We all know that IT is moving to a utility model. Taking advantage of service providers' economies of scale, breadth of expertise and wider pool of support experience makes sense for IT services, just as it did in the evolution of electricity supply from small scale generating plants supplying a town or factory to a utility piped in from outside. Many businesses look at the cost of support, disaster recovery and business continuity measures – then conclude that bought-in is better than home grown. There are other advantages as well: utility / service provider / cloud computing models don't tie up capital which could be better employed on core business activities. Many people might even conclude that there's no real need for an IT function in the business any more – that it simply boils down to contract management. This is true when things are going well, but if they aren't we run up against the two things a business can't outsource: responsibility and accountability Corporate responsibility and liability can't be passed on. The officers of the company are responsible to the stockholders, and the management is responsible to the officers. The company is bound by the legislation in the countries in which it is incorporated and operates, and may be subject to additional regulation depending on the industry or sector. What does this mean for the IT function? IT departments will find their role gradually changing as the tide of delivery and day-to-day operational and maintenance work recedes, leaving a hard core of functions which must be kept in house. PLANNING – only the officers or directors of a business can make the plans for its future. After all, they are the ones accountable if the plan fails to deliver value to the stockholders. Taking professional advice from suppliers or consultants is good, responsible business practice but nevertheless only the organization itself can take responsibility for planning deciding the business objectives to be fulfilled by the IT delivery mechanism, whatever it happens to be. GOVERNANCE – ensuring the company complies with the law in respect of accounting practice or data protection, together with the responsibility to the stockholders to ensure the business is run effectively and efficiently are activities that belong in house. The retained IT function needs to put robust risk management processes and controls in place as part of the wider governance, risk and compliance management activities of the organization. MANAGEMENT – just because the service is being delivered by someone else doesn't mean it can be left unmanaged. Control of costs, ensuring that the service being billed is the service delivered, monitoring value delivery against corporate objectives and the elimination of waste still needs the attention of the management team, but on a more abstract level than the hands-on day-to-day operations. BUSINESS CONTINUITY – absolutely must not be left to chance. It's all very well saying “I've outsourced to company X who have robust BC/DR plans in place”, but what happens of company X ceases trading? It's happened before, and the nature of business is that it will happen again. CORPORATE CONTROL AND KNOWLEDGE – related to all of the others, but important enough to stand on its own. As business becomes ever more dependent on ICT, so ICT becomes inextricably linked with the delivery of core business functions. An organization must have control of its own destiny, and that means knowing and understanding how its systems and processes are delivered.