Marcel van den Assum, Fonterra: One of the most important aspects of governance pertaining to IS, is alignment within the organisation through different governance structures. Or, to put it more specifically, alignment of governance structures. For example if you're developing a corporate culture, corporate values, it's vitally important that that culture, those values, are understood in the context of IS governance.
An empowered organisation versus a controlling type organisation dictates different approaches to how you run an IS operation. So there are multiple governance structures that need to be synchronised in some way. You really can't look at IS governance in isolation, and if it does become isolated, then you run the risk of not delivering the value the business is looking for.
Tony Lester, Land Information NZ: One of the things I was asked to look at when I came on board [in 2004] was the question around the IT governance component. So we've started working on it for the last few months and it became very clear to us that you couldn't do it in isolation.
We're putting in place a new mechanism for the executive team to look at governance across all projects. It's just as important in a small organisation where resources are stretched. You've got to understand where your resources are.
Rohan Mendis, NZ Police: After INCIS, the State Services Commission and the government were very clear about the expectation of government chief executives, including the Police commissioner, and it is good that it set the foundation for major IT projects.
Before INCIS, we did not have a refresh program for infrastructure, and after that a business-as-usual refresh program has been set. We have an IT advisory committee now - an external expert from the public, a justice sector representative, three Police executives and Police IT managers - to work together to look at what the Police and public expectations are.
Ross Hughson, Inland Revenue Department and formerly Westpac: Traditionally within the bank, there have been Australian projects and New Zealand projects. What we've worked on lately is to get more alignment between those, so we can leverage off the capability of both sides of the organisation.
So there is a central body now across Australia and New Zealand that looks at coordination of the projects. The other thing that is very important for us is getting central point of approval and governance for those projects. That sits under our strategy department. It used to sit under the finance team.
Post-Enron implications
Martin Dalgleish, Kensington Swan: There has certainly been a trend after Enron, particularly in the United States, where directors have more responsibility to ensure that governance within any organisation is much more focused. In relation to the CIO role, the nature of certain companies means that the information and communication side is critical to the success or otherwise of that company.
So there will be a need for directors to insist on a much stronger governance structure in relation to ICT. If the directors have failed to properly address a key part of the delivery of success of that business, then they can expose themselves to liability and to a claim if the company ultimately goes under.
It does seem to me that there is a requirement to test what is the role between a CIO and the board in terms of what in formation has to be going up to board-level, so they can make informed decisions and ensure that proper processes are run and decision-making is appropriate. Acquisition of technology must be done on a proper basis so they can't subsequently be open to criticism if things don't work.
Marcel van den Assum: One of the challenges we face is that at a senior level there is not necessarily a level of understanding of IS implications in terms of business transformation. You certainly read in the media that there's a dearth of IS-literate directors.
It's partly an educational thing, which is the hard yards you have to put in, but I think the other factor that's a major plus from an IS perspective is, when you boil it all down, these are not IS projects. IS is almost a potentially distracting factor. You start talking about the technology and the technology challenges when ultimately it is a business issue.
Pigeonholing IT
Steve Johansen, Port of Napier: I'll be glad when we finally lose the stereotype from the 90s, like "It's IT, let's get the binoculars out, we must look at them, we must have a steering committee."
When are we going to have a steering committee for HR or engineering? You know, you don't see that in the disciplines that are established. One of the funniest things that I find, is that when I introduce myself, usually I don't say what I do. I just say "I'm a senior executive at the Port of Napier."
I don't mention IT until people get to know me a bit more because otherwise they immediately say, "Oh yeah, he's a geek, sits in front of a computer." They start talking to me about Windows at home.
Marcel van den Assum: Yeah, the neighbours ring you to come over to fix their PC. This guy runs IS at Fonterra. So, you know, I can't get this bloody printer to work on my PC. I wouldn't know what the hell to do.
Relationships with the board
Warwick Wright, State Services Commission and formerly NZ Racing Board: Although we're a reasonably large organisation in terms of our geographical spread and number of people that work or contract or supply staff on our behalf, the actual permanent full-time staff is only 200¿people, and most of those sit in the one office in Petone.
So in terms of getting around a table with the senior management team, and I do report to the chief executive, and I do from time to time talk with the board, the communication is a lot easier than a large organisation with distributed divisions and functions.
