This interview features Jeanne Ross and was conducted by Michael Milutis, Executive Director of the IT Metrics and Productivity Institute.
Could you tell us a little about yourself, the MIT Center for Information Systems Research and your current responsibilities there?
JEANNE ROSS: I am a principal research scientist at the MIT Center for Information Systems Research (CISR), which is part of the Sloan School of Management.
The CISR tackles questions that enable practitioners to get the most from information technology. The center has been in existence since 1974, and I have been on staff since 1993. As a full time researcher, I am involved in a fair amount of presentations and executive education.
From the beginning of my stay at CISR I have looked into questions of IT management, IT governance, enterprise architecture and organizational change. In my mind, these are the critical issues that companies must understand in order to get the most value from their information technology.
You co-authored IT Governance: How Top Performers Manage IT Decision Rights for Superior Results. What inspired you to write this book? What specifically were you trying accomplish with it?
JEANNE ROSS: My book on IT Governance was inspired by the work that Peter Weil did with Gartner. At the time, Gartner was in the process of surveying 256 companies around the world to understand how companies were designing their IT governance. While Peter was working on this at Gartner, I was looking at infrastructure transformation, ERP implementation and e-business implementation. In the course of my own research, I discovered that companies that were clarifying the decision making process around their IT investments were attaining substantial value.
We combined all of my qualitative understanding with Peter's quantitative understanding. It really was a good partnership. He would produce numbers that I would look at and say, “I'm sorry, but that just can't be right.” He would respond, “Well, the numbers say it so maybe your data can't be right.” Figuring out why my qualitative data seemed to be saying something different than his numbers really helped us understand what was going on out there.
Usually, if there was a disagreement, we realized quickly that the original interpretation of the data was wrong. Originally, if some factor did not significantly correlate to added value, the assumption was that it was a bad investment of funds. After further analysis, we found that the lack of value was more a function of bad planning or execution. Rather than presuming that an organization should avoid such an investment, we wound up stressing how important it was to plan and implement the investment correctly.
For example, if you had looked at the purely quantitative data, you would have concluded that architecture committees were a pretty bad idea. The qualitative data I had assembled, however, pointed to the exact opposite; namely, that the best companies had great architecture committees. Looking at the entire picture, what we saw was that most companies had an architecture committee, but one that was performing poorly. Our conclusion was that although an architecture committee might be difficult to implement ““ there was an enormous payoff for those organizations that got it right.
Why do you think the term “IT governance” is so commonly misunderstood in our industry?
JEANNE ROSS: I think the rational explanation is that the word “governance” is frequently equated with the word “politics.” We often hear people referring to “politics” or saying, “This is a political issue.” The problem, though, is that at some point different people will use the term “IT politics” when referring to different things. Some people will be referring to culture. Others will be talking about the need for certain employees to start caring more. Still others will be saying that the priorities of individual business units are superceding the good of the company as a whole. All of these things and more tend to hang together, in a confused manner, when people use the term “IT governance.”
In light of this, could you give us a simple authoritative definition for IT governance?
JEANNE ROSS: I will give it to you right from the book. “IT Governance is the decision rights and accountability framework for encouraging desirable behavior in the use of IT.” The critical part of this definition is that it talks about the “decision rights and accountability framework” rather than the decisions themselves. Many people tend to view governance as the individual decisions that are made. This is incorrect. It is the overriding framework in an organization ““ the framework that assigns accountability and responsibility for those decisions – that is truly representative of governance.
Could you give us a description of such a framework?
JEANNE ROSS: The governance of IT investments might require the following process for deciding which projects get funded: individuals submit proposals to business unit managers; managers pick the projects most relevant to them; managers then justify their decision by developing a clear business case for their choice, possibly explaining how their decision might support the strategic objectives of the larger organization; the list of projects goes to a committee; the committee prioritizes the list of projects and then sends that prioritization list to senior level management for approval. Such a framework would be part of the “IT governance” for an organization. The actual decisions themselves would be secondary. What the framework dictates is which person or group will make the decision and how such decisions will be judged. Excellent governance goes beyond assigning a person to make decisions. Governance is about defining the factors that will govern how decisions are made.
