13 MOVING FORWARD – OPTIMISING THE IT GOVERNANCE FRAMEWORK

As always, the advice is to start with the optimisation frameworks that are currently being used in your organisation. If you are not currently using any frameworks or if you are using a multitude of different frameworks, you have the opportunity to select a framework that best meets your needs. You are not bound to select one particular framework. Choose your framework carefully and test it out before trying to evangelise your peers and colleagues. If your chosen framework involves some form of certification or accreditation, check out that the badge you are seeking is worth getting and means something to your industry sector.

Given the plethora of frameworks, schemes and standards at your disposal, you might be at a loss as to where to start. If so, I suggest you find two or three organisations who seem to run efficiently and who have a great customer service culture (because that reflects an organisational mindset of continual service improvement) and see what they do in this space. My picks in New Zealand would be Air New Zealand, Z Energy and Icebreaker. Now, I do not know what frameworks they use behind the scenes, but I would be keen to find out, if I were looking for a framework to implement. These organisations all have the following in common:

  • They all exhibit excellent service management.
  • They run efficiently.
  • They are a pleasure to do business with.
  • They are very quick to address customer feedback and to handle issues.
  • They do not appear to suffer IT outages or slow IT systems.

FRAMEWORKS, STANDARDS AND METHODOLOGIES

Frameworks are good for internal use, but adopting a framework does not say anything in particular. For example, I can tell you that I have adopted ITIL, and actually I might only have implemented one or two processes. Even with the one or two processes that I have implemented, you cannot gauge how good I am at doing them. That said, frameworks are excellent stepping-stones towards standardisation and particularly useful as guidelines. COBIT is an excellent tool to use for developing solid operational processes that will help you build a consistent governance framework, by aligning IT, IT processes and business goals. It has been used widely in the US to assist with meeting Sarbanes–Oxley compliance.

Compared to frameworks, standards offer more certainty and are useful for proving your internal achievements to the outside world. For example, if I say that I am certified to ISO/IEC 20000, then you can read the standard and know the minimum I would have had to have done to achieve certification. When we first published the 20000 standard back in 2005, it consisted of two parts only – the description of IT service management as a list of requirements that could be certified, and a volume on guidance for meeting the certification requirements. Since then parts have been added to cover scope definition, a process assessment model in line with ISO/IEC 15504 and an exemplar implementation plan. At the time of writing there are another six parts in the pipeline to cover the application of the principles of IT service management to cloud computing, alignment to the quality management standards and so on.

Certification can also help with compliance if the certification body is recognised as a quality institution, if the area of certification is relevant and if the certification is current. If your certification requirements are aligned fully or in part to your legislative requirements, you should be able to prove compliance with little or no additional work. Certification can also give you a head start on your competitors in a tender process, if it proves beyond doubt that you are capable of an activity without having to pull out case studies, reference sites and so on.

Other standards to consider for inclusion in your IT governance framework are the information security management standards (the 27000 series), the business continuity planning standard (ISO 27031) and the risk management standard (ISO 31000). Certification to any of the standards mentioned in this section will assist with discharging the 38500 conformance requirements.

If you have adopted a standard and you are pursuing continual service improvement, then a capability maturity model, such as CMMi (Capability Maturity Model Integration), could prove very useful as a framework to help you work towards process efficiency in a consistent way across your organisation. I am a big fan of CMMi, as it is relatively easy to map your organisation against the framework, and once you have mapped it, there is clear guidance as to how you might proceed to the next level of maturity. The related People CMM is one of the few frameworks that address the development of your people in any depth. Given that the human behaviour principle now seems to be the most important of the six governance principles, it is worth looking into a methodology that helps you develop your staff, helps you evaluate how well you use your staff and assists with integrating the competence growth of your staff with your process improvement programme. My colleagues and I have had the pleasure of mentoring a number of start-up CEOs, CIOs and IT programme and project managers in the last few years, and it has given us great pleasure to see how they have stepped up once they have been trained and feel they have the confidence to attempt tasks that were previously beyond them. Developing the staff you have is generally so much easier and more cost-effective than replacing them with new and more highly skilled staff.

There are some excellent methodologies that you will find described in various books. I have found the books Gemba Kaizen: A Commonsense Low Cost Approach to Management (Imai 1997) and The Toyota Way (Liker 2003) invaluable for providing guidance around the area of quality management and building a mindset of continual service improvement. At first, the manufacturing examples might not seem appropriate, but the principles of building repeatable processes, fixing problems by looking at the root cause and endeavouring to save time and money through efficiency without losing sight of quality can be successfully applied in the IT realm.

