“What ISO 38500 allows us to do is to use IT as a corporate tool and ensure that directors have the right guidance on how to govern IT,” says co-chair of the working group Myles Ward. “This is a breakthrough standard, because it lays the foundations for IT moving forward, in terms of use as an enterprise tool.”
Ward, who is the group manager of IT operations and services at Inland Revenue Department (IRD), says the standard — only 12 pages long — establishes “a common language and a common understanding” between the technical IT experts and the businesspeople who decide how IT should be implemented in the organisation.
Ward’s co-chair on the ISO 38500 working party is Alison Holt, founder of governance and strategy company Longitude 174 (see reader response at the end of the article).
ISO 38500 provides guiding principles for directors of organisations and people assisting directors, on the effective, efficient and acceptable use of IT in the organisations. The standard’s framework has six main headings: Responsibility, strategy, acquisition, performance, conformance and human behaviour.
Ward has been occupying various positions in IRD’s IT for the past four years. Prior to that, he was head of business management at Westpac.
In his present position, he is responsible for the smooth running of IRD’s technology in support of its key objectives – gathering $50 billion worth of tax revenue and discharging its social funding objectives. Ward reports directly to the deputy commissioner of information design and systems Tim Occleshaw.
Ward says it is “a humbling experience” to be co-chair of an international working group. “The reason I say that is because you have access and are leading through, some world-class experts in IT governance and that may be in terms of academia or IT professionals.”
The recognition of New Zealand should not be reduced to the cliché of the country “punching above its weight”, he says. Rather, “I think we’re punching at the right weight. I think we’re very much an untapped nation as world leaders in our thinking. The talents we bring to the table are the ability to get things done; to work very collegially with a lot of different nations, roll up our sleeves and get the outcomes. I think the key strength we have is the ability to call on all these experts to be able to contribute in the right way.”
Peter Macaulay, principal of end-user practice at IT analyst IDC, applauds the evolution of ISO 38500 and New Zealand’s role in it. There is a “governance gap” on the IT side of many organisations, he says. With few exceptions such as the ASB bank, Kiwibank and Air New Zealand, local businesses “need to do a much better job” of IT governance. The three biggest areas where there is a need for improvement in enterprise IT are governance, strategy and innovation. “Sorting out the governance gap will fix the other two,” Macaulay says.
As decisions on IT move from technical specialists out into the hands of line-of-business management, so good governance becomes more crucial, he says.
Macaulay believes there is a lack of research here about how well IT governance is working and whether it is improving over industry as a whole. However, Ward thinks local business is starting to “do the right things” or at least “the right questions are being asked.
“It is about ensuring that we get a standard way of doing business. That is the value of the standard, it introduces a consistent way and a consistent application of governing IT.”
Asked how ISO or the working group will persuade businesses to adopt the principles in ISO 3850, Ward says much of the consultation with people at the coalface of businesses goes on early in the process of evolving the standard. When considering what to tackle with the standard and any updates to it, “we would look at different companies within New Zealand and see that there is a buy-in there,” so there would be at least “a representative sample” of organisations aware of the standard and able to help it match their perceived needs, he says.
Though the essential standard is finished and has been handed back to ISO, the working party continues to plan revisions and additions. Because of the lead time involved in developing the standard, compared with the fast advance of technology, the standards working party has to think about three years ahead of the state of the technology, Ward says.
With the right expert input this need not be as difficult as it sounds. “The technologies will be very difficult to predict, but this is about the application and the governance of the technology.”
Current focuses for the first revision of the standard are the cloud, audit and digital forensics (awareness of electronic crime and standards of evidence collection).
“We’re also looking at vendor governance,” he says. As outsourcing grows, an aspect of governance is “being very clear how we integrate vendors within our environment and how we govern them”, particularly when they operate under different laws and regulations.
One of the most widespread problems of IT governance here is that the CIO’s reporting line to the board and top-level managers is too indirect, Macaulay says.
At the IRD, Ward’s position sits alongside managers of enterprise architecture, strategy design and implementation, and IDS strategy and business engagement. “We are the four group managers who report to Tim Occleshaw, who reports through to the Commissioner of Inland Revenue. They are very senior roles within the organisation and very influential in terms of enabling the business and also driving through a lot of opportunity for Inland Revenue,” he says.
Opportunities for innovation at IRD in the service of the public and the government lie foremost with the ‘e-channel’, Ward says — online communication, offering taxpayers a more direct and efficient way of doing business with the department. “Business is being done a little differently now; our citizens want to electronically transact with us and we need to do things differently, moving from paper to the electronic age.”
IT helps “streamline what we do, demonstrate value for money and make sure we can continually deliver what the public wants,” but always within the tight fiscal constraints of the time. “That demands that I have the foresight and thinking to know that I’m evolving our IT shop to be able to support those technologies in the future. To make sure we are evolving ourselves to work directly with the business.”
It’s also important, Ward says, “to be sure that we’re aligning our costs and drivers; that we understand the total cost of ownership and the cost of doing business. I’m not saying that we don’t know that now; [but] it’s becoming more prevalent.”
Part of the “fiscal prudence” and eye on costs that Ward keeps emphasising is a move away from individually tailored systems into commercial off-the-shelf software products where possible.
“You don’t have to develop; you configure. It goes to business rules. So the speed to market and adjusting to change becomes a lot easier.”