Your book features a chapter on the “Five Key IT Decisions.” Could you elaborate on these five decisions and explain how they relate to IT governance?
JEANNE ROSS: We found a remarkable consistency across organizations from a wide range of industries. Each of these organizations was making five identical IT business decisions. The difference was that each organization was not necessarily governing these decisions.
The first key decision is IT principles. Each company we looked at needed a clear understanding of the role that IT would play in their organization. For example, a commodity-based company might be using IT predominantly to cut costs and to make their company more efficient. Another company, such as a financial services company, may not view cost cutting as the most important use of IT. Their main focus might be providing the best possible service to their clientele. In short, a financial services firm may decide to sacrifice cost-cutting in order to ensure high quality customer service. These are very different principles. And this decision itself ““ the decision on IT principles – may be one of the most important high-level decisions made in an organization. If a company does not identify their IT principles correctly, everything that follows forth will be off the mark.
The second key decision involves capabilities. It draws entirely from the previous decision about IT principles. For example, if your IT principles are focused on the lowering of costs, then your capabilities must be built around that focus. Likewise, if the principles declare that the company will operate as a single enterprise, then a tremendous amount of integrative capability will have to be built for data sharing among global customers. Whatever has been decided, the IT department will have to concentrate its efforts on these areas.
The third key decision involves infrastructure. Once it has been decided what capabilities should be built, it must then be decided who will have access to what information. What data will be shared? How long will employees have access to the information? These are the kinds of questions that come into play with the third decision.
The fourth key decision revolves around who will formulate the requirements for individual applications. Should each individual business unit decide on their own application requirements or should applications be provided to each unit in a more collaborative way? As in the case of the second and third decision, the fourth decision relates directly back to the original IT principles.
The fifth and final key decision centers on IT investment. Who gets to decide on the prioritization of projects in the organization? What projects will be funded? What projects will not be funded?
For many companies, IT governance is focused solely on investment, the final decision, rather than all five. What this entails, essentially, is that senior management dictates to IT exactly what they want. And IT responds to management by relating how much it may cost and how long it may take. Everyone knows that this is a poor model, but many companies are stuck inside the mindset.
What is the correct way to implement IT governance?
JEANNE ROSS: First of all, a mechanism is needed to implement governance properly. Many companies create a senior committee that oversees these five decisions and that either takes responsibility for them or assigns responsibility to others. In addition, many companies will create overlapping ownership across management teams for each of these five decisions. For example, the CIO may be part of both the principles team and the investments team. As a result of overlap, decisions become more cohesive. Second, organizations must come to terms with the fact that they are not going to get everything right the first time. IT governance is a learning process. In light of this, it is important for someone to take the responsibility – to check and double check ““ that the company is receiving the business value they desire from their processes. Generally speaking, the committees that are created and the processes that are initiated will not run smoothly from the start.
Third, you need to create processes that can be pushed down through the organization. The best example I can think of would be a post-implementation review of a project and that project's impact on business value. A post-implementation review allows for a clear analysis of a given project's value. Some of the review should compare results to the original business case, while other parts should be more testimonial, i.e. people reporting about their experiences with this new capability.
A final thought is to never give up. Even when you feel like things have not significantly improved, you should continue to diagnose why they have not improved. At times, this may involve changing personnel. In other cases, it may involve changing incentives. In the end, it is important simply to stick with it and to realize that IT governance is a very important component to the success of the business.
How can we convince our organizations about the importance of IT governance?
JEANNE ROSS: Every organization can relate to the importance of their finances. They understand the importance of budgets and of standard costing. They understand the importance of variance analysis and of target income levels. They understand the need for internal auditing. All of this is necessary for any organization to run efficiently.
I would argue that a company should relate to IT governance the same way they relate to financial governance. Since IT spending is a significant component of overall costs, I would contend that special care must be applied to ensure that appropriate decisions are being made. Having clear and precise processes behind such decision making will allow your business to better understand and control the overall IT spending.
What are some of the biggest misconceptions that you encounter in our industry about IT governance?
