Technology responsibility: Get it right

COMMENTARY: Senior managers, c-level executives, directors, and boards, in fact all of industry's masters and commanders who don't have the acumen to optimise their technology deployments as strategic levers, are neglecting their responsibilities to their shareholders, stakeholders, partners and staff.

There it is. There is no denying it. Forget the excuses. Irrespective of their age, training, background, or inclination, there are management teams treating technology as an operational black hole, from which only techno magicians can divine real power. These execs are like sea captains sailing between narrow miss and calamity, great at navigation but ignorant of the intricate workings of their vessel's engines, pumps and life boats.

Edge Zarrella is the global partner in charge of information risk management at professional services provider KPMG. His business is going through the roof, enjoying 30 percent growth and increased profitability of about 400 percent. He has about 2500 customers around the world, and is often called as an expert witness when technology responsibility gets litigious.

Edge is Australian. When in town, he is based in Sydney. He regularly tours the world's executive suites advising executives, who should know better, how to get out of IT messes. He is passionate about creating corporate cultures which capitalise on IT.

“There are some companies in Australia which have done it (corporate governance) very, very well. But then if you take IT risk mitigation and governance as a subset of that, KPMG has done enough surveys throughout the world to suggest that Australia is, at best, average or, at worst, well below average,” he says. “A lot of corporations still have projects going off the rails, many have not adequately implemented best practices, and many still just give harnessing IT a lot of lip service.”

Zarrella concurs that technology responsibility must be viewed holistically, if a business is going to realise its full potential. He says it's a dynamic process of which business excellence is core and supporting activities cover everything from governance through to risk mitigation to financial probity to compliance and best practices.

“Governance is very broad. It must cover strategic and operational aspects of the business. Its financial, its information, its compliance and reporting, its security. Its everything. A lot of people when they are talking governance, just talk financial, it isn't just financial. Its everything,” he says.

Measuring IT governance

While Australia would probably rate in the top five countries for corporate governance, Zarrella admits to being a harsh critic when measuring the nation's IT governance.

“I would put it about eight or even nine out of 10, with 10 being the bottom of the scale. I expect many people would disagree with me, but I don't think we are up there where we should be. My view is that we have done a lot of things (to improve matters) since IT has come in, but too many executives don't understand IT,” he says with some incredulity.

“I have met with too many boards, and too many executives, who have described their IT as a black hole. It worries me when executives are describing such an important part of their business as a black hole.”

“It suggests, and confirms the notion, that many senior executives are simply uneducated about IT, but I am a harsh critic.”

Zarrella dismisses the executive defence that their training or skillset hasn't included optimisation of technology as a paltry excuse.

“Every strategist in every environment must realise that things come into play in the main game, which absolutely demands appropriate attention,” he says. “Whatever you learned in your university days, or your school days, is irrelevant. IT is here to stay and has a major impact. You must know about it. The Wall St Journal has suggested that 47 percent of capital expenditure is spent on IT. Now, if you are spending that amount of money on IT, you cannot tell me that you don't know IT. To do so is irresponsible.

"You might be a 60 year old executive, or for that matter a 40 year old executive, but you must understand IT if you are going to maximise the advantages it delivers,” he says, underscoring the fact that challenges remain in achieving a suitable level of technology responsibility if senior executives simply delegate the role to a CIO.

“The issue with leaving that huge responsibility just with the CIO -- which (KPMG's recently released) governance survey revealed, and that covered off 200 of the world's largest organisations -- is that many of them struggle to communicate to their c-level colleagues about the real business issues of IT. I know a lot of boards can talk about marketing and sales and operational matters, with which they are comfortable, but when it gets to IT there are still many, many executives whose eyes glaze over. They will leave it to the tech heads to take over.

“In our firm, we see businesses struggling with effective IT management. We have many who are absolutely superb at it, but there are some who struggle. We don't have many individuals in corporate Australia, or indeed anywhere in the world, who have an equal understanding of the business and IT.
There are a lot of good people who understand marketing and business, sales and business, mergers and acquisitions and business, but not IT and business,” Zarrella says.

Kumar Parakala is NSW Chairman of the Australian Computer Society. During the last 15 years, he has worked in senior management roles in healthcare, professional services, manufacturing and the public sector. In a former role, he was director of Online Systems Program with KPMG Australia, and was responsible for an initiative of the firm to radically improve operational efficiencies and client management processes. He worked closely with CEO, CFO and National Managing Partners of the firm in this role. He has Masters degrees in Business Administration, Information Systems and Science.

Coupling his ACS role with a senior program management mission at Sydney University, which has responsibility for a range of strategic online service delivery objectives, Parakala is also passionate about ensuring technology responsibility has prominence on the executive agenda.

“ICT risk management continues to be an area of critical importance to executives of both private and public sector organisations. ICT is the single largest cost after labour for many companies, accounting for 47 percent of business capital spending (Wall Street Journal),” he says.

“Risk management enjoys greater recognition and focus in the ICT industry than in most other sectors, with mature methodologies and processes around this discipline. Despite this, the rate of failure in ICT projects and services continues to be unacceptably high, ensuring this focus will continue.”

Parakala and Zarrella are pragmatic about executives integrating business and technology. Both concur that the lip service must end and that executives are going to face increasing pressures, from regulators and stakeholders, to lift their game.

