As legislation such as Canada’s Bill C-198 and the United States’ Sarbanes-Oxley cracked down on corporate accountability, executive suites and boardrooms have been buzzing with talk of compliance and governance. Faced with being held personally accountable for their companies’ misstatements, top executives are looking more closely at the systems behind the numbers they must now guarantee personally. Since information technology plays a key role in those sytems, the current fascination with compliance might be expected to bring old issues of IT governance to the fore again. On the surface, it looks as if that’s happening, but it’s not that simple.
IT governance is indeed in the spotlight, but legislation is only part of the reason. IT’s increasingly central role in most businesses, its maturity and a shift from a technology to a business focus are at the root of the shift.
Despite continued concerns about IT’s visibility at the top executive and board levels and its alignment with business goals, the CIOs we talked to believe they have top bosses’ attention and are in tune with corporate strategies.
Mary Jane Slavin, vice-president of company and consumer information management at Johnson & Johnson Inc., a health and beauty products company with Canadian headquarters in Montreal, says the legislation has led IT to tighten up its processes a little and created more formal links to top management. That is all good. But rather than playing “the compliance heavy,” Slavin sees her role as maximizing technology’s contribution to the business.
She recounts her delight at being asked by senior management to tell them what needed to change in order to maximize the company’s use of IT. “IT folks are really the glue in the middle of the organization,” Slavin says – and top executives are getting it.
“I’ve been on the boards of two Johnson & Johnson companies for five years,” Slavin says, “and I don’t believe I’ve had an alignment issue.”
“It’s no longer acceptable to have unpredictable outcomes from IT investments,” says Akhil Bhandari, vice-president of IT and chief information officer at CCL Industries Inc., a Toronto packaging company. When IT was young, Bhandari says, “IT folks got away with a little more than engineers would otherwise.”
As it matures and becomes more important to the business, that’s changing. “I think it’s happening more and more that people are putting some sort of specific framework (in place) in regards to IT investment.”
Formal frameworks used to impose discipline on IT include the Control Objectives for IT and related Technology (CobiT), the Information Technology Infrastructure Library (ITIL), the International Organization for Standardization’s ISO 17799 security framework and others.
Sarbanes-Oxley requires companies to use publicly available frameworks to vet their systems, explains Will O’Brien, a partner in The Manta Group, a Toronto consulting firm with a focus on CobiT. So it has been a catalyst for adoption of CobiT and other frameworks. But it only hastened what had to happen anyway. “IT is such an immature piece of the business,” he says. “Many of the processes aren’t documented. They’re sitting in somebody’s head.”
Troy DuMoulin is an executive consultant at the Canadian office of Pink Elephant Inc., a Zoetermeer, Netherlands-based company that offers consulting and education on ITIL. He agrees there has been a surge of interest in frameworks like ITIL recently, and legislation has played a role, but he maintains the real causes go deeper.
“Until recently,” says DuMoulin, “IT has been largely managed by domain.” There were servers, databases, networks, applications – and people with technical expertise in each area managed that field. Little attention was paid to how they fit together. But now, after “20 years of management by technology,” DuMoulin maintains, IT is moving to service-line management. IT people have to think in terms of the business processes they support, rather than technology components. That forces a fresh look at how IT operates.
“CIOs are becoming more like general managers and not just IT managers,” says Brian Chan, chief information officer at Morneau Sobeco Group LP, a Toronto-based firm that provides human resources services. While technology is still important, understanding the business plays a growing role.
If new laws are not the root cause of growing interest in IT governance, the legislation benefits IT managers who want to improve their operations’ professionalism, Chan says. “Before, every time you talked about governance, (it was seen as) more cost.” Now more auditing is required by law, and because IT systems underlie processes that produce numbers for which chief executives and chief financial officers can be held personally responsible, they are more interested in making those systems foolproof.
“IT matters today more than ever before,” comments Bob Adams, vice-president of Calgary-based outsourcing company RIS.
“All the CIOs I know do have a seat at the table,” says Bhandari, though he admits that “not every organization has the same need for IT to play a strategic role.”
But has the IT organization reached the level of professionalism where it needs to be? Probably not. Paul Swinwood, president of the Software Human Resources Council, notes that four out of five IT projects don’t achieve their goals, and about the same proportion of IT workers lack formal education in the field. Swinwood believes we need better ways of measuring and recognizing IT skills.
Today, he says, IT organizations use tool sets to select employees. Advertisements ask for five years’ experience with Java, or three years of XML. “They’re not asking for the other leg of the stool: the attitude, the professionalism, the domain knowledge.” So, people with technical knowledge are hired for positions where abilities like project management and communication are more important – and highly competent people are passed over because of a lack of specific technical knowledge they could acquire very quickly.
“You want a plumber who is competent, not one who knows how to use number 20 soldering paste,” Swinwood says.
To change this, the SHRC wants to develop a “ladder of recognition” for IT capabilities. This will require an assessment structure, Swinwood says, and will take three or four years to implement. He says the council has determined the broad outlines of the plan and is working to build support.
Certification is nothing new in Canadian IT. CIPS has touted its Information Systems Professional (I.S.P.) designation since 1989 – but only about 1,500 people are entitled to place the three letters after their names today. For job-seekers, the designation is helpful, but not essential. “Certification itself is a good thing,” says Chan, “but does not guarantee success.”
Slavin expresses some skepticism about certification. “Information management people are business people who just happen to be good at technology,” she argues. “I’m not convinced that accreditation as a professional IT person is a good idea. I worry a bit that that drives a wedge between us and the people we work with.”
And yet, while designations like the I.S.P. and best-practices frameworks such as ITIL and CoBIT may gain acceptance, they can never tell the whole story about IT professionalism. Some of what makes IT work cannot be prescribed in certifications and best practices, and cannot be measured. “How do you certify somebody as a creative CIO?” asks Bhandari. “It’s almost an oxymoron.”