David Norfolk, Practice Lead on Governance issues, took part in a recent Bloor-led governance workshop for CIOs which discussed the place of governance in the emerging business automation landscape.
I took part in a governance workshop recently, put on by Bloor's partners the Winmark CIO Network, in which a group of governance experts and IT practitioners discussed the place of governance in the emerging business automation landscape. My introduction was around the need for "just enough" governance, built into the development process from the start; and was followed by a presentation on the changing role of the CIO.
The context of my presentation was that development is about building automated business outcomes rather than just code; while governance is about doing this with managed risk, no waste and no surprises; compliance with regs is just a small part of it.
The key is "just enough governance" - it's there to enable business, so it must have a usefulness metric. It's important that governance is seen as useful, not a silo inhabited by "the people who say NO". It needs to work alongside the emerging trends of FREEDOM and TRUST - using ACTIONABLE INSIGHTS (from Big Data and the IoT).
I proposed that you should start with the big picture, with what you want to achieve, based on the accepted governance baseline in your sector. You need to see governance as a business enabler rather than a business cost - and gain the positive buy-in of all those affected. Be very aware that IT has raised reinventing the wheel to an art-form - a variation of the "not invented here" syndrome - although much governance is common to an industry sector and is already documented as "good practice". You should question and validate this but use it wherever possible as it is easier to explain what you are doing (to all stakeholders) in context of industry good practice. You need a governance process framework, so that if you do have issues, you are able to say something like "thanks for bringing this to our attention; we are monitoring the issue and will address it in the near future on a continual improvement basis" - and be able to demonstrate that you have.
It is important that good governance is embedded in the organisation; both top down (with good corporate governance and ethics, supported at Board level); and bottom up (people obey rules they helped to formulate). All stakeholders must be involved and you should build in good governance early, as a business requirement, rather than trying to bolt it on to a design which ignores governance issues.
I looked at a big data use case: just collecting data in case it is useful for decision support one day. However, even if data storage is almost free, there is a cost of managing data (if it is ever going to be used) and risks associated with just having data. If you are ever subject to litigation masses of data can be a lawyer's goldmine; and if someone discovers that it contains personal data, they can cause you a lot of expensive trouble. Basically, just collecting data may give you unpleasant surprises - and the aim of "just enough governance" includes "no surprises". So, it's worth thinking about what sort of governance issues we have in this use case and what might be cost-effective to address: there's a possible threat of business sabotage or litigation; there's a waste issue (how likely is the business return from this stuff); there may be education issues (people just not aware that the UK data protection regs. apply to collecting personal information, even if you never actually use it); silo issues (key stakeholders left out of the loop); poor planning processes driven by technology fashion (instead of business return).
At the end, I suggested that good governance is a state of mind; and that people issues are at least as important as technology. However, "just enough governance" should deliver higher morale, less stress and facilitate a more adventurous business. Of course, even if you are demonstrably in control and aware of, and following the spirit of the regs, you are not necessarily in a safe place - it's a risk management thing - but you'll be better off than many. It's a question of balancing TRUST and FREEDOM through ACTIONABLE INSIGHT
My fellow presenter, Andrew Marks (ex-CIO at Tullow Oil) then gave us an alternative CIO view, with a plea for us all to "think different" - possibly even, to do things differently - when we returned to the office. The challenge is to accommodate 3 different viewpoints:
- The Customer viewpoint - we want to engage with those we buy from and we want to gain value through what we buy
- The Board viewpoint - we must drive value through all that we do; we must be competitive; and do this with appropriate risk
- The CIO viewpoint - we know we have to deliver rock-solid IT operations and we know that we can add much more value to the enterprise
The proposal was that new digital, social and mobile computing agendas have redefined the role of the CIO - it is no longer an "evolving" role, it should be considered newly-defined and needs to deliver under the following headings:
- VALUE should underpin all that a CIO does. The CIO should treat every IT expense as a business investment and identify a tangible return, be able to rank opportunities ... and be prepared to say STOP.
- OPERATIONS; everyone expects 'it just to work' ... as should the CIO! The role involves identifying the experts needed to make this happen (they may be in-house or outsourced), identifying the cost/value balance and being aware of the consequences of non-delivery and for whom.
- SOCIAL engagement with both customers and staff, possibly using publicly available social tools (not just expensive "big iron") to drive real action. Nevertheless, part of the role is to agree the necessary boundaries (including addressing information security and privacy issues).
- MOBILE. Everyone expects to be able to do more from wherever they are 'now', which includes being at the workplace. The CIO needs to identify what is reasonable - your most valuable staff will burn out or leave if you expect them to be available and working 24x7x365; which is obvious when stated thusly but is the implication of some, less-well-governed, mobile initiatives. The CIO's role is to assess what is possible and what more could be done to drive value.
- DIGITAL is the test: not just using the words but seeing and creating new opportunities from what is possible with new technology. The CIO should, perhaps, be looking at the gaps between what is being done today and what would be done if the company was starting from scratch. The key is having the right eyes in the team to see emerging potential.
Andrew suggested that the place of the new CIO is at the centre of a partnership - spanning inside and outside the organisation - between board and staff and customer. He thinks that this may be an ideal place for the new CIO to drive and protect value.
Both presentations generated considerable discussion. The need for governance - but just enough governance, not governance as an end in itself - was generally accepted, with the challenges coming largely from people issues and a company's cultural issues (cost-effective governance becomes more difficult the less mature a company is; and a "blame culture" is very disruptive to effective governance). Good governance has to be built in from the first, and involve all stakeholders - perhaps the new role of the CIO is to be the broker in all this.