Is poor governance the issue and if so what must be done to fix the problem?
What is the problem?
Complex IT projects usually have a well-documented business case before any organisation will allocate the significant resources required for such projects. This investment is made in anticipation of IT projects delivering significant returns. The problem begins right here because the business objectives, the business environment and the technology are fixed in time when the business case is approved but in reality they all change during the life of any complex IT project.
Properly governing and effectively managing a complex ICT project demands that changing business objectives, the changing business environment and the changing technology must be constantly realigned to produce the most optimal result.
Good IT governance is a critical prerequisite for all IT projects, however good governance is necessary but not sufficient. ALL the stars have to be aligned to even get a chance at success.
The problem is further compounded because the ICT practitioner community seems to confuse good management with governance. This is evident as much of the current governance standard for IT project management and governance are focused on good IT management practices rather than being focussed on true governance. Steering Committees and Project Boards are described with governance responsibilities but staffed with managers loaded with management tasks.
The problem therefore seems to be that the governance role of setting the organisation’s appetite for project risk and overseeing the alignment of business objectives, the changing business environment with the ever-changing technology is not the responsibility of properly empowered governance bodies set up by organisation’s governing board.
Why do so many IT projects fail?
As IT projects become ever more complex, larger and (consequently) take longer to implement there is a real risk that the business objectives, the business environment and the technology landscape will change. Without the separation of governance and management responsibilities there is likely to be confusion and lack of clarity around risk, project objectives and business objectives. So when things inevitably change people stay focused on what has been approved rather than what needs to be done to achieve the desired result.
It is not just the lack of proactive, effective risk management that causes projects to fail but more than this there is not enough effective leadership that brings together good governance and good management to make tough, difficult decisions before millions of dollars of valuable resources are wasted in a failed project.
Why do we need major IT projects?
According to the National CEO survey by the Australian Industry Group conducted in January 2012, “By far and away the most common reason for business investing in new technology is to increase productivity”. Investment in new technology is usually made to enable a business change project that as the Ai CEO survey identifies are aimed at improving productivity. Most increases in productivity are attributed to technology where improved technology has enabled substantial improvements in business process.
Business projects deliver business change and the “design of the organisation” or “enterprise architecture” is as much about the people, practices, customs, rules, policies, reporting structures, geographies and relationships, and is therefore much more of a business issue than a mere technology problem.
In our emerging connected economy increasing productivity is looming as the major challenge for both governments and business as they try to provide improved standards of living for all and so following this logic IT projects will be at the heart of business change for the next decade. If this is the case then not only will the board be required to set the risk appetite for the organisation but they will also be required to set the goal for productivity improvement within the risk appetite they have already established.
The importance of simplicity
Simple solutions are elegant but when the complexity of a problem is not understood the resulting simplistic solutions usually fail. Oliver Wendell Holmes, the great American jurist put it more elegantly when he said, “I would not give a fig for simplicity on this side of complexity but I would give my life for simplicity on the other side of complexity.” Einstein was reported as saying, “the solution to this problem has to be as simple as possible but no simpler.”
GlaxoSmithKline took complexity out of their IT organization and the way that they did projects has been described in the book “Simply Effective” by Ron Ashkenas (Harvard Business Press 2010). One of the methods they used to take out complexity was to ensure that all IT complex projects were carved into smaller projects so that there would be a measurable business return in six months or less. That is they design projects as building blocks that must get real business results along the way.
The GFC has seen many formerly admired businesses fail and it has become apparent that ever increasing business complexity is not scalable and that resilient businesses are often elegantly simple. McKinseys said in their book Simplicity Wins (Harvard, 1995) – “adding complexity to cope with complexity is a seriously flawed approach.”
Governance versus Management
Governance is basically making sure that the managers do their jobs properly. Successful projects require managers and project teams to do a number of things well. When they don’t, and the governing body fails to detect that they haven’t, that’s a governance failure and the board of the organisation must be held accountable. Of course, if the governance is working, management failure will be detected early and management will be held accountable.
Good governance will require management to develop the skills; behaviour and methods to improve success in delivery of real value through IT-enabled business change projects so essential to delivering improved productivity.
