These days, many CIOs in Asia are in a frenzy over America’s Sarbanes-Oxley Act, or Sarbox. Not Daniel Lai, chief information officer of Hong Kong subway operator MTRC. In mid-2000, he and his team started developing an enterprise-wide IT governance system that aimed to document, monitor, and control all IT processes that deliver and sustain sources of business value—which means practically everything at IT-enabled MTRC. So when KPMG started its audit work in August, including the examination for the first time of internal-control systems under Sarbox, the IT department had everything in hand. “All the documentation and controls already exist,” says Lai.
If only others in Asia are as well-armed. According to the non-profit IT Governance Institute, only 17% of the world’s companies have implemented an IT governance solution, with another 19% in the process of putting such a framework in place. The findings are contained in the IT Governance Global Status Report 2006, the result of a survey of 695 CEOs and CIOs, of whom 38% are in the Asia Pacific. A whopping 36% of respondents are not considering instituting IT governance at all. Observes the report: “Implementing IT governance is not as easy as organizations might have thought.”
Maybe so, but companies may not have much choice going forward. Across Asia, legislation similar to Sarbanes-Oxley is wending its way through parliaments and congresses, with places like Australia, Korea, and India already requiring Sarbox-like regulations. In Japan, the Financial Instruments and Exchange Law passed in June this year requires companies to evaluate and certify internal controls by 2009 as part of the law’s “J-Sox” provisions. This means that the IT systems used to generate, amend, store, and transport data must be governed by controls that help assure external auditors the financial statements are accurate and reliable—and ensure that CEOs and CFOs who sign off on the numbers stay out of jail.
Beyond compliance, an even more powerful tide is the growing alignment of IT with the business, what the Economist Intelligence Unit (EIU) in a recent report calls the “expansion of IT’s mission from cost cutting to revenue generation.” In a survey of 288 executives from 58 countries, the EIU found that 83% of CEOs and board members polled believe that IT’s predominant strategic role in three years will be to enable revenue growth, rather than to drive cost efficiency as is the case today. With its focus not only on controls but also on transparency and return on investment, IT governance can play a key role in accomplishing this far-reaching mission.
Here’s the rub. While expectations about the role of IT in growing the business and governance are expanding dramatically, CIOs are cautious about how quickly they can rise to the challenge. The EIU detects an expectations gap between the executive suite and the IT troops, particularly in the Asia Pacific. While both C-level executives and IT managers in North America agree that IT’s primary role in the next three years will be revenue generation rather than cost reduction, IT specialists in Asia still see their contribution as chiefly enhancing operational savings. The EIU measures the gap between the two sides in Asia at 23 percentage points, compared with 13 points in Europe and just three in North America.
The cautiousness may spring from IT’s recognition of the realities on the ground. IT governance cannot be implemented overnight, warns MTRC’s Lai, who spent more than a year adapting various international standards such as ISO 9001:2000, SEI CMM Level 2, and modified system development life cycle and project management methodologies. Solutions must be tailor-made for the MTRC, which is something of a hybrid enterprise. A public utility majority-owned and regulated by the government, it also answers to private-sector investors, having listed in Hong Kong in 2000, and to holders of debt notes it floated in the US (which is why MTRC must comply with Sarbox).
For all its seeming finished state, IT governance at MTRC is still evolving. While guidelines, procedures, and benchmarks are in place, most reports are prepared and analyzed manually using customized spreadsheets, and there is no dashboard that tracks IT services performance versus targets in real time. “We are looking at what are some of the suitable [commercial IT governance] products, but so far we have not seen any that provides an overall end-to-end solution,” says Lai. He reckons that the current system is working well enough in keeping IT projects on track, including an upgrade of the enterprise asset management system—MTRC’s assets now total more than HK$113 bn, up 76% from 1996.
MTRC’s system appears to fit the classic definition of IT governance. According to KPMG, it is “a set of business processes that imposes a performance discipline over investment decisions, investment management, resource management, risk management, project (value) management, and communications” across the entire organization, not just the IT department. The processes require “many layers of organizational commitment, from senior executives’ business sponsorship to the management of detailed project services and individual project resources.” They may or may not be automated, even though vendors like CA, Mercury and Compuware are coming out with software suites that promise to create real-time IT governance dashboards.
IT governance also requires time to take root. “It is not just about having controls in place,” says Edge Zarrella, KPMG’s global head of information risk management. “It’s not just having tools and reports. The major component that people often forget is the cultural behavior aspects. What is your controls consciousness?” Some companies have phenomenal security controls in place, but hackers still get through. “Why? Because employee behavior on security is very poor,” Zarrella continues. “IT governance encompasses behavior, the cultural aspects, the people aspects, the processes, how you monitor it.”
