Balancing innovation and accountability
Technology is supposed to serve humans, but it runs faster than them. People are playing catch-up now, trying to sort out the rules that will allow everyone to play nicely together on Wikipedia and YouTube.
A similar movement is afoot in the public sector. Technology that allows different government entities to share resources and information horizontally opens vast new possibilities to improve services – but also butts squarely against traditional vertical silos of accountability. Governance structures are now being stretched in new directions to foster but control innovation.
“The foundation issue for everyone in government is governance around shared services,” says Rose Langhout, head of I&IT strategy, policy and planning at the Ontario Ministry of Government Services (MGS). While the first wave of consolidation – sharing IT and other common services within jurisdictions – is still a work in progress, there are fewer question marks around its governance, she says. “We now have a track record, and there are many examples of mature shared services organizations.”
In Ontario, various committees comprised of deputy ministers, corporate chiefs and CIOs have been formed, and forums created to share and resolve common issues across ministries. “People are always a bit torn between what’s good for the enterprise and what’s good for their ministry, but what governance does is create a context for managing that balancing act,” she says.
While the basic model for shared services is fairly established, there are many new governance challenges that need to be worked through, she says. Identity authentication is a major area that can boost efficiency significantly across jurisdictions.
For example, provinces track life events – births and deaths – but the federal government issues pension cheques. “There’s a long and venerable tradition of continuing to send cheques after people pass away, and then you have to claw back the money,” says Langhout. Government initiatives are underway to share information to prevent these snafus, and also to consolidate citizen services that cross jurisdictions.
“For newborns, we’re testing a single process that allows parents to apply for a birth certificate, health card and SIN number,” she says.
In Ontario, the governance body that oversaw PKI implementation broadened its mandate two years ago to oversee all identity authentication, regardless of technology, she says. “However, not all jurisdictions have that kind of governance body.” Different provinces are at different stages – British Columbia is piloting virtual identity cards, but other provinces are still developing mechanisms. “A task force is working across jurisdictions to develop a standards-setting process to handle this in a pan-Canadian way. There’s been some progress but this isn’t cooked yet,” she says.
The intent is to agree on the underlying standards that define identity to enable different technologies to interact, and not to use a single technology. “What gets in the way of sharing information is not having confidence another jurisdiction is using the same level of trust as we do. If we can get the inputs right, then we can share personal information appropriately while also respecting privacy rights.”
New forms of horizontal sharing are also coming down the pipe and these will require new governance models, says Langhout.
“There’s a lively discussion in government around horizontal policy and how to do that,” she says. To deal with many broad social issues such as poverty and recidivism, many ministries must work in concert. “It’s not about all your business, but a piece of it that you want to do differently and in collaboration with others.”
The governance model from the shared services sphere doesn’t fit this new policy sharing form, nor does it fit well in Ontario’s I&IT cluster model. “This reinforces the importance of I&IT having the ability to govern itself horizontally across government because more and more we’re being asked to support initiatives that are not ministry-specific,” Langhout says.
Another area that has major growth potential, but where there is no track record, lies in sharing investments in IT infrastructure across different levels and types of public sector organizations, she says. “Provinces, municipalities, agencies, boards – all invest in IT and there’s probably a lot of overlap. If we could figure out how to collaborate better, we could produce better results for the one taxpayer at the end.”
These initiatives will also need new governance models that allow disparate organizations to agree on the business rules. “For example, if the province of Ontario wants to work with the municipality of Waterloo and a local school board on a project, then we’d need a group that represents all these players and can make decisions about their collective resources,” she says.
Vertical meets horizontal
At the federal level, the government’s focus is on community-building to facilitate new ways of sharing information and resources, says Chuck Henry, CTO of the CIO Branch of the Treasury Board Secretariat (TBS). “Horizontal governance across organizations is the most interesting development in this space,” he says, adding a policy directive is being developed to provide guidelines. “We’re just months away from having some good horizontal governance rules in place,” he says.