MOVING FORWARD WITHOUT MOVING BACKWARD

Of course, not all your efforts at introducing greater efficiencies will result in improvement. Some of your schemes and programmes will go wrong to the point where they could result in a loss of business. One of my favourite books is Management of the Absurd by Richard Farson (1997). To quote the foreword of the book, ‘In his easygoing, anecdotal way, he [Richard] emphasizes the inevitability of unintended outcomes, paradoxical coincidences, and unknowable realities in human affairs’. Richard Farson is a psychologist, educator and former CEO and his insight into why we often achieve the very opposite of what we are trying to achieve is very thought-provoking – and actually very comforting if you have discovered a number of unintended or unexpected outcomes at the end of your programme.

How will you know if your efforts to improve your business have backfired, and what will you do about it? How will you identify and measure the unexpected benefits? Some negative consequences are temporary. Suppose I revamp my ecommerce site and provide more detail on my products so that my customers do not buy the wrong item by mistake. Well, initially, I might appear to lose sales, but eventually my number of repeat customers should increase.

Critical success factors and critical failure factors

What does success look like? Have you planned and prepared for success? What would failure look like? Ironically, it is easier to prepare for failure and to set up reward schemes that inadvertently encourage failure. Are you rewarding your team based on success or failure? If they are enjoying being part of a programme team and you have taken them away from the burden of responsibility of a less interesting operational job, then success to them might look like keeping the programme going for as long as possible. You might find that your career-minded team members are more incentivised by the promise of a more interesting role once the programme ends than a bonus payment. If you can promise them some sort of ‘life after go-live’ that involves them contributing to an ongoing, never-ending continual service improvement project, they will feel that the hours they have put in to make the programme a success have been worthwhile. Once you have them hooked on delivering successful projects you can get more ambitious every year.

Most of us human beings respond well to incentives, but often we are encouraged by just seeing the fruit of our labours. For example, I acquired a pedometer at the end of last year, and seeing the number of steps I had walked at the end of the day encouraged me to walk further the next day. My critical failure occurred when I put the pedometer through the washing machine by mistake. Failures will occur. One of the measures of your success will be how well and how quickly you respond and move on from failure.

Keep redefining the critical success factors, and get more ambitious every year.

Key performance indicators and key goals

Set realistic business goals and make sure that the performance indicators you set for your staff all align to those business goals. If you incentivise your IT team managers to spend as little money as possible on IT systems, then you cannot expect them to deliver high-quality services. If you incentivise your IT team managers on providing a highly secure environment, you should not be surprised when they refuse to support you connecting your iPad to the company network. Whatever you set for your staff will drive their behaviour. I know that sounds obvious, but you would be surprised how many managers complain that their staff have made poor procurement choices, missed maintenance tasks, run infrastructure components beyond their use-by date or replaced them too quickly. In many instances when we have investigated the root cause of such behaviour, it has turned out that the staff in question were just pursuing their performance targets.

Be careful what you wish for, and make sure that what you wish for is supported by organisational goals, business goals and individual goals. I find the cascading balanced scorecard approach to reporting, referred to in Chapter 4, helps make it very clear where the goals across the organisation might not be aligned.

Write very clear KPIs and list them under headings so that your staff member knows what you are trying to achieve through each goal. It will help greatly if you can suggest what the desired behaviour, outputs and outcomes would look like. As a staff member, I would like to know what is expected of me to be ranked as outstanding, meeting or exceeding expectations, developing/needing improvement and unacceptable. If I am new to the role, this will give me a clear idea of what is expected and I will not be too concerned if I do not ‘exceed expectations’ from day one. If I have been in the role for years and I continually deliver ‘outstanding’ work, I might want to look for something more challenging.

Risks and countermeasures

One of your greatest aids for supporting business improvement is the organisational risk register. For most business risks, IT systems or data and information management will be part of the mitigation or part of the solution. Keep your own IT risk register, and review it with your management on a weekly basis. It will provide a useful guide to the areas of the IT systems and services where you should be focusing your business improvement efforts. Send a consolidated version of your risk register, highlighting critical risks that affect the whole organisation, through to be incorporated into the organisational risk register.

Make addressing risks part of your CIO reporting through to the board. One of my clients moved from seven critical-rated IT-related organisational risks to zero in the space of two years through the implementation of a comprehensive work programme. It is very satisfying for your governing body to watch the number of risks reducing.

Self-assessment

Beware of self-assessment. I know that it is very popular for boards to self-assess and that there are some excellent self-assessment tools and frameworks available. However, I cannot think of many areas of life where self-assessment is reliable, so why would you entrust the development of your organisational leaders to a self-assessment process?

Auditing

Having your systems audited might not directly help you optimise your governance framework, but it will help you detect whether you are starting to slip backwards. An audit is a bit like a car service or an annual dental check-up. You hope nothing is wrong, because you know that would involve inconvenience and expense, and maybe a bit of pain in the short term. On the other hand, you would rather find out about that cracked filling before it develops into an abscess, or the soft brakes before they let you down on a wet motorway late at night.

