Week 05:IT Strategy

Very interesting and diverse set of comments this week.  Did you notice how quickly the nice orderly world of ISACA  (basic and admin controls, enterprise architecture, strategy and steering teams and RACI  charts) became chaotic? There is an important point here, its called POLITICS.  Not the nation-state kind, nor necessarily the back stabbing kind.  The best definition I know of politics is “Who gets what, when, where, why and how.”   You can go into any organization, find its IT strategy, find a steering team and apparently they are doing the right things.  But, until you understand who the committee members are, what interests they represent, which groups have more power than others, you will not really know what is going on.  The Weill and Rose article should open your eyes to some of the possibilities.

The thing we want you to take away from this discussion is that implementing an IT strategy is also a political exercise.  Yes, having a great plan based on an excellent enterprise architecture is important, but you need to get it accepted throughout the organization.  This means you need to get buy in from anyone who is in a position to shut you down.  You need to get all the other players to understand, buy in, and support you when things go wrong. This will involve a lot of skills that IT people are not usually known for.  There are likely to be difficult negotiations, private lobbying, dramatic speeches, and lots of grass roots communicating.  Good CIO’s have these skills and have probably used them to define a comfortable status quo with the rest of the organization.  As an auditor, you may find a problem that has the potential to upset that status quo and hence threaten the CIO.  Be aware.

Though ISACA indicates otherwise, having a board member serve on the IT strategy committee is not common practice.  In fact, I have neither experienced nor heard of a single incidence of an independent board member sitting on the IT strategy committee.  The only circumstance under which I can imagine it happening would be one in which corporate executives (employees of the company) are also board members.  In this case, wearing his/her corporate hat, the director could coincidentally be a member of both the IT strategy committee and the board.  However, the roles are distinct.

To clarify:  the board’s activities with respect to IT governance (including strategy) are to approve and to oversee.

I’m seeing lots of good posts on archetypes, well done.  Being a Political Scientist by training, its important to me that you understand that these archetypes represent the politics of organizational decision making around IT.  By defining who is making these decisions I can affect what decisions are being made.

So, think about a company with multiple lines of business (LOB).  How powerful is the center vs the heads of each LOB?  If the LOB heads are very powerful (think “we make all the profits you center guys just cost money”) then you will likely have a Feudal archetype.  If there is a strong center (CEO,CFO,CIO) then you probably have a Duopoly or Federal  archetype.

While you will never get a CISA or CISSP question on archetypes, they can help you in your work.  If you are in security and proposing a significant spend to the CFO and CIO and all the decision making power is in the hand of the LOB’s, you are barking up the wrong tree.  If you are auditing enterprise architecture and see all the right plans and documents but everyone is allowed ti do their own thing (Anarchy), then you have the same problem.

Lyndon Johnson, former US President, once said of politics  “Before I enter a bar, I like to know where my friends and enemies are sitting.”  You need to understand how decision making is being done and who is involved (and who isn’t) to really understand how IT governance is done and influence the decisions.

Comments please.

 

Readings

1. Describe the five IT questions that Weill & Ross (see Figure 3-4) see all organizations making?
2. How do the Weill & Ross questions line up to the McKinsey questions? What’s changed in the last 15 years?
3. Which archetype do you think is the most rare? Most common? Why?
4. What is the difference between and IT Strategy committee and an IT Steering Committee?
5. What archetypes do you see in your company? How well do they work?

 

No case this week