Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

An IT governance model needs risk and communications components

An IT governance model is critical to the success of any midmarket organization. Learn how risk assessments and communications are essential parts of any IT governance model.

Any midmarket company that considers IT a strategic part of the business should have a formal IT governance model in place. In this podcast, SearchCIO-Midmarket.com Executive Editor Karen Guglielmo interviews Forrester Research Inc. Vice President Craig Symons about how to implement an IT governance model, measure its success and communicate its importance across the company.

SPEAKER'S BIOGRAPHY: In his role at Cambridge, Mass.-based Forrester, Symons serves CIOs and is a leading expert on deriving business value from IT investments. He helps Forrester clients implement improved IT governance to drive strategic alignment and maximize the value of IT-enabled business change investments. Symons uses an IT balanced scorecard to help clients measure and communicate IT performance to stakeholders. He currently focuses his research on IT/business alignment, IT performance measurement, IT governance, IT portfolio management, IT investment management, IT demand management, IT human capital management and running IT like a business.

Play now:
Download for later:

An IT governance model needs risk and communications components

  • Internet Explorer: Right Click > Save Target As
  • Firefox: Right Click > Save Link As


Hello. My name is Karen Guglielmo, Executive Editor for SearchCIOMidmarket.com and I'd like to welcome you to today's expert podcast on the importance of an IT governance model.

I'm joined today by Craig Symons, a vice president at Forrester Research. In his current role, he serves CIO professionals and is a leading expert on deriving business value from IT investments. Craig helps Forrester clients implement improved IT governance to drive strategic alignment and maximize the value of IT-enabled business change investments. He uses an IT balanced scorecard to help clients measure and communicate IT performance to its stakeholders.

Craig focuses his research on IT/business alignment, IT performance measurement, IT governance, IT portfolio management, IT investment management, IT demand management, IT human capital management and running IT like a business. Welcome, Craig.

Symons: Hello, Karen. Thanks for having me.

As I mentioned earlier, we're here today to talk about the importance of an IT governance model in the midmarket. I will spend the next eight-plus minutes asking Craig to answer a number of questions about today's topic. So Craig, let's get started.

First, tell us what percentage of midmarket companies (those with 100 to 1,000 employees) that you've seen have a formal IT governance model in place currently?
Symons: I think it's important that you use the word formal there, because in the broadest sense, IT governance is about making IT investment decisions, and therefore all companies are doing this. So the real question is, are companies doing this on an ad hoc basis or do they have something formal or documented? I can't give you a scientific answer on that, I can only give you an anecdotal response. I would say today, best case, we're looking at only half of those organizations that have taken the time to formalize their governance.

Would you say IT governance is more or less important to midmarket companies vs. enterprise organizations?
Symons: Well again, if we think about what we mean by IT governance, I don't know that there's a relationship between company size. I think there's more of a correlation to what I would call IT intensity. I define IT intensity as the role IT plays in the organization. If you're a high IT-intensity organization, you would be one where IT is a strategic component of the overall business. IT essentially enables products and services. In that case, I would think that formal IT governance is much more important than a company which we would call a solid utility, where IT is basically only in a support role. I think that's a much better measure than company size. But at the end of the day, since governance helps us make better decisions around IT and helps us maximize the value of those investments, I'd say it's important to all companies of all sizes.

How important is communications around IT governance?
Symons: I think communications is really at the heart of IT governance. The problem that I find in the consulting work that I do with organizations is a major disconnect between IT executives and business executives. A lot of this is as a result of either a lack of communications or sometimes the fact that they communicated different terms. IT still continues to communicate in more technology terms, which is just not relevant to the business and they just don't understand it. So good communications is extraordinarily important so that everybody is on the same page and that the business and IT become very closely engaged. Because in reality, what we're talking about with IT governance is not really IT. A better term would be business governance of IT. Again -- we're making strategic decisions on where we're going to invest in technology and those are really business decisions, not technology decisions. In that case, communications is key.

