CIO Bob Plante was under the gun. A big security and controls audit of CIT Group Inc., completed in September, had left a trail of “red marks” – mostly related to legislation such as the USA Patriot Act and the Sarbanes-Oxley Act – that had to be addressed immediately. While Plante had recently reorganized his IT group to get a better handle on internal priorities for the Livingston, N.J.-based commercial and consumer finance company, these new legislative mandates were another story.
“He was getting battered by the auditors and the board,” says Russ Ward, a senior account manager at Forsythe Solutions Group Inc. in Skokie, Ill., which helped Plante develop a framework to deal with the issues. “He tended to run from one hole in the dike to the next, responding to whoever was screaming loudest at the time. That’s pretty common for most of the folks in his spot right now.”
“There certainly are a lot of external factors causing more than the normal items on the IT agenda,” says John Boushy, who, as CIO at Harrah’s Entertainment Inc. in Las Vegas, knows something about regulatory requirements.
“Priority-juggling used to be internal, but now we’re getting hit by external factors,” says Jean Holley, former CIO at manufacturer USG Corp. in Chicago. “Probably the biggest frustration is unfunded-but-mandatory things like Sarbanes-Oxley. These things are not optional, so how do you juggle those external components you’ve got to put in the mix?”
“It’s frustrating,” says Marty Chuck, CIO at technology firm Agilent Technologies Inc. in Palo Alto, Calif. “I have other aspirations, like growing the company, satisfying the customer, increasing operational efficiencies. I don’t want to be spending on this. It’s a necessary evil, chewing up resources we’d rather spend on something else.”
The challenge is twofold: how do you prioritize these external legislative requirements, and how do you then integrate those new priorities with must-do business projects?
Prioritize and plan
At CIT, Plante and Ward needed to prioritize security and control requirements identified by the security audit.
They looked at industry security and control standards such as Control Objectives for Information Technology (known as COBIT) and ISO-17799 as well as legislative mandates and identified the portions that were most critical to CIT, such as those involving change control and system security and recoverability. Then they developed a matrix to map those controls to their most critical systems. Finally, they overlaid the findings of the security and control audits, colour-coding each area red, yellow or green, indicating greatest to least risk. At that point, priorities became clear.
The next challenge is to complete the necessary compliance activity and still deliver what’s in the regular IT project pipeline. Plante manages the competition for resources by detailing the cost of required improvements so that he, the CFO and business unit executives can decide on the proper pacing and level of expense for each.
Tracking is essential to good prioritization, USG’s Holley adds. “You’ve got to have a way to measure projects to see if you made the right decisions,” she says. “If you don’t keep score on whether you got business value from projects, how will you know how to prioritize projects in the future?”
Spell out costs
Detailing the true costs of proposed projects is a strategy CIO Roger Gray has elevated to an art form at Pacific Gas & Electric Co. in San Francisco, where the key to prioritization is to shrink demand. “What is unmetered is always overconsumed,” he explains. “By metering things carefully, demand is self-correcting. I call it the ‘eConservation of IT’ principle.”
IT usually does a good job of laying out one-time costs, he says, but it needs to do the same for ongoing costs, which are often hidden in infrastructure and maintenance budgets. “We don’t hide those costs in a black box,” Gray says. “If operations wants a system, they know what the bill will be as a project – as well as next year and the year after that.”
When the real costs are revealed, demand curtails itself and prioritizing is much more manageable, he says, and budgeting and charge back improve because there are no surprises.
Shrinking demand also means not going hog-wild over regulatory requirements. You have to meet the law, Gray says, but “the challenge is to be rational and not go around and do crazy things.”
To shrink regulatory demands, he says, be sure to define requirements carefully and rationally, and use experts wisely. For example, Gray never uses auditors who also work as consultants to fix the problems they find.
Your upper management should ride herd on regulatory issues and set priorities, Chuck adds. “If any-thing related to security, audit or Sarbanes-Oxley is left at too low a level, well-meaning people will overspend on it,” he explains. Where they jump into the minutiae of compliance, a senior executive with a broader perspective might realize that there are whole areas that don’t even need to be addressed. “You’ve got to get senior business leaders into the process or it can eat up a lot of time and money,” he says.
While doing everything he can to shrink internal and external demand, Gray also focuses on productivity. “If we can become one to two per cent more productive every year, in theory we can absorb one or two per cent of things that come at us without sacrificing,” he explains. “So we try to get better at what we do so we can absorb these new requirements. Every business has to do that.”
Harrah’s IT group is doing a variation on that theme. Boushy has invested for years in “strategic resource augmentation” – using contracted labour and outsourcing to provide additional skills as needed to grow his IT capacity dramatically. “What helped us get past the paradigm of how to allocate a fixed set of resources was turning the problem sideways,” he says. “If I can get more resources, I don’t have a number-of-projects problem.”
Because of its casino business, Harrah’s operates in 13 different regulatory environments simultaneously, and each has slightly different requirements. Boushy realized years ago that if he had to choose between meeting regulatory mandates and getting business projects done, the business would be poorly served.
“If you’re forced to trade off, you may have to choose on the side of the regulatory requirement,” Boushy explains. “But instead of getting into that choice, by investing in resource augmentation you allow yourself to handle both.”
By augmenting staff to tackle the business project, you enhance revenue, improving your financial position and making it easier to continue to do more, he says. “As result, you start to loosen the budgetary constraints that surround IT.”
Recently, staff augmentation enabled Boushy to finish in six months a comprehensive customer-rewards project that had been estimated to take nine to 11 months. He worked with Sapient Corp. in Cambridge, Mass., and Infosys Technologies Ltd. in Bangalore, India, to carve the project into portions for internal, external and offshore people.
“Not only did we augment from a pure numbers standpoint,” he says, “but when we went to bed, people in India were just getting up, so we were able to do in a 24-hour period almost twice as much work.”
Boushy cautions, however, that staff augmentation is a long-term approach. “We worked with Sapient for five years and Infosys for three years prior to doing the project I described,” he says, adding that it takes time to develop a good working relationship. “If you don’t give it time, you’re likely to hit more bumps in the road,” he says.
But what if you lack the budget for extra resources? Boushy says if you can show the real value of IT investments, the money will be there. He’s been able to do that with a very robust financial-projection, monitoring, measuring and tracking capability. That enables him to see exactly what a project costs, then track the business value it creates. Every year he reports on how IT investments are doing.
“We’re constantly evaluating our investment in information technology, just as you would evaluate how your stocks are performing,” he says. “And we make decisions going forward based on that. IT is seen as an investment from which we expect to receive internal rate of return just as we do from building a new hotel.”