A good auditor, like a competent dentist and an enthusiastic car mechanic, will leave you with hints, tips and ideas as to how you can improve your current state, and if you are being audited against an ISO standard, they will hopefully leave you with a nice certificate for the wall.

Besides the ISO standard for governance of IT audit, which is still being developed, there are also a number of audit schemes to consider in this area, such as COBIT and TickIT.

MEASURING SATISFACTION – REVIEWING PROGRESS

This section covers the area of collecting feedback from all your stakeholder groups to determine whether they perceive that services are improving. It is useful to collect feedback three months, six months and one year after the initial implementation. The reasoning behind this suggested timeframe is as follows. After three months you will have addressed all the critical and urgent issues, but you will have members of staff and customers who are still finding their way with the new framework. You can use this initial review to identify further training or communication needs. By six months everything should have settled down and the uptake on the new systems should have increased since the three-month review. After one year, the framework should be just about invisible to all stakeholders in that it is fully embedded into the business-as-usual activity of the organisation.

Board satisfaction

So, your staff are happily incentivised to continue developing your framework to meet emerging and evolving business goals, you have completed an audit to check that you are not slipping backwards, and you are running risk registers and issues registers to keep on top of problems as they arise. But how do you know if your board is satisfied with the roll-out of the new framework? Do they now have the information that they require to monitor IT activity and information systems across the organisation? Can they see positive outcomes from activities and tasks that they have directed?

Do your new reports inform them to make better decisions both for the business and for the development of the supporting systems? Do they still feel engaged with the governance programme and are they aware of current activities? Do they see any overall organisational improvements?

You will want to hear back from your board, and the best way to approach this is via your board sponsor. Your board sponsor will be able to give you their view on how the programme is progressing as it goes along, and will be able to answer the questions above on behalf of their colleagues. They will also be able to advise you on the best way to get direct feedback from other board members. Given that most boards are made up of diverse members, it is very helpful to have direct feedback from three to four members at critical points in the programme. A half-hour, one-to-one interview slot with members can be particularly helpful when you are formulating the next phase of delivery. Note that your questions should be around the vision for the direction of the organisation, not around the success so far of the programme.

Customer satisfaction

Have your customers noticed a positive change since the deployment of your IT governance framework? Surveys and interviews can be useful tools, but you do not want to place an unnecessary burden on your customers, so make sure that any effort here is lightweight. For example, you could put out a survey through your website or your call centre, but keep the number of questions to three to five, and keep the questions short and easy to answer. Alternatively, you could run an official launch of the programme and invite your most influential and loyal customers. It will send a very good signal to your customers that you are serious about continual service improvement, and they will enjoy celebrating your success with you. Do not tell them how bad everything was before you ran the programme – either they know already or they do not need to know. Keep the serious content of the celebration to a minimum, and send everybody away with something that will help them remember what you have done.

Management satisfaction

Often, middle managers end up with increased workload when new processes and policies are rolled out. They have to keep the peace with staff who have gone through a switchover to new processes and procedures, they are the first port of escalation for disoriented customers, and they still have their normal workload to process. This is not a good time to put a survey under their noses or to put them through an interview. However, this is a good time to provide admin and other support, and generally pamper them with any remaining project budget.

The best time to survey management is once the first set of deliverables is stable and whilst you are planning the second set of deliverables. Only ask for suggestions for improvement if you are at a stage where you are still able to incorporate input. Otherwise, present what is going to happen and ask for feedback and comments. Look particularly for feedback on where resources are stretched or where there is a lack of policy or procedure to support the programme.

Employee satisfaction

Employee surveys are not always successful. A better approach is to interview individuals and talk to staff informally at the water coolers, in the kitchen and by the lift. Rather than quiz staff on the benefits of the IT governance framework, look for signs of frustration and listen for their suggestions for tweaking the framework to make it easier to work with.

Stakeholder satisfaction

And, finally, there are all your other stakeholders who have a connection with your organisation – however loose or tenuous that connection is. This is where a light survey – in the style of a pop quiz – could be perfect to gauge an outsider view to the organisational changes that you have completed.

BUILDING ON SUCCESS

If the results of your satisfaction survey are not as good as you had hoped, you have some work to do to make improvements. The biggest danger, though, is that your satisfaction survey results are good, you think you have completed your mission and complacency sets in. So get planning and book an external review and get reading to keep ahead of tried and tested practices. Find a set of companies that you admire and see what they are doing. Do not look for badges in the form of certifications and accolades, but look for results. Of course, if you are offered badges and certificates on the way, make sure that you display them where every visitor to your organisation can see them.