Cathy Budd, Public Trust: We have several methods of reporting through to the board. One is risks, which go through every quarter. So if there's anything that they really need to know they can get a handle on it straight away, and the other one is that projects go up on a monthly basis so they get status reports on capital expenditure projects that they've approved. We also provide the board, once or twice a year, an actual status and where we're heading in IT.
Steve Johansen: We threw the IT plan out of the window five years ago. When Garth Cowie joined us about six years ago as CEO, he said to me, "I see that you've got a post-graduate qualification in strategic planning. I need somebody to facilitate the business plan." So what I wound up doing for the next five years, was actually being right in the heart of that process.
I looked at the methodology we had been using, designed one that actually incorporated IT directly into the business plan, which amazingly enough the first year got past the audit. As part of those five years, you're dealing with all the other senior executives. They all get to report to the board just like I do. But the main thing for me has been getting that alignment right at the start.
Ken Spagnolo, Archives NZ: We have no projects - whether they're business projects or mainly IT projects - that don't have an executive sponsor. That makes all the difference in the world.
Tony Lester: We've just confirmed a rule that says there are five members that report direct to our chief executive and are the only ones that can sponsor projects - the general manager customer services; general manager business support (which is finance); our general manager regulatory, who looks after the audit compliance roles; general manager policy; and the CIO. So there's just that five of us, which covers the whole business range.
Martin Dalgleish: You need to be aware or be conscious that there are times when you do need to reflect something all the way through a reporting process.
Every so often, circumstances arise where it's prudent for the CIO to record certain things. It's making sure that it is built in as part of the process... When things go wrong in a company, it's never very helpful to say that I met with someone and I told them this, that and the other.
To have a report or something which actually records that can be very important in being able to demonstrate something years later, if there is a major issue or some form of litigation.
Warwick Wright: I've found personally that keeping working notes and reasonable filing records have been very helpful.
There have been a number of times when I've thought, "How the hell did I come up with that number in the budget?" And I've gone back to my working papers and then went, "Ah, that's what I added in, when we made this assumption we took that out." Without that, you're saying, "I'm sure there's a good reason why I did that but it's not obvious to me now."
I actually got involved in an audit office enquiry where there were implications that a purchase of software had been made for improper reasons. I had all the history of the board recommendations and people started having a different view.
But it was clear evidence that we made a recommendation to the board on what to buy, well before the chief executive - who was accused of bringing this product in - was appointed. There was a clear trail there. So it is important to keep stuff.
Different focuses
Marcel van den Assum: Governance-type exposures feature in the executive assessment of where we need to focus our efforts. It's clear to our business in terms of priority - issues of compliance and quality and control centre on the integrity of the value chain. Cow to consumer.
So for us, it's more important to ensure that we've got traceability through that value chain than it is to deal with the specifics that Enron or some of the other examples might have delivered... As a result of that prioritisation, there is no resulting issue with the investment necessary to make the appropriate changes.
When you look at some of the changes that typically are made to the way the business functions, your pure IS investment is a very small percentage of organisational transformation, and that's why it's baked into the business plan, the business strategy, why the business leaders represent the performance of projects to the board.
There is a letting go in that because in a way I've been successful by not being in the limelight. The guys running the business are the ones talking about the change and the investment and the benefits realisation. So it's somewhat paradoxical. The more successful you are, the less visible you are.
Risk awareness
Rohan Mendis: All our governance - project governance and everything - is based on the 'no surprises' principle. No surprises does not mean stagnation. In our project reporting environment, we have a system called traffic light which is green, yellow and red and that report goes to executives every month. Green means it's going okay.
Yellow means alert - alert in the sense of not only in IT but the political, the business change management and other alerts. Red means we're in trouble. So if a project goes to orange or yellow, the project sponsor, the business manager, the executives, immediately begin a real assessment of the project... The project management culture has changed. It is better to tell in advance before it becomes dark red. It is very positive. If the project is getting into that attention stage it is better to tell the executives at once and get whatever the required support.
Marcel van den Assum: It's not being risk averse, but being very clear about the prioritisation, what's driving this, what's the propensity for our organisation to take risk, what's the potential exposure, what's the upside, who's accountable? If we continue to focus on failures, then basically organisations and individuals are going to be reluctant to make a difference.