Good Governance is the Solution
How are good governance structures and governance practices as well as effective management established in order to produce better decisions and mitigation of the risks involved in conducting ICT projects?
Perhaps the most successful topic in management books of the past 30 years has been FFNFM. The John Cleese and Ronnie Corbett Balance Sheet Barrier training film became a classic. All directors today understand they must be able to understand finance and cannot rely on financial experts or expert financial advice to fulfil their board duties. When technology underpins the very survival of all organisations and is the major enabler to increase productivity, all directors must be fully equipped to have a meaningful conversation about technology and be able to confidently play a role in its governance.
It is well established that all Boards need to set their organisation’s appetite for risk. To survive in this connected and highly competitive global economy all Boards need to set their organisation’s target for improved productivity within the bounds they have established for risk. An organisation’s established appetite for risk and it’s goal for increasing productivity will set the framework for managing their application and development of technology solutions to enable business change.
The governance question is ‘How do we know…..’ the management response is what has been or what needs to be done. That is boards govern and managers manage.
How does a board know their data is secure from attack and loss? They need to ask management how do we know that our data is secure from attack and loss? Management’s answer to this question should include substantive evidence of back up systems, disaster recovery systems and security systems. These systems will include people, processes and infrastructure; all of which need to operate in concert, requiring the right culture to be developed, training, and oversight.
If the governing body cannot get satisfactory answers then management need to be directed to take action.
The Cadbury[1] definition of Corporate Governance is how an organisation is directed and controlled, the ISO 38500 definition positions governance of IT as how IT is directed and controlled, therefore it follows that IT project governance must also be about how IT projects are directed and controlled. Project failure means the governance system by which projects are directed and controlled has failed.
But what does better governance look like? How do we recognise it when we see it? Good governance ensures that the business puts in place a thorough approach to risk management and mitigation, goal setting and evaluation to report on success and corrective actions when things go wrong. Boards govern and manages manage but they are two sides of a penny. Responsibility and authority can be delegated but accountably always remains with the Board.
How can real accountability be assured and importantly how should project governance modify plans when required? Is there an ideal structure of governance and management bodies overseeing ICT projects?
The Project Governance Board of complex major IT projects should operate as a Board committee with a formal charter and comprise board members with the experience to conduct the inquiries to determine what they need to know to confirm that complex projects undertaken by the organisation are within the appetite for risk established by the Board and will meet the productivity goals of the organisation.
The Project Governance Board should steer the project whilst the Project Management Committee manages the project. The Board must clearly identify for management the level of risk that is acceptable in the project (risk appetite) and the information that management is expected to provide to monitor the progress and report risks to the Board.
The job of the Project Governance Board is not to merely receive a report on progress from a project manager and record in the minutes it has been noted but rather it must ensure that the project is still going to achieve its intended outcome. To do this the Project Governance Board must ask searching questions and be capable of assessing the quality of the answers provided by management. To do this boards need the right people, with the right mix of skill, to understand and perform their duties of directing and controlling projects to ensure that those projects that can succeed are successful but have the authority to be able to shut down projects that can no longer deliver the intended outcomes.
To be able to do this it is obvious that such a governance body must be a committee of the Board and be answerable to the Board. Unless the Project Governance Board has a similar authority as the Audit Committee the role of such a board is management oversight not governance. The Project governance Board should be evaluated against its charter, as all board committees should be by measuring the outcomes achieved by IT projects against outcomes desired (increases in productivity) that justified the organisation’s investment in the technology.
[1] Sir George Adrian Hayhurst Cadbury Chairman of Cadbury and Cadbury Schweppes for 24 years. He has been a pioneer in raising the awareness and stimulating the debate on corporate governance and produced the Cadbury Report, a code of best practice, which served as a basis for reform of corporate governance around the world.
Tags: AICD, Australian Government, board governance, boards, Company Directors, governance, IT Governance, Project Governance, Project Management, Russell Yardley, strategic planning, strategy
Subscribe
Hi Russell,
Great article, and gives a great overview about the management and failed management in large projects.
Some of the things, which normally go wrong, not only in large projects, are:
• Customer won’t pay for good Project Management!
