Is poor governance the issue and if so what must be done to fix the problem?
What is the problem?
Complex IT projects usually have a well-documented business case before any organisation will allocate the significant resources required for such projects. This investment is made in anticipation of IT projects delivering significant returns. The problem begins right here because the business objectives, the business environment and the technology are fixed in time when the business case is approved but in reality they all change during the life of any complex IT project.
Properly governing and effectively managing a complex ICT project demands that changing business objectives, the changing business environment and the changing technology be constantly realigned to produce the optimal result.
Good IT governance is a critical prerequisite for all IT projects; however, good governance is necessary but not sufficient. ALL the stars have to be aligned to even get a chance at success.
The problem is further compounded because the ICT practitioner community seems to confuse good management with governance. This is evident as much of the current governance standard for IT project management and governance is focused on good IT management practices rather than on true governance. Steering Committees and Project Boards are described with governance responsibilities but staffed with managers loaded with management tasks.
The problem therefore seems to be that the governance role of setting the organisation’s appetite for project risk, and of overseeing the alignment of business objectives and the changing business environment with the ever-changing technology, is not the responsibility of properly empowered governance bodies set up by the organisation’s governing board.
Why do so many IT projects fail?
As IT projects become ever more complex, larger and (consequently) take longer to implement, there is a real risk that the business objectives, the business environment and the technology landscape will change. Without the separation of governance and management responsibilities there is likely to be confusion and lack of clarity around risk, project objectives and business objectives. So when things inevitably change, people stay focused on what has been approved rather than what needs to be done to achieve the desired result.
It is not just the lack of proactive, effective risk management that causes projects to fail. More than this, there is not enough effective leadership that brings together good governance and good management to make tough, difficult decisions before millions of dollars of valuable resources are wasted in a failed project.
Why do we need major IT projects?
According to the National CEO survey by the Australian Industry Group conducted in January 2012, “By far and away the most common reason for business investing in new technology is to increase productivity”. Investment in new technology is usually made to enable a business change project that, as the Ai CEO survey identifies, is aimed at improving productivity. Most increases in productivity are attributed to technology, where improved technology has enabled substantial improvements in business process.
Business projects deliver business change and the “design of the organisation” or “enterprise architecture” is as much about the people, practices, customs, rules, policies, reporting structures, geographies and relationships, and is therefore much more of a business issue than a mere technology problem.
In our emerging connected economy, increasing productivity is looming as the major challenge for both governments and business as they try to provide improved standards of living for all, and so, following this logic, IT projects will be at the heart of business change for the next decade. If this is the case, then not only will the board be required to set the risk appetite for the organisation but they will also be required to set the goal for productivity improvement within the risk appetite they have already established.
The importance of simplicity
Simple solutions are elegant but when the complexity of a problem is not understood the resulting simplistic solutions usually fail. Oliver Wendell Holmes, the great American jurist put it more elegantly when he said, “I would not give a fig for simplicity on this side of complexity but I would give my life for simplicity on the other side of complexity.” Einstein was reported as saying, “the solution to this problem has to be as simple as possible but no simpler.”
GlaxoSmithKline took complexity out of their IT organization, and the way that they did projects has been described in the book “Simply Effective” by Ron Ashkenas (Harvard Business Press 2010). One of the methods they used to take out complexity was to ensure that all complex IT projects were carved into smaller projects so that there would be a measurable business return in six months or less. That is, they design projects as building blocks that must get real business results along the way.
The GFC has seen many formerly admired businesses fail and it has become apparent that ever increasing business complexity is not scalable and that resilient businesses are often elegantly simple. McKinseys said in their book Simplicity Wins (Harvard, 1995) – “adding complexity to cope with complexity is a seriously flawed approach.”
Governance versus Management
Governance is basically making sure that the managers do their jobs properly. Successful projects require managers and project teams to do a number of things well. When they don’t, and the governing body fails to detect that they haven’t, that’s a governance failure and the board of the organisation must be held accountable. Of course, if the governance is working, management failure will be detected early and management will be held accountable.