“In the next two to three years, organisations will continue to spend more and more on ICT. This will result in boards and the CEOs coming under increased pressure and scrutiny by shareholders for a return on investment contributing to the bottom line. Regulatory bodies and legislation will require both public and private sector companies to implement appropriate internal risk management controls and provide responsible reporting to shareholders,” Parakala says.

“Many large organisations have over the years developed complex project and ICT management methodologies that support their massive ICT spending. However, these high cost processes and methodologies do not completely fulfil the objectives of effective ICT governance and risk management.

Effective ICT risk management

Parakala says that as the ICT industry recovers from its downturn of the last three years, and ICT spending increases, the need for effective ICT risk management is higher than ever before. Many organisations are still struggling to mitigate their strategic risks, even though they have optimal processes to reduce operational risks.

Some of these major strategic risks emerge from:
1. Lack of CEO and senior management commitment and participation in ICT investment decisions;
2. Limited Boardroom visibility of major ICT projects and activities;
3. CIO and ICT managers failing to align ICT with business;
4. Increased level of offshore outsourcing;
5. Lack of integration between ICT and corporate governance structures; and
6. Increased complexity due to new and emerging technologies

“Effective risk mitigation requires the CEO to take a proactive role in recognising ICT as an important business enabler and integrating the ICT functions into the value-chain to support the core business of the organisation,” Parakala says.

Zarella agrees that increased regulatory pressure makes it necessary for senior managers to “get responsible” to ensure their technology platforms are effectively managed, monitored and championed.

He suggests managers and boards must have a clear picture, plan and roadmap of what their technology platforms are delivering and that must concord with their corporate objectives.
He maintains that business leaders must recognise that technology is a strategic lever, and when given that priority, there is abundant evidence to suggest significant advantages can be realised.

“A lot of businesses will run technology that is outdated, and their executives will talk [with pride] about how much money they have saved through the use of old and possibly challenged technology. Yet these are the very same executives who are surprised to learn how uncompetitive their business has become. IT has to be used as a strategic lever to give you competitive advantage.

“Businesses which recognise that are generally better at mitigating IT risk. Those that don't usually miss the IT risk. We do a lot of due diligence on companies and we hear comments about companies that have controlled their IT expenditure. Then you look at the balance sheet at fixed assets and you see that [sometimes] what has happened is that these companies are right on the knife's edge, running their IT far beyond the use by date. So yes they have controlled costs, but at any moment could be in real strife because of major systems failing,” Zarrella says.

“Just because you have a very low cost IT expenditure on your P&L -- that doesn't mean you are being strategic, that could mean that you are running things into the ground.”

Zarella says a natural human instinct is to make something easier, or more comfortable. Unfortunately this can lead to a “set and forget” mentality occurring throughout a corporate culture -- unless the organisation's management is geared to counter such complacency.

“Unfortunately, technology is often bought, installed and forgotten and it's run on a set and forget and basis. It is true. Everyone is very busy and challenged with finding reasonable time and resources to ensure that everything is running the way it should, but it has to happen, it's imperative,” he says, acknowledging that in many companies mitigating risk is often a reactive rather than proactive function.

Given the corporate imperatives of beating the competition, striving for excellence, and best practices, Zarrella cites anecdotal evidence suggesting that some management teams may be proactively contributing to a projects failure.

“Organisations don't manage project risk very well. An IT project usually encompasses key business areas -- yet so often the wrong people are put in charge, with inadequate reporting lines to management. I know of situations where the people running such projects have been put there not because they are the best people for the job, but because they are disliked and put there with a hope that they will fail.

“When there is a big project going on [often] everyone knows it's chances of success or failure. If there is any indication that the project is going to fail [sometimes] people are going to be inclined to put their worst people on it,” Zarella says, adding that successful projects have very different profiles.

“The ones that succeed have every relevant executive there -- CEO, CFO, COO -- it makes an enormous difference. The big guys are involved and they don't walk away.”

Zarrella says shareholders and stakeholders would be surprised with how many boards would not know what projects they are running.

“I know of organisations which are literally running hundreds of projects. I know of a situation in which I was talking to eight executives reporting to one MD. They were very stressed out, working early, working late, overworked, the whole bit.

“We did a quick project audit or stocktake. I spent an hour with them working a whiteboard. They started with 52 projects which they called mission critical. They had a team of 10 guys doing a project that no one actually wanted. After the hour, I left them to continue the process, and within a week they had got the amount down to just 12 mission critical projects. They are now much less stressed and much more valuable to the business,” Zarrella says.

“I was astonished that a company board didn't have an accurate list detailing the status of all its projects. It had no idea. How can you run a board when you have no idea of all the projects you are running?”

To dispense their technology responsibilities effectively, Zarella says boards must have the following:
* A clear strategic intent of IT
* Be aware of IT risks and be prepared to mitigate them
* Conduct regular IT reviews at board level
* Map, manage, audit all project management activity

“There is a common expectation that your IT executive can do every project and do every project well. Often this is not a reasonable expectation, and the associated risk must be mitigated with better prioritisation of activities and resources,” he says.

“We expect so many functions to be handled by our IT execs -- but the reality is that by the time they handle security, compliance, application deployment, risk mitigation, administration, maintenance, they don't have much time for strategic matters. They can't deliver,” he says.