Ross Hughson: We actually have a general manager risk, he's now responsible for compliance as well. It's a specific role of our executive responsible for risk management, and the term we're using is risk mastery which is interesting. That's the latest buzzword. It's being prepared to take a risk sometimes, but a calculated risk.
Ken Spagnolo: I think these days if you work in an organisation where you can't raise a problem before it becomes a big problem, I'd be looking for a new job. Cathy Budd: There are still a number of organisations like that. They don't want to know the problems. "Just fix it, don't tell me."
It's interesting, particularly if you've already spent a significant amount of money on the project and you turn around and say, "No, this is just not going to go anywhere." [In a previous organisation], We spent probably $800,000 of which $500,000 was actually sunk - but it was a $5 million to $6million project in total, and they would still be trying to implement it now if we hadn't pulled the plug.
Critical reviews
Tony Lester: Post-implementation reviews are an integral part of our methodology, our project management framework, and from that perspective it's actually quite interesting to see the lessons that we've learned. Some of the work that we're just putting the finishing touches to now around our project governance, is as a direct result of some of the lessons that we've picked up from at a post implementation review.
Rohan Mendis: One of the criteria to measure the success of a project is to monitor the uptake of the project deliverables. Depending on the type of project, we have different benchmarks, different matrices to determine its success. The critical one is, don't change the scope. If you are changing the scope it means you haven't done the initial scope of the project properly. Usually we cancel the project at that point and then we re-list the project for future consideration.
Compliance costs
Warwick Wright: There are two costs to compliance. One is the cost which you might have to spend on part of your software and processes, but the other one, and probably the less visible one, is the people cost.
For example, every six months, I and all my direct reports [at the NZRB] have to sign off and we, in turn, sign off to the CEO who signs off to the board that we've complied with about 105 Acts that affect our business. We do have compliance champions designated for the different Acts. But it's a huge overhead.
I could get into trouble if it was found out that I was in breach or one of my people was in breach of something and I signed off and I didn't really make the enquiries or didn't understand what it is that they shouldn't have been doing. There's a lot of time spent on that - it's just pure administrative overhead. So to me, the more significant cost of compliance is the management time.
Ross Hughson: Sarbanes-Oxley and Basel¿II are very big programs that work for us in terms of compliance and legislation - basically it gets to the prioritisation and it's a must do. There's just no discussion. It needs money. So that has clearly got a portion of the budget that is spent on projects that wasn't there three years ago.
My assessment is probably 30 per cent of our projects are on compliance in terms of Sarbanes-Oxley, BaselII, the Credit Contracts and Consumer Finance Act, the International Financial Reporting Standards.
An evolving model
Marcel van den Assum: Utility-type concepts around infrastructure are going to evolve. It's really important that we're able to have a clear definition of infrastructure procurement which is going to be driven by benchmarking on a cost-per- transaction-type basis, and cost-per-storage-unit or whatever it might be, versus investment that's driven by benefits realisation in terms of business process and how business processes change.
Bandwidth components, storage com-ponents, server components, desktop components - they're all commodities.
But unfortunately the commodities haven't been brought together into a utility solution, so many people still have procurement folk on their teams buying commodity components and then amalgamating them into some sort of infrastructure capability within the organisation. That really does need to be acquired from a global amalgamator so that the asset realisation is going to go from 20 per cent to 80 per cent. Think of the money that would free up.
Tony Lester: It's really interesting to see how the world is moving down that track to whereby all of us at the end of the day may not end up actually having to buy anything as a piece of hardware or a piece of software... Our vendors do have a lot to learn about that yet.
I think there are a number of vendors in the community who still need to really understand where their clients are going and how they best deliver that service for us.
In the panel:
Marcel van den Assum, former chief information officer, Fonterra
Cathy Budd, IS manager, Public Trust
Martin Dalgleish, corporate and commercial partner, Kensington Swan
Ross Hughson, chief information officer, Inland Revenue Department and former Westpac chief information officer
Steve Johansen, chief information officer, Port of Napier
Rohan Mendis, national manager enterprise infrastructure, NZ Police
Warwick Wright, chief information officer, State Services Commission and former general manager technical services, New Zealand Racing Board
Tony Lester, chief information officer, Land Information NZ
Ken Spagnolo, chief information officer, Archives NZ
EMC kindly sponsored this roundtable on corporate governance.
The next MIS roundtable discussion with CIOs will be on mergers and acquisitions.
Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.