the time. So be ready to adopt "network innovation" just like companies like Procter and Gamble and BT.
• Pursue Simplicity. Apple designs its products around the needs of their users, and not the demands of technology. Although IT solutions may be complex behind the scenes, they need to be intuitively simple for users. I was just talking with a friend in a company where they just deployed a very expensive and powerful application. The users are disillusioned, "is this all we get?" The IT staff are frustrated because the users are not taking the time to really study all the powerful features and exploit them. Perhaps better design with their users in mind would have helped. I'm not sure how good the iPhone will actually be, but people are going crazy over its perceived simplicity.
• Ignore Focus Groups. This may seem to be a contradiction to the above point, but it's not. Yes it's important to listen to your customers, but we need to do more. We need to understand what customers need, versus what they say they need. Keen observation and imagination are invaluable.
• Fail wisely. When a solution is not working for a company, when they purchased the wrong tool, or wrote the wrong application we then think of "writing off" the investment. This may be a wise accounting thing to do, but we should not write off the knowledge or even technological capital we have gained. We may be able to apply this in the next generation of a solution. The Mac was born from a previous failed attempt, Lisa. The iPhone is coming after a failed attempt with Motorola. Recent Apple computers are based on technology from Next, a company that produced computers that were not very marketable. So, in every failure we can find a gem, but the risk taking culture of an innovative IT organization must be open to it.

Just a few things to keep in mind in our journey towards innovation. Is your organization able to support these ideas?

Technorati Tags: Innovation, IT Leadership

YITGC Getting IT Organizational Design Right

Cobit's control objective PO4.5, IT Organizational Structure is both innocent looking, yet extremely powerful.  It is part of “Define the IT Process, Organization, and Relationships” PO4.  We have all been part of organizations that have organizational structures aligned to their strategy and of those that are misaligned.  Sadly, many of us have also experienced botched organizational design transitions. 

In this podcast I cover the levers that need to be considered when re-aligning an organizations, and the things that need to be kept in mind to make the journey to the new organizational design a successful one. 

Do you want to learn more about this topic? Please listen to this PodCast now by clicking this link.  If you are reading this in the blog, you may also subscribe to it and automatically get future releases for free by clicking the iTunes or RSS orange buttons on the left column.