Good governance will require management to develop the skills, behaviour and methods to improve success in delivery of real value through the IT-enabled business change projects so essential to delivering improved productivity.
Good Governance is the Solution
How are good governance structures and governance practices as well as effective management established in order to produce better decisions and mitigation of the risks involved in conducting ICT projects?
Perhaps the most successful topic in management books of the past 30 years has been FFNFM (finance for non-financial managers). The John Cleese and Ronnie Corbett Balance Sheet Barrier training film became a classic. All directors today understand they must be able to understand finance and cannot rely on financial experts or expert financial advice to fulfil their board duties. When technology underpins the very survival of all organisations and is the major enabler to increase productivity, all directors must be fully equipped to have a meaningful conversation about technology and be able to confidently play a role in its governance.
It is well established that all Boards need to set their organisation’s appetite for risk. To survive in this connected and highly competitive global economy, all Boards need to set their organisation’s target for improved productivity within the bounds they have established for risk. An organisation’s established appetite for risk and its goal for increasing productivity will set the framework for managing their application and development of technology solutions to enable business change.
The governance question is ‘How do we know…’; the management response is what has been or what needs to be done. That is, boards govern and managers manage.
How does a board know their data is secure from attack and loss? They need to ask management, ‘How do we know that our data is secure from attack and loss?’ Management’s answer to this question should include substantive evidence of backup systems, disaster recovery systems and security systems. These systems will include people, processes and infrastructure, all of which need to operate in concert, requiring the right culture to be developed, training, and oversight.
If the governing body cannot get satisfactory answers then management need to be directed to take action.
The Cadbury definition of Corporate Governance is how an organisation is directed and controlled; the ISO 38500 definition positions governance of IT as how IT is directed and controlled; therefore it follows that IT project governance must also be about how IT projects are directed and controlled. Project failure means the governance system by which projects are directed and controlled has failed.
But what does better governance look like? How do we recognise it when we see it? Good governance ensures that the business puts in place a thorough approach to risk management and mitigation, goal setting and evaluation to report on success and corrective actions when things go wrong. Boards govern and managers manage, but they are two sides of a penny. Responsibility and authority can be delegated but accountability always remains with the Board.
How can real accountability be assured and importantly how should project governance modify plans when required? Is there an ideal structure of governance and management bodies overseeing ICT projects?
The Project Governance Board of complex major IT projects should operate as a Board committee with a formal charter and comprise board members with the experience to conduct the inquiries to determine what they need to know to confirm that complex projects undertaken by the organisation are within the appetite for risk established by the Board and will meet the productivity goals of the organisation.
The Project Governance Board should steer the project whilst the Project Management Committee manages the project. The Board must clearly identify for management the level of risk that is acceptable in the project (risk appetite) and the information that management is expected to provide to monitor the progress and report risks to the Board.
The job of the Project Governance Board is not merely to receive a report on progress from a project manager and record in the minutes that it has been noted; rather, it must ensure that the project is still going to achieve its intended outcome. To do this the Project Governance Board must ask searching questions and be capable of assessing the quality of the answers provided by management. To do this boards need the right people, with the right mix of skill, to understand and perform their duties of directing and controlling projects to ensure that those projects that can succeed are successful, and they need the authority to shut down projects that can no longer deliver the intended outcomes.
To be able to do this it is obvious that such a governance body must be a committee of the Board and be answerable to the Board. Unless the Project Governance Board has a similar authority to the Audit Committee, the role of such a board is management oversight, not governance. The Project Governance Board should be evaluated against its charter, as all board committees should be, by measuring the outcomes achieved by IT projects against the outcomes desired (increases in productivity) that justified the organisation’s investment in the technology.
Sir George Adrian Hayhurst Cadbury was Chairman of Cadbury and Cadbury Schweppes for 24 years. He has been a pioneer in raising the awareness and stimulating the debate on corporate governance and produced the Cadbury Report, a code of best practice, which served as a basis for reform of corporate governance around the world.