The directive will also recommend elevating the status of the CIO Council, he adds. “Our goal is to make the CIO Council, which includes all the CIOs of larger government organizations, officially recognized as the adviser to the CIO of Canada for the purpose of managing IT policy.” The objective is to create a clearer voice in setting horizontal strategies. “We can give guidance to horizontal service providers from an IT perspective.”
He points out there are also vertical governance challenges to tackle as the horizontal movement grows. There are lines of accountability between deputy ministers and CIOs, which come with the traditional challenge of ensuring business and IT plans are aligned.
“We’re hopefully transitioning to a time when government CIOs are part of the C-suite,” he says. And there are lines between the CIO and IT staff, and ensuring they have a common set of goals. “So the CIO is the focal point for the vision to the people in the trenches.”
All three areas need to be considered going forward, he says. “We want to ensure there are knowledgeable service providers dealing with knowledgeable clients, and the horizontal stuff people are building is effective in meeting those vertical challenges.”
Henry points out there are limits to what can be done on a shared basis. “Although we think we can do a lot shared, we can’t do it all – there’s still about 40 or 50 per cent of IT that’s very aligned to particular organizations, like the DND and its command and control systems.” But he points out even in those instances, there are other things that can be shared, if not the IT systems themselves.
“We would like to share other things around them, such as application methodologies, design styles, base technology components and so on. We need to create larger communities aligned around types of technology so we can share resources across government,” he says.
All governments are struggling with these horizontal and cross-jurisdictional issues, he says. “The same thing is happening internationally. We need to talk to the U.S. government about things coming across the border.”
The process to create a new governance structure around border issues and the right IT infrastructure to address them is similar to any new governance initiative: discussion about the business rules to create an interface together, a consultation framework that satisfies all parties that the rules are legitimate, and then putting the technology framework in place to support the initiative.
Doing government business horizontally means people need to talk more, he says. “This is why we’re heavily focused on community, because that communication allows horizontal initiatives to be more effective quickly.”
Web 2.0 technologies that allow people to collaborate across time and distance will play a big role in the future. “This is a focus I’m trying to bring to the job – I’m pushing hard on developing communities by experimenting with wikis and other Web 2.0 technology. Once those communities develop a vision, then our job at the Treasury Board is to look at the plans coming forward to see how people are sorting out their program accountabilities against that shared vision, and figuring out where it’s important for IT to line up and where it’s better it remains distinct,” Henry says.
This won’t be easy for CIOs, he warns. “They’ve got limited time and money, and frankly, I’ll be asking them to invest some of that in communities – but the value we’ll get out of that is a broader and deeper understanding of areas where we have clear opportunities to save money and address issues.”
In both the public and private sector, organizations have injected more rigour, discipline and metrics into IT organizations in recent years via IT governance methodologies. An array of acronyms – COBIT, ITIL, PM and BTEP – describes methodologies that address different aspects but fit together well, says Henry.
“COBIT is a complete IT framework which basically guides how to plan, build, run and measure IT. It’s our master model, except we’ve replaced the COBIT view of the ‘run’ piece with the ITIL 3.0 view on IT service management and delivery. COBIT and ITIL have done a lot of work to keep themselves aligned, and organizations around the planet use both to make IT more effective,” Henry says.
BTEP is a methodology developed by the Government of Canada (GOC) for business process transformation, he says. “This makes for a consistent set of reusable planning assets that allow you to get to a good project.” After BTEP comes the final step around project management (PM), which guides the actual execution of an IT project to ensure systems are delivered on time and on budget.
Adoption of these methodologies across the federal government is patchy. “We’re well on our way in different places,” he says. “There’s lots of focus on project management and we’re getting better at doing it. With ITIL, the CRA and Public Works have been focusing on it for the past couple of years and are delivering solid results.”
At the provincial level, more formal project management discipline was introduced two years ago in Ontario and is fairly well-established, says Langhout. But the range of methodologies that are being introduced can be overwhelming. “All these methodologies are out there, but in trying to do it all, people try to evade some of those best practices as they can be onerous.”