In areas like online portals, there is no need for Inland Revenue to develop anything different from any other online business, he says. Likewise, some of the most visible innovations to the individual taxpayer, in the phone interface, are supplied off-the-shelf by IRD’s telecomms provider TelstraClear. “They provide our VoIP and call-centre routing; virtual hold, speech [recognition]; things you’d find in any IT shop.”
There are about 450 in-house staff in Ward’s business unit, but IR depends to a large extent on outsourcing — “TelstraClear for telecomms. HP for our mainframe and Unisys, who support our middle-tier environment. Then software vendors — Oracle, IBM SAP, who provide critical software to enable us to carry out our functions.
“About 50 percent of our budget is outsourcing,” he says; “it is a significant part of how we do business.”
In common with many other New Zealand businesses, virtualisation is an increasing element of the IT environment at Inland Revenue.
While the ISO working party considers governance of the cloud, is Inland Revenue moving in that direction?
The cloud is now part of everyone’s digital life, Ward believes, if it’s only a question of downloading an application onto a mobile phone. “Within the public sector there’s a roadmap to get to a cloud computing environment. It’s important [as a preparatory step] that you consolidate, rationalise and virtualise. It’s not a matter of jumping into the cloud; it’s making sure you’re evolving your base infrastructure to be able to adapt to a cloud environment. “There are certain fundamental steps that you’d look [to] to move an organisation into a cloud environment. There are also various laws and regulations that we need to abide by — the Public Finance; the Privacy Act. There are purchasing guidelines about what we can do offshore and onshore. So there are [constraints] we must operate in order to even consider moving into that cloud. Within private industry it’s definitely there now. In terms of government it’s an area we need to be clear about if we wish to evolve to it.
“The Department of Internal Affairs has good plans around the best way to evolve our technologies through cross-government platforms; but cloud computing offers some very exciting opportunities; it’s very, very important that we manage those opportunities,” he says.
A reader, Basil Wood, principal consultant, director, BAZ IT Limited, responds:
While it is great to see ISO/IEC 38500 getting press, and acknowledging the involvement of Alison Holt and Myles Ward, I am concerned that NZ’s role in the past and future development of the standard is misstating key facts. These facts are important to get right, because the standard’s credentials help to engage the very people that stand to gain the most from the use of it: boards of directors and C-level executives, and ensure that credit is given where it is rightly due.
ISO/IEC 38500 is a largely unchanged adaption of the Australian standard AS8015, which was conceived in 2002 with the support of the Australian Institute of directors, and launched in Australia in January 2005. An ISO/IEC joint technical committee invited Australia to submit AS8015 for processing via fast-track procedures to an ISO/IEC standard. This was indeed facilitated by a working group which, at the time, included Alison Holt as convenor and Myles Ward as a NZ representative. The project editor and technical author of the standard was Mark Toomey, an Australian who was involved in the development of AS8015 from its inception, representing the Australian Institute of Directors.
The article’s leading statement, “Two New Zealanders head the International Standards Organisation's working group for IT governance standards” is incorrect: The ISO/IEC joint technical committee formally reassigned ISO 38500 and all related work on governance of IT to a new working group, known as JTC1 WG6. This group met for the first time in London in May 2009, with three Australians heading up its efforts - John Graham as convenor, Max Shanahan and Mark Toomey. JTC1 WG6 is the body working on its next revision is developing additional standards to support the governance cycle, such as ISO 38502, which sets out the distinction and relationship between governance and management. NZ has full entitlement to send delegates to WG6 but none have attended thus far.
The statement “The foundation standard, ISO/IEC 38500, is now published, but work continues in enhancing it to cope with IT developments such as cloud computing and the increasing use of outsourcing” gives the impression that enhancements to the standard are necessary to cope with new developments in IT. This is not the case for two reasons. Firstly, the standard is agnostic about technologies and tactics. ISO/IEC 38500 is a jargon free, overarching standard for directing and controlling current and future use of the IT investment. It is intended to help business leaders at a governance level, irrespective of the technology or approach used.
Secondly, Standards NZ have stated they are scoping a NZ cloud computing standard. Alison Holt spoke about this at a workshop held in Wellington in July 2010. At the same workshop Myles Ward discussed the development of standards for governing outsourcing. It was understood that these proposed standards for governance will be based on ISO/IEC 38500 (in much the same way that AS/NZS 8016 is based on ISO/IEC 38500 but specifically addresses the governance of projects involving IT investments).
Mark Toomey is the authoritative source on the development and application of the standard and he would only be too pleased to talk to you about it. I also highly commend his monthly newsletter, http://www.infonomics.com.au/Newsletter.htm, and his books. These are valuable sources of guidance for business and IT leaders and have a large world following.
Mark travels and writes extensively promoting ISO/IEC 38500 and has gained large following amongst directors and CIOs. I am privileged to work with him to help promote the standard in NZ, getting him here on two occasions last year for speaking engagements to various groups, including the Otago/Southland branch of the Institute of Directors in conjunction with the University Otago School of Business, and the Standards NZ workshop noted above. Mark also provided training for my clients, the leading CIOs in the Waikato. All in all 150 people in NZ learnt from Mark and we hope to build on that success this year. Sent via email
To comment on this article, please email the editor.
Follow CIO on
Twitter @cio_nz
Sign up to receive CIO newsletters.
Click here to subscribe to CIO.
Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.