So let's talk about measurements. How do you measure the effectiveness of your IT governance model or your efforts and processes around IT governance?
Symons: The simplest measure would be the value you're getting from those IT investments. The problem with that would be that few organizations are actually measuring that value. We do a lot of survey work at Forrester when we ask people about their process for approving IT investments. Over 90% say they have some formal mechanism -- whether it's a full-blown business case or simple ROI analysis, they have some mechanism they use to review projects and either approve or deny them for funding. But when you go in and ask those same people how many of you actually go in and measure the actual results of these investments, only a little over one third tell us they have a consistent process in place to do that.

So if you're not keeping score, it's a little difficult to know what you're getting and to improve. I think that's the real important point here. When you keep score, you can learn from that and you can feed that back in and you can improve. The best measure is the value. You can do that in a number of ways. Probably a better way if you're not measuring the actual results -- look at what is the cumulative value of the benefits you expect from your portfolio. So if you totaled up all the benefits from all the projects you're working on, what value is that to the organization? Another good measure is alignment. It's hard to get value if your IT investments are not aligned with business strategies. So measuring what percent of projects in the active portfolio are aligned with specific strategic business initiatives is a good measure for governance as well.

For organizations that are less mature and don't have all these methodologies and processes in place -- just looking at the engagement between business and IT can be a good measure. So do you have an IT steering committee would be the first one. And if you do, how often does it meet and what are the outcomes from those meetings. Some other governance-related measures have to do with customer satisfaction. What are your customers telling you? What is their overall satisfaction with IT? What is their overall satisfaction with projects that IT is executing on behalf of those customers? I think that's a good start in measuring the effectiveness of IT governance.

How important is IT governance to mitigating risk in the midmarket?
Symons: I think that's probably one of the areas where there's the most room for improvement in most organizations. I don't think they do a very good job of assessing risk and incorporating risk into their decisions. Simple example -- we all know from reading in the press that IT doesn't have a high success rate of executing projects on time and on budget. Some of the more conservative statistics tell you it's only about half. Yet every business case I've ever seen assumes that the project's going to be completed on time and on budget. Well if you know that, you're only good at 80% of it -- you should be factoring that into the overall business case. So I think one of the things about governance is, it's really maximizing the value of your IT investments at an acceptable level of risk. And the other thing people need to understand about risk is that risk is not inherently bad. Risk at the very basic level is neither good nor bad. It's being able to account for that risk and be able to mitigate that risk that turns it from either from being bad or being good. So we want to make sure in our overall portfolio that we have a mix of projects that have different risk-reward criteria so we can do some fairly low-risk projects and at the same time that enables us to do some higher-risk projects. And when you do that, the overall risk of the portfolio can be within your risk constraints. Therefore, governance is key to focusing on that risk.

So, finally -- what are some of the critical steps that midmarket CIOs need to take to set up a successful IT governance model?
Symons: I think the first thing is to realize that we're really talking about the business governance of IT. And that implies that the business has to be actively engaged. If the business hasn't been actively engaged, it's sometimes difficult to get them engaged. If they haven't been accountable and haven't been doing it, they aren't necessarily comfortable stepping up to the plate. The best thing the CIO can do is to sit down and have a good long conversation with the CEO and CFO to help them understand why governance is important and what the impact would be on the organization and do that in business terms. There's been some research done recently that has demonstrated quantitatively that those organizations that have improved IT governance have improved business results, whether you measure that on profitability , return on equity or other financial measures. That's a start. And I think the other thing is something we touched on in an earlier question, and that is communications. The CIO really has to be an evangelist for this and really engage their peers on the business side to help them understand how good IT governance will help them improve their bottom line business performance.

And on that note, that concludes today's podcast. Thanks again to Craig Symons for speaking with us today, and thank you all for listening.

This was last published in October 2009

Dig Deeper on Small-business IT strategy



Find more PRO+ content and other member only offers, here.

Start the conversation

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.