JEANNE ROSS: Perhaps the biggest misconception about IT governance is that it only governs how much money should be spent on IT and what that money should be spent on.
Deciding where money should be invested is only half the story. The other major factor to consider is how to derive value from those investments. Until an organization understands how to derive value from their investments, it will never make good investments.
As I mentioned earlier, this is a learning process. By measuring the actual value from our investments, we can learn a great deal about the process of investment. We will learn why we succeeded or failed. We might even experience benefits that we were not expecting. This kind of feedback cycle often gets ignored.
For those organizations that lack an IT governance framework but would like to establish one, how would you advise them on getting started?
JEANNE ROSS: Generally speaking, the push for an IT governance framework will come from the CIO, one who comprehends the extent to which good governance can help the company.
The first hurdle the CIO will face is senior management; convincing them that IT governance is well worth their time. A common mistake is for the CIO to talk to executive management – in esoteric terms – about the role of IT in the business. The CIO might ask the CEO or the CFO to decide how IT should be used or to establish principles for IT. This is a mistake. It would be much more productive to engage senior managers in a discussion about how to save money on IT or how to get more value for that money. Consequently, my advice is to identify a few areas where senior management might be able to help themselves financially and then try to encourage their enthusiasm about involving IT in the solution.
Meanwhile, at the project level, I think the CIO needs to work more on project methodology. He should be getting his IT department to clean up projects, make them more targeted to business value and then put mechanisms in place to assess that business value upon completion. Being able to inform the company that it spent a lot of money and did not realize any value from it will surely jump start discussions about IT governance.
How widespread is good IT governance? How many companies are doing it right? How many are not doing it at all?
JEANNE ROSS: I suspect that on some level every company has a small amount of governance going on. However, the evidence seems to indicate that most companies are not doing it very well.
Our best metric for measuring governance implementation is simply to ask senior managers how IT decisions are made in their company. On average, only 38% of senior managers could tell us how IT decisions are made. We did not ask them about their knowledge of financial decisions but I would suspect this to be close to 100%. Until IT decisions get the same level of recognition as financial decisions, we are not going to see good IT governance across the board. We quite clearly have a long way to go.
Are there any companies out there with exceptionally good IT governance in place?
JEANNE ROSS: UPS (United Parcel Service) has extraordinarily good governance. Considering how effectively they use IT, it is not surprising that they are governing it well. ING Direct also has an extraordinary governance process which has really kept them on target.
Taking UPS as an example, one consistent item we noticed was that IT governance was highly correlated with general management. Companies that understood the principles of good management and good overall governance tended to be the ones that were managing IT effectively. Another trait they shared in common was solid financial performance. That does not necessarily mean that good IT governance made these companies successful. It is more likely the case that these companies were very well managed and that excellence in governance accompanied the excellence in management. It would really be hard to have one without the other.
Could you tell us about your latest book – Enterprise Architecture and Strategy?
JEANNE ROSS: Our newest book, published by Harvard Business School Press, evolved from working with e-businesses. We were trying to understand how companies were converting e-business into value. It became clear that much of this was rooted in transparent decision making processes around how organizations invested in IT and how they pushed for value from their investments. At the same time, we were recognizing that some companies were building IT solutions, while others were building IT capabilities. Those companies that were building IT solutions were becoming better at building solutions, but in the process were becoming less agile. On the other hand, the companies that were building IT capabilities had much broader platforms and enterprise-wide thinking. Consequently, these latter companies were more able to focus on the kind of organization they wanted to be and on how to utilize IT to get there.
It was these ideas that became the foundation for the enterprise architecture book.
Biography of Dr. Jeanne Ross
Dr. Jeanne W. Ross is Principal Research Scientist at the MIT Center for Information Systems Research. Her research focuses on the management of the IT unit, particularly on the management of the IT infrastructure and on changes in management demanded by new technologies and new organizational forms. Much of her work involves development of case studies that describe the human, technology, and IS-business relationship resources of firms that have successfully implemented technology-based changes. Her current research focuses on the management of technology infrastructures that enable organizational transformations and on the discussion of IT value between IT and business management.