• When the project is sign and ongoing, then the management of changes in the project often is failing!
• The overview over the changes and the impact of those – are missing! This is all parties (Consultant/project manager/customer/management)
Again great article…
/Brian
Hi Russell,
You have raised some very interesting points about why IT projects fail. I think there are several factors that play here and actually at times governance can infact work against making IT projects succeed. Governance might help to deliver projects on time and budget (rarely) but it sure wont help to get the benefits.
I am happy to discuss with you offline about this as I am working with several people around the globe to develop an IT strategy model that makes it easier to connect boards, executives and IT & business folks to communicate the same language and work on the same model.
Please drop me a line if you want to know more about it.
Regards
Ajith
Very good contribution, Russell.
Getting a governance plan and model in place is important. But I see two common problems. One keeps being talked about and recognised – most of the time post implementation. The other seems evident.
The first problem is Change Management, or rather, insufficient amounts of it. Say Change Management to an IT professional, and they think change requests, change approval processes, and IT project impacts. Say Change Management to HR and they think about organisational change management, structure, roles and culture. This is called Organisaional Development (OD).
The former IT can do something about. The latter they cannot. IT implicitly denigrates OD, generally classifying it as a ‘soft skill’.
10 years ago I recall reading an article in CIO Magazine about the top 10 reasons for ERP project failures. #1 reason with a clear air gap from #2-#10 was insufficient attention to organisational change management.
When projects run into trouble or budget squeeze, organisational change gets more expensive. And yet it’s one of the areas typically squeezed the most, both for time and resources.
The second of the two problems is Benefits Realisation. Russell cites the business case in his first paragraph, and goes on to mention change being the reality of any complex IT project.
You would intuitively think that the purpose of a project in the first place is about attainment of anticipated benefits. Afterall, that’s how the business case gets over the line. But think back to just about all of the projects in which you’ve been involved. How often is the project called ‘streamline financial and procurement processes’ as opposed to ‘the SAP project’ (insert relevant terms).
Change is the constant reality. The starting point and anticipated benefits evolve over time – in exactly the same way as issues and risks. Think about IT solutions as a kind of ‘Swiss Army knife’. It’s not the tool which gives the benefits, it’s the way it’s used to help your processes. Just as it’s impossible to envisage in advance all the situations in which you can use a Swiss Army knife, the same applies to IT solutions.
Therefore I argue you should have a benefits register (in the same way you have issue, risk and change registers), a process (aka governance policy) requiring you to build a realisation plan which covers each of the benefits you plan to realise, and metrics by which benefits will be measured.
(My eyes on benefits realisation were opened several years ago by Melbourne based Jed Simms. Jed is founder of Capability Management, which was nominated by Gartner in 2011 as a ‘Cool Vendor’ for its innovative approach in managing complex IT projects.)
Russell -
You make some excellent points here. You mention complexity as one of the issues, which I definitely agree with. One of your approaches to complexity is to break larger projects down into smaller projects. With this, you are taking a similar approach to complexity as that recommended by David Snowden in the “Cynefin framework”. This framework also provides further insight and tools for dealing with complexity. Would be happy to have a chat with you about this some day.
You can get the basics on Cynefin from the Wikipedia entry at:
http://en.wikipedia.org/wiki/Cynefin
– Keith
Russell,
Good thoughts. I’m not sure if you saying that the “ICT practitioner community seems to confuse good management with governance” in terms of how it applies the ISO 38500 definition, or do mean in ignorance of it? In any case it should provoke a reaction.
As to the root causes of many of the problems I agree with you, that the business needs diverge and the project maintains its own life. And that’s fundamentally because (1) all projects in history, from the pyramids to the Space Shuttle develop their own lives in a certain vector, and (2) we don’t have the right people in the right places asking the right questions. (And one of those questions is to ask how much the project has developed a life of its own!)
This then supports your contention that governance and management are often not separated. I think that people have recognised the issue, from time to time. But if you don’t have the right people to the address the issue it devolves back to “management”.
I’ll stick my neck out and say that the Boards of most listed public companies here are grossly underskilled in the domain of IT governance as you describe it. So yours is a good call to action.
Walter @adamson
Melbourne