More discipline in planning and documentation makes an application more useable in the future, but in the here and now, it means telling customers their projects can’t be implemented right away – which can make them unhappy. “It’s important that we get buy-in from business areas so they understand why it’s important to have more rigorous processes,” she says.
Trends are similar at the municipal level, says Roy Wiseman, CIO of the region of Peel in Ontario. Adoption of formal project management frameworks is fairly widespread, and most IT organizations are also adopting ITIL to get their houses in order, he says.
But adoption of COBIT, which creates the master plan for aligning IT with business objectives, is still at the early stages. Although the region of Peel recently completed a COBIT assessment to get a better understanding of its objectives and IT project priorities, Wiseman says he’s not hearing much about COBIT in government circles. “We happen to like COBIT, but it’s not getting a lot of buzz yet. If you’re a significant IT organization, you’re expected to have ITIL in place, but COBIT is seen as more optional,” he says.
While there are many similarities between the public and private sectors’ IT governance initiatives, there is one crucial difference, says Will O’Brien, partner at the Toronto-based consultancy Manta Group, which conducted the COBIT assessment for the Region of Peel. “There’s nothing linking good corporate governance to IT in the public sector. Whereas, it’s directly linked in Sarbanes-Oxley legislation, so the private sector has been forced to comply.”
Preventing another Enron scandal was the stimulus for improving corporate governance, but government scandals haven’t created a similar reaction in the public sector, he says. “I think government scandals may put the spotlight on governance, but there’s no driving force – it’s really up to the leadership of whatever party is in power to initiate good governance or not.”
As a consequence, there’s no over-riding program around governance of IT in the public sector to drive out enterprise-wide requirements, he says. “It’s ironic, but there’s little governance around governance initiatives, which should be run like any other program. The net result is that few government initiatives address enterprise concerns – they’re run in silos to address a particular organization’s issues or they deal with point-in-time solutions.”
But in both sectors, the general trend is increased focus on management of IT risks. “The risk-based approach for creating and rationalizing the right control environment to provide governance is picking up steam on both fronts.
“Many organizations recognize that a systematic approach is needed to assess and mitigate the threats, vulnerabilities and exposures of their businesses. But adopting IT governance methodologies is often a rote exercise in some organizations,” O’Brien says. “Instead of really rationalizing what they need to have in place to manage their investments, people are just putting things in place to get them in place – it’s a ‘something is better than nothing’ attitude.”
O’Brien believes there will be convergence in the marketplace around different methodologies and best practices. “They will eventually all come together. But right now, we have competing methodologies.”
ITIL, for example, is similar to ISO 20000 in addressing IT services management, but there are some key differences. “ITIL is fine from a government perspective. But unlike ISO 20000, ITIL isn’t a standard and you can’t certify an organization to it – it’s a certification for staff.”
Measuring governance value
Value governance is an emerging approach that tackles a perpetual problem in IT circles: how to quantify its value. “Val IT is another framework that’s come out of the IT Governance Institute. It’s basically an add-on to COBIT that provides better IT-business alignment, and in the government context, more voter-government alignment,” says O’Brien.
IT is traditionally viewed as a cost centre, explains Fariba Anderson, a partner at the Manta Group. “Its focus has been to reuse costs and deliver more value.” COBIT has changed this view to an extent. “In COBIT, the view is, forget the concept of IT as a cost centre – if you spend money, then you’re a business, and as a business, you should comply with fundamental business principles.”
Building a control environment that enables value governance means being able to measure the value of each initiative, says O’Brien. “Value governance is ultimately about being able to take the demands of voters – the programs and services they want – and being able to translate that demand into some sort of quantifiable value driver or metric.”
To illustrate the potential benefits, O’Brien cites a successful initiative in Ontario to create one common payment process out of different modules used by various ministries to receive payments from citizens for services. This meant developing one 20-step process useable by all from various departmental payment modules that ranged from six steps to 19, he says.