But can the business wait? Increasingly, impatient CEOs and sometimes CFOs are taking the lead in IT adoption, with the CIO reduced to functioning as a mere implementor. The CEO sees the competitor down the road putting a customer relations management system in place and asks IT when the company can get one. In 2009, the CIO may reply. It is the extraordinarily patient and self-confident executive who is willing to wait for three years for IT to implement CRM, business intelligence, or whatever IT solutions of the month other companies are purchasing.
This is true even in compliance. KPMG’s 404 Institute recently surveyed 1,000 executives in US companies and foreign corporations bound to comply with Sarbox. Half of the respondents singled out IT as the most challenging area in achieving compliance, and many said they did not bother to include the CIO in designing IT solutions. The CEO and CFO may not have wanted some persnickety, techno geek gumming up the works and possibly making the company miss its Sarbox deadlines.
Enter the Consultants
Executives today know enough, or think they know enough, to conclude that data-mining, CRM, web-based marketing, and so on can be sources of competitive advantage. And no slouches in riding trends, IT consultants, commercial vendors, and non-profit institutes are taking pains to make their products comprehensible to the suits, not just to the IT department.
Cobit—Control Objectives for Information and Related Technology—is a case in point. Developed by the IT Governance Council, this IT governance framework was specifically designed for the layman. “IT governance can appear to be a boring subject to our colleagues in business operations, and without any background in IT, many of them may never understand it,” says Emmanuel Rodriguez, regional head of information technology at Prudential Corporation Asia. “We adopted Cobit as our framework because its language is easy for non-specialists to understand.”
There are other IT governance frameworks that have been developed, among them Information Technology Infrastructure Library and Unified Compliance Project, to guide the development process and make sure all the needed governance structures are put in place. The IT Governance Council and its mother organization, Isaca (Information Systems Audit and Control Association), are arguably the most active. Isaca international president Everett Johnson has just completed a tour of Asia, during which he promoted a new enhancement to Cobit called Val IT.
“This initiative is all about getting more value from your IT investments,” Johnson explains. The Val IT protocols are meant to address the problem of ill-conceived and ill-executed IT and IT-enabled business projects, which result in software turning into unused shelfware. “Gartner did a study on this a couple of years ago, and estimated that billions of dollars a year are wasted,” notes Johnson. Protocols and guidelines for Val IT have been released, with some initial business cases and best-practice case studies as further aids for adoption by individual companies. The next phase will focus on benchmarks based on the experiences of some 50 companies involved in the research.
It is possible for a company to use Cobit as a framework at a nominal fee, if its IT department does the job on its own. Another route is to hire a consultant, which will need to be licensed in the use of Cobit for commercial purposes. Prudential Asia went with a consultant to develop and implement its IT governance solution. Rodriguez declines to say how much the company paid, but says it was worth every cent. He estimates that the IT governance project will take 18 months to complete. That’s not too long a timeframe, he says, considering that Prudential offices in 12 Asian markets are involved.
The consultants typically talk a good game. “We work in the yin and the yang of IT governance,” says Simon Roller, worldwide business development manager for management solutions at Hewlett-Packard Asia. The ying is the narrow task of putting governance in the IT department; the yang the broader job of using IT to promote governance across the enterprise, things like Sarbox compliance, security, and business continuity. Beyond that, continues Roller, is the “organizational design” of the IT governance solution.
“We answer the question of what is the appropriate governing model between IT and the business,” explains Roller. “How will ideas like IT shared services, outsourcing, return on investment, and so on fit into the governance configuration?” Part of the service would be playing marriage counselor to IT and the business by articulating how to get the relationship right to enable growth. “IT has often been very slow, not as supportive of the business as it could be, not as efficient, not necessarily accountable,” says Roller. “Now the business is saying, give me the governance model, the supply chain model, the financial model to make IT run as a business for the business.”
Automation ‘R’ Us
Software vendors are also scrambling to climb aboard the IT governance train. America’s CA paid US$350m last year for IT governance solutions specialist Niku. It has just introduced an upgraded project and portfolio management (PPM) solution called Clarity 8, comprising four modules, including a portfolio manager that features a real-time CIO dashboard that details the running total cost of each business service, and a risks and controls manager solutions pack that includes several frameworks, including Cobit. “Clarity 8 can help the IT-enabled enterprise reach its goals,” says Malcolm Lister, CA’s director of financial services and security, “whether it’s automating manual processes, whether it’s selecting projects to focus on, or whether it’s optimizing the way you organize your processes.”
Mercury Interactive, which in 2003 acquired Kitana, another IT governance specialist, has come up with the Mercury IT Governance Center offering. Compuware bought Changepoint in 2004. “Unlike our competitors, our solution is one integrated package, not several modules that need cobbling together,” says Bob Donald, Compuware’s vice president for partner business development. The focus, he adds, is on three “real value points”: portfolio planning, management of resources earmarked for projects, and identification of unnecessary or wasteful IT products and services.
One common thread of these new products is their supposed ability to red-flag gaps in a company’s IT infrastructure—something that has providers of information security solutions, email and digital documents storage, and disaster-recovery systems anticipating a bonanza. Cybertrust, a leading global e-security company, is particularly bullish on managed IT services. “Companies can outsource the monitoring and management of their key security infrastructure to us, and we can quickly produce compliance reports that help tell auditors and regulators that they are generally complying with Section 404 of Sarbanes Oxley and with Cobit standards,” says Jeremy Pizzala, vice president and general manager for Asia.
All these IT products and services, of course, cost money. Compuware’s Donald says the Changepoint IT governance solution starts at US$100,000 to several millions of dollars, depending on the size and complexity of the organization. And just like a person who finally goes for a comprehensive medical check-up after years of prevarication, the IT governance system may diagnose so many deficiencies that the enterprise may need to spring for many more IT services than it had thought it needed.
Is it worth it? If an enterprise is under the gun to comply with Sarbox 404 and similar legislation, it may have no choice. Some companies may opt to do the heavy lifting themselves by devising and implementing an IT governance solution in-house as MTRC did, but they run the risk of ending up non-compliant if the effort turns out to be a dud. Remember, testing and attesting to the adequacy of internal controls under Sarbox—and J-Sox and potentially other Soxes around Asia—will be an annual requirement, so a robust system is preferable to a makeshift one.
There could be bigger rewards. The KPMG study has found that organizations with effective governance in place, a strong investment process, an IT architecture that facilitates change, and a robust change management process “were better able to leverage the capabilities of their infrastructure and design disciplines to achieve faster, less expensive, and more sustainable IT solutions.” That’s not a small thing, given the huge amounts of money that Gartner and other research organizations say are wasted on software turned shelfware.
All that said, KPMG’s Zarrella counsels caution in implementing IT governance. Not every company may need the same level of rigor in controls, for example. A financial institution bound by strict regulations and with a very low risk appetite may insist on very tight controls. “But if you’re an entrepreneurial company, you may be content with just the basic controls,” says Zarrella. He is also wary of over reliance on dashboards. “Enron,” he points out, “had phenomenal dashboards.” A framework and dashboard are great tools, but they are useless if people do not act on the red flags.
Both MTRC and Prudential Asia endorse the slow-but-careful approach—and the need to sell IT governance to everyone in the organization. At Prudential, Rodriguez has produced a user-friendly book detailing the Cobit protocols called the IT Governance Cookbook, with case studies, best-practice examples, illustrations, and pictures. He and his team are currently awaiting the return of a 40-item survey questionnaire sent to the head of IT, head of audit, head of compliance, and CEO of each regional unit in Prudential’s 12 markets in Asia. The aim is to find out whether they had read and understood the Cobit framework, identify the gaps, and design a training program to close those gaps.
What about the business’s expectations that IT contribute to the topline, not just cost-cutting in the middle line? The first goal does not necessarily need to wait on the other. At Prudential, says Rodriguez, the implementation of CRM, business intelligence, and other revenue-enhancement IT projects is proceeding in parallel with the IT governance initiative. The company already has IT evaluation, decision-making, and monitoring processes, which will eventually be integrated into the IT governance structure.
Noting the high cost of compliance, Zarrella says outsourcing may be the answer to IT governance in the long-term. He has worked with an organization whose cost of compliance is US$500m a year—”and going up 20% per annum.” To control those costs, the testing of internal controls, says Zarrella, can be outsourced to a shared-services center or an independent third party. Security, data storage, and other IT services can also be farmed out, as indeed is already being done by multinationals.
Where does that leave the CIO? Hopefully, not “Career Is Over,” as the joke goes about what those three letters stand for. The slimmed-down IT department will have its hands full monitoring the outsourced IT functions, including IT-enabled control processes, as well as helping meet the business’s revenue targets. “I don’t agree that the role of the CIO is primarily cost-cutting,” says Prudential’s Rodriguez. “I believe it is both cost efficiency and helping drive revenue growth.”
The CFO’s sentiments, exactly.