The phrase “necessary evil” may not be the savviest way of describing it, but keeping a handle on IT governance will likely remain a key priority for CIOs in 2006.
That was clear from the discussions at a recent Canadian CIO roundtable in Toronto partly sponsored by Canadian Information Processing Society (CIPS), a professional association for Information Technology (IT) practitioners in Canada headquartered in Mississauga, Ont.
Bob Adams, vice-president of RIS, a Toronto-based applications support and maintenance firm (and primary host of the CIO Roundtable event) said that IT governance is still top of mind, particularly in publicly traded companies these days.
“The reality is the conversation about governance is not new…but the reality is now it is everybody who is a part of the discussion. It’s at the CIO level, the board level…it also involves vendors and sometimes even customers. Collectively, we all need to get it right,” Adams said. “I hesitate to use the term ‘necessary evil’…a lot of this actually makes good business sense.”
At the roundtable, participating CIOs discussed the importance of balancing IT or corporate governance with business objectives. And – related to that goal – they emphasized the need for transparency and accountability in IT and financial reporting.
At least three current models of IT governance were identified: a centralized, shared services model; a decentralized model, where responsibilities are delegated to business units; and a hybrid of the two.
In a post-Enron world, enterprises are already aware of the challenges of weighing IT innovation with regulatory and legislative constraints. But, compared with the rest of the world, Canada is doing quite well when it comes to corporate governance, said David Brown, executive director of Brown Governance, an Ottawa-based advisory firm and also co-host of the event.
Brown said Canadian companies have done a particularly good job of integrating U.S.-style rules-based governance (including the Sarbanes-Oxley Act). At the same time, he said, Canada still maintains a British style principles-based system of governance, which allows us some flexibility around corporate governance. "More and more it’s accepted as the reality of doing business today. But there’s still a sizable minority that thinks this is going to go away and is an [unnecessary] exercise in compliance."
But on the whole, Canadian companies have grasped the reality that this is not an optional undertaking – it’s a mandatory thing, said Brian Chan, CIO for Toronto-based human resource solutions provider Morneau Sobeco.
"I think the whole governance environment – IT included – is getting better and there is more attention given to it. And people no longer treat it as a bureaucracy as opposed to a good business practice," Chan said.
Indeed being so close to the U.S. has likely accelerated this line of thinking, he said.
The biggest challenge, according to Chan, is balancing compliance at all costs, compared to compliance at an affordable cost. "You can get overboard and throw a lot of money at it or you can work with what you have already in place…and start slowing building up the layers."
Mary Jane Slavin, vice-president, company and consumer information management at Toronto-based Johnson & Johnson Canada said the IT governance is perhaps part of a larger enterprise issue, specifically the aligning of IT with business goals. Once an organization realizes the importance and value of the IT department, IT governance should be a natural extension of that.
IT professionals can still be perceived as the ‘break-fix guys’ but IT is obviously more than that, Slavin said. “The business tends to default to the CIO as the ‘chief helpdesk person’…not always but it’s still below the surface,” Slavin said.
Standards such as ITIL and COBIT have been in existence pre-Enron, but still provide a good IT governance framework to start with, Chan added. “You could be 100 per cent compliant, but if you’re losing money then it doesn’t matter.”