Alan Calder on IT Governance, information security & ISO 27001

Confusion apparently surrounds the future of the job running the NHS’s £12.4bn flagship IT programme, and the timetable for the departure of director-general Richard Granger.

Wouldn’t it be nice if there were proper leadership of the NHS? But, as the NHS is increasingly run from 10 Downing Street, indecision and interference will get increasingly worse. And there’s every chance that the CfH programme will, without proper leadership, lose its way and we’ll see any improvements that have actually been achieved whither away.

Bruce MacEwan has a very good post on his blog about the IT governance issues facing law firms as they pursue mergers. While his particular focus is on the economics of law practices, there are many excellent points here that relate to mergers in any industry. This is clear, concise guidance for anyone involved in a merger or acquisition – the 25-odd M & A deals I’ve been involved in (as an executive or CEO) all demonstrate that absolute accuracy of these comments – and, insofar as IT governance is fundamentally about how the direction that directors or top partners set for IT within the firm, this advice is spot on. I think there’s a book in this!

CIO Magazine has some eyecatching research that underlines how critical it is for CIOs to report to the CEO rather than the CFO. The impact can clearly be seen in various ways, such as how much access the CIO has to other senior execs to how much time is spent on tactical rather than strategic IT issues.

Regulators, investors and customers are demanding that businesses become far more effective in how they utilise and control their IT investments. That is why IT governance will without doubt become one of the top boardroom issues of the next few years. However, until it becomes understood and accepted that the correct reporting line for the CIO is straight to the CEO any moves towards proper IT governance will be seriously hindered.

IT Governance, as Jason Cole points out, is more than project management, more than regulatory compliance, more than CobiT or ITIL or ISO 27001.

It’s also somewhat more than his article suggests. There are three books that tackle this subject, a Weill and Ross book (How Top Performers Manage IT for Superior Results) from Harvard Business Press, a compact and concise guide for Directors (IT Governance: Guidelines for Directors) and IT Governance Today: a Practitioner’s Handbook.

Even more usefully, there is a new framework that pulls together all components of IT governance (the Calder-Moir IT Governance Framework) and the related IT Governance Framework – Toolkit that is designed to help organizations of all sizes make a start with tackling IT governance at their own pace and in their own way – and at a cost somewhat less than is likely to be extracted by a substantial consultancy provider.

With all these resources so easily available, there’s no need for anyone to wonder what IT governance actually is, or to work out how to get started with realising the real business benefits of implementing an IT governance framework.

Following the apparent derailment at Connecting for Health, let’s hope that another prestigious national project fares rather better with its systems delivery. The Olympic Delivery Authority is said to be close to selecting an information systems supplier, with Accenture amongst the contenders (better luck this time). I hope that the ODA will research the NHS experience as a case study in how not to do things, and ensure that proper IT governance processes are put in place and adhered to.

If Health Service IT systems run two years late, we give a weary shrug and sort of expect it. If the Olympic systems aren’t ready on time, it will be national humiliation on a global stage. IT governance is about managing that sort of risk.

Getting the best out of Information Technology is rightly spoken of as one of the most pressing responsibilities facing boards in the next five years. However, few organisations currently have the knowledge or skills to develop an appropriate IT governance response – instead, they often become unnecessarily reliant on (costly) outside advice.

Therefore, to help companies and their boards tackle this challenge, we have launched an IT Governance Framework Toolkit, which provides everything a business needs to create a best practice IT Governance regime. Companies will be able manage the entire process in-house and at less cost than a single day’s consultancy.

The Toolkit, which simplifies and accelerates the development of an IT Governance framework, has been created jointly by Steve Moir – a highly experienced IT governance consultant – and me, drawing upon my books ‘IT Governance: Guidelines for Directors’ and ‘IT Governance Today: a Practitioner’s Handbook’.

On a single CD-ROM, the Toolkit provides the full means to understand, organise, adopt and monitor IT Governance practice. Its 98 separate documents include templates, guidelines, checklists, questionnaires, slide presentations, assessments and planning tools, all of which have been specifically designed for the purpose. In addition, each Toolkit includes electronic copies of both of the above books, which offer plain-English guidance on all key aspects of the process.

The toolkit is priced at only £995.00/$1,810.90/€1,442.75, which includes a full online support service covering all aspects of the implementation process. To learn more or place an order click here.

Accenture has decided to walk away from its £2 billion contract to help modernise the National Health Service’s IT systems. A termination deal has been worked out in which it will pay only £63 million to its government client, Connecting for Health – a lot of money, but presumably better than it could have been.

But what a shocking indictment of the IT governance within this flagship project: one of the world’s top IT consultancies prefers to cut its losses despite such major cost to itself, while the project itself is already running two year late. I imagine that CSC, which is taking on Accenture’s role, will be looking for major assurances that the project goalposts will stay fixed henceforth.

A recent statement by Aidan Lawes, CEO of the itSMF, had him expresssing a belief that ITIL should be about integration – rather than alignment – with the business, and that there are now only business processes. That’s completely right – and there is a key point there for all IT governance practitioners – even for CobiT!

This promises to be an interesting event. Sherron Watkins, the celebrated Enron ‘whistle blower’, will be addressing an IT governance symposium in August in Orlando. Ms Watkins is obviously doing well on the lecture circuit, but it’s hard to begrudge that, and she seems an excellent person to talk on IT governance. Enron is the starkest illustration of how vital proper governance is to the running of an organisation and the potential dire consequences of taking this lightly. Let’s hope a few CEOs go along to hear her.

Type ‘liar’ or ‘failure’ into the Google search box and see whose personal Internet sites are right at the top of the organic search listing for each of these terms. Whatever your own personal views of these two individuals, a quick scan of what’s on their websites will not find any occurrences of either of ‘liar’ or ‘failure’. So, how did their sites acquire these top rankings?

The power of internet links, that’s how. So many people have linked to these sites using one of these terms that the Google algorithm has ranked the sites as number one for them. While this fact conveys an important message to both these folk, it has a broader implication for anyone interested in IT governance and intellectual capital management.

An organization’s brand and brand name are of part of its intellectual property and have a fundamental importance to its long term competitive success. Where an audience’s experience of the brand diverges sharply from the brand’s values, the Internet provides them with a means of telling everyone what they really think. They’ll use it – and once a site has acquired that sort of ranking on the basis of direct links, the only way to delink is to de-commission the URL – and that’s a potentially expensive step, particularly for any organization that uses its URL as part of its identity.

If ever there was a reason for brand integrity, there you have it.