4 Posts tagged with the deliver_business_value tag
I recently came across an interesting article on the Dawn of the hybrid CIO which talked about a new strategic frontier focused around the opