David Drew used to have his own supergroup for IT decision making at 3M Corp.: the Information Systems Steering Committee. He had all six business division chiefs in there, along with the top functional leaders, meeting together six times a year to do nothing but jam on IT strategy, endorse IT projects of more than US$1 million and prioritize IT resources.

It was great while it lasted. In a company of strong business units, each focused on their own wants and needs, the committee was Drew’s base for creating consensus for a unified IT strategy. But when W. James McNerney, the company’s new CEO, took over in January 2001, he broke up Drew’s group. And the business unit executives didn’t protest. They already had to prioritize IT resources for their own unit; they didn’t want to do it at the corporate level too.

“Our company is big and complex, and the group members didn’t feel they understood the issues in all the different units well enough,” explains Drew, who is vice president of IT for St. Paul, Minn.-based 3M.

But Drew can’t conceal his disappointment. “The corporate IT prioritization process was moved back to IT, and I would really rather have it at the highest business level,” he laments.


Well, what CIO wouldn’t want IT decisions made “at the highest business level”? For years, management gurus and the IT media have pushed for committees like Drew’s late-lamented supergroup as the solution to the age-old problem of business-IT alignment. If a CIO could just get all the top honchos in the company meeting regularly to talk about IT, the thinking went, all his troubles would be over.

Unfortunately, this ideal of good IT governance is more often philosophical than practical. Even though big companies are now spending more than 50 percent of their capital investment dollars on IT (according to Gartner), few have a supergroup to guide their IT strategies. Most top executives still regard IT as a shopping cart full of hardware, apps and systems, and the extent of their involvement is to say, “We’ll take that one and that one but not that one.”

That approach leads to flavor-of-the-month technology spending. Executives buy what they think they need to accomplish the short-term goals of their unit. Corporate strategy? Pie in the sky. Technology and business process standards? What’s that got to do with third-quarter revenue?

If they are ever to rid themselves of the IT-shopping-cart mentality, CIOs must create something better: a governance structure that (1) keeps IT and the business jointly accountable for linking technology to the most important business strategies of the company, and (2) produces IT decisions that benefit the entire company and not just a part of it.


Understanding governance is easiest if first you understand what it isn’t: It isn’t management. Management is the decisions you make; governance is the structure for making them. Without good governance, you won’t get good decisions consistently, no matter how wise or shrewd you are. The executive IT committee is the most powerful tool companies have to steer IT decision making at all levels, but it can’t be the only mechanism you have.

The two main components of governance are (1) the decision-making mechanisms you create, whether committees and review boards or written policies, and (2) the assignment of decision-making authority and accountability. IT governance drives decisions in three main areas: IT strategy, investment in IT projects, and IT architecture.

The big challenge in IT governance, as 3M’s Drew discovered, is that businesspeople view all IT as local unless the governance structure forces them to think otherwise. CIOs have to build governance systems that fulfill the strategic business goals of every part of the company while somehow imposing standards for the safest, lowest-cost use of technology across the entire enterprise.

A tall order for sure.


CIOs can begin attacking the problem by examining the different pieces of IT governance they already have. Chances are, they aren’t very well linked, says Peter Weill, director of the MIT Sloan School Center for Information Systems Research in Cambridge, Mass. “The use of IT in companies has become mature, but IT governance hasn’t caught up,” he says. “Most governance mechanisms are created to solve specific problems, like IT investment or architecture, but little thought is given to how they work together.”

Here’s how the failure to link governance mechanisms hurts your company: A business unit wants to buy 10 PCs, and the business unit investment committee gives the go-ahead. Meanwhile, your IT architecture board (or architecture policy) says you have to buy ThinkPads. If those mechanisms (the business unit investment committee and the IT architecture board) are not linked, the company will end up with 10 different business units with 10 different brands of PCs running 10 different flavors of software, and you’ll need at least 10 different guys on the help desk to service them. You might as well not have a corporate IT architecture at all for all the good it’s doing you.

But not only must the governance mechanisms be linked functionally, they must be linked philosophically, says Weill. The different governance structures should not have conflicting goals that drive different types of behavior, such as linking a freewheeling IT purchasing process to a rigid corporate architecture. If businesspeople are free to buy whatever PC they want, they will be resistant if IT then wants to control the software they can put on those machines. In effect, the two governance mechanisms are sending two different messages.

The messages that governance mechanisms send need to be consistent not only with each other but with the prevailing business strategy. So if the CEO is on an acquisition binge and wants to grow the company as fast as possible, IT may need to relax its governance structures to let decisions happen more quickly and with fewer qualifications. Conversely, when the CEO calls for cost reductions, CIOs may need to add a few layers of new IT governance to control spending and better enforce standards and architecture.


Of course, in the real world, companies, especially big ones with multiple business units, rarely have consistent business strategies. At 3M, for example, there are six market centers and 45 units, all with different strategies and market conditions. Drew needs to tie them all together with a single governance structure that serves the unique needs of each business while somehow maintaining consistency across the units and building support for a unified IT strategy across the company.

To do that, Drew has developed a governance structure that promotes the IT goals of 3M as a whole (standardization, cost savings and ROI) at the functional and business unit levels of the company.

Drew’s governance structure starts at the bottom, at the business process level. Each of the six business divisions must keep a running list of “e-productivity” projects, which identify a specific business process (such as order management or customer service) whose cost, quality and speed can be improved by IT. Leaders in the business units choose the projects and champion them, with IT in a supporting role. Each business division has a quarterly cost-reduction dollar target, and the projects are reviewed to see if the goals are being met. If they aren’t, the business unit leadership has to explain itself to the top executives. That pushes the units to become more accountable for IT projects and to devote the resources necessary to help Drew’s staff get the job done. Of course, Drew also measures his own staff on its ability to drive those projects to success. If the projects look like they might be transferrable across more than one business unit, they become “Super E’s” and get bumped up to the corporate level.

The governance mechanism that Drew uses to keep these projects on track and in line with 3M’s corporate goals for IT is the enterprise architecture, the CIO’s secret weapon. Each e-productivity project must adhere to a list of common applications, hardware and programming languages. In this way, Drew is gradually pushing the different divisions toward a common architecture without having to issue a fiat from above.

He calls the architecture “embedded governance” because it’s built into the projects and drives the technology decisions that benefit 3M as a whole, not just the individual business units.


Governance structures that drive hard at the process level gain their power from clear IT strategies at the top. Without guidance from senior executives, process-level projects have a tendency to multiply or become neglected and unfocused, or, worst of all, simply irrelevant.

“The single most important IT governance decision you can make is getting senior management to identify three or four or five strategic, core business processes and then decide which ones they want to focus their IT spending on, because then everything else kind of falls in place from there,” says Jeanne W. Ross, principal research scientist at the MIT Center for Information Systems Research. “These companies get so much better value from IT than the companies that say, OK, here are all the IT project proposals that were submitted this year, let’s decide which ones have the highest ROI and allocate the dollars accordingly.”

At State Street Corp., the Boston-based bank, IT knows which core processes to focus on because the company has an IT supergroup, the IT executive committee, devoted to talking about them 12 times a year. All of the heads of the different business units, along with the president and COO, sit at the table. The IT budget, which used to be controlled almost entirely by State Street’s highly independent business units, is now in the committee’s hands. The committee focuses primarily on IT investments, but it also discusses business strategy and the role of IT in supporting it, as well as IT-specific issues like security and architecture. The different units still have their own discretionary budget, and quite a bit of power to determine their own IT destinies, but they all know that the IT executive committee is there to serve the interests of the company as a whole, which right now is focused on improving customer service across all the business units. John Fiore, who developed State Street’s governance structure as CIO, left the company last month. His successor, Joseph Antonellis, who assisted Fiore in creating the structure, says he will maintain it. “I strongly believe in the governance and the ideals that [Fiore] put in place,” he says.

Electronics manufacturer Flextronics also has an IT supergroup that consists of the CFO, the COO and the presidents of the company’s different business units and functions. Because Singapore-based Flextronics’ margins are so thin (2 percent to 3 percent on average), the group focuses on using IT to support and enforce a set of common practices in the company’s core processes of planning, manufacturing and global distribution.

Microsoft wants Flextronics to build its Xbox game console with the same speed, efficiency and quality in China as it does in Mexico. “We need to provide global consistency,” says Mike Webb, Flextronics’ senior vice president of information technology. “That is a fundamental part of our business.”

Such a clear message from the business’s top leaders makes Webb’s job much easier. For example, Flextronics’ quest for consistency drives Webb to go really deep on the architecture piece of governance. The company has a single version of all its major software platforms that it installs around the world. Webb even has a staff of 60 fully dedicated in-house consultants who drop in like commandos to set up the infrastructure at a new plant. Control is so tight from Webb’s 120-person corporate group (800 IT people worldwide) that when Webb ships a router to a new factory, it has already been configured and tested by his corporate group.

Of course, even at companies that place as high a value on technology as Flextronics and State Street, top executives have other things to do besides meeting about IT, so Webb and Fiore must be like rock and roll managers, keeping egos under control and minimizing fighting and boredom. Before leaving, Fiore already had seen a backlash against the depth and complexity of the IT discussions in the committee meetings. He reduced the size of the committee from 22 to 10 and rejiggered its mission to focus more on business and less on specific technology discussions.

Webb makes sure to keep the discussion in the room big-picture. “I don’t involve [the committee] in the details of our IT infrastructure or our network security strategy, other than reviewing the cost,” says Webb. “I present them with plans that help them understand why we’re doing something. I’ll show them the business risks we face and then explain the level of investment that I think makes sense to alleviate that risk.” He also keeps the details of IT architecture to himself.

But CIOs can’t keep too much to themselves or they risk alienating the top execs. So education is important. At Milwaukee-based sign-maker Brady, Keith Kaczanowski feeds the company’s top executives information about a technology before they have to make a decision about it. Brady recently centralized its computing infrastructure on a new ERP system, which raised the stakes on issues such as security and disaster recovery now that all the company’s digital eggs have been placed in one system basket. Kaczanowski, who is vice president of IT and process improvement, devoted a meeting to educating the top executives on those issues because he knows he’ll soon be recommending some new spending in those areas.

At Atlanta-based package giant United Parcel Service, CIO Ken Lacy also uses education to set expectations. “The top executives travel all the time, and they’re hearing things about new technologies wherever they go,” says Lacy. “So I listen for that. And we’ll have education sessions on Linux, for example, where our people will present the issues and talk about why we think we should wait on Linux or go ahead with it.”


Not all CIOs can expect to get that kind of attention from senior executives. That is why having a good committee governance structure at the middle level is so important.

Jeff Balagna, senior vice president and CIO for Minneapolis-based Medtronic, which makes pacemakers and other electronic medical devices, was brought in from GE in 2001 to establish a core governance structure. Medtronic is highly decentralized and was not interested in powerful supergroups. So Balagna formed a committee of senior IT leaders from the company’s five business units. Many companies use this device, the IT council, to govern the IT function when they have multiple independent business units, each with its own IT staff.

Though he does not have the leaders of the different business units in the council, Balagna adds an interesting twist to this governance mechanism that gives it more strategic significance: Each CIO of Medtronic’s five business units reports directly to the president of that business unit, not to Balagna, who gets dotted-line authority over them. The divisional CIOs sit in on their business units’ strategy sessions and bring those strategies with them to the meetings of the IT council. That helps the council set an overall strategy for IT that reflects the business interests of the business units. When the committee decides to make a big IT investment or a major policy change, final approval goes to Medtronic’s executive committee of top business honchos, but most of the company’s IT discussion and strategizing remains at the IT level.


If all these governance mechanisms sound like extra layers of bureaucracy, you’re right. However, “large company bureaucracy is not always a bad thing,” says Balagna. “It can keep you from doing knee-jerk technology projects.”

But CIOs need to be careful. As layers of governance build up, innovation and flexibility suffer. Companies with highly formalized structures for investing in IT, for example, tend to invest only in projects that support current business. In a survey of 40 companies, MIT’s Weill found that companies that do well in terms of return on assets tend to have tight, centralized governance mechanisms, while companies looking to maximize their market caps tend to push IT decision making out to the local business unit or end users.

All the committees and rules that come with good governance tend to lead to investment decisions short on risk or creativity. So companies have to be willing to devote a certain percent of the budget to experimentation — 5 percent seems to be average for companies that maintain this innovative edge, according to Ross. At UPS, for example, Lacy has an advanced technology department that works with UPS’s major vendors to test new technologies. And the department has the power to commission small-scale pilots from scratch. “There isn’t a whole lot of off-the-shelf technology you can buy for transportation,” Lacy says. To change that, UPS also has a Strategic Enterprise Fund that invests in small or startup vendors that could eventually deliver the functionality UPS is looking for.


At 3M, Drew says IT is surviving just fine without his supergroup. The company still has a corporate council, composed of all the functional heads, that talks about enterprise IT strategy on a regular basis. And IT projects over $3 million still pop up to the executive committee, which gives Drew a forum to talk IT strategy with all the top execs. Beneath this level, he has built steering committees in each business unit and an IT operating committee, composed of the different business unit IT leaders, that meets regularly to talk strategy and prioritize investments.

Asked if he thinks his supergroup will ever reunite, Drew says no. 3M’s new CEO is a Six Sigma fanatic, so the quest for zero defects in business processes will occupy top management for the foreseeable future. Drew has responded by placing IT people on all the Six Sigma teams and doing his best to anticipate the IT requests that will come out of the exercises.

In the end, and above all, governance must be adaptable.

“You can’t solve everything with committees,” Drew says. “You have to figure out the most practical way to interrelate with senior management on IT issues and be prepared to change the way you do it. There’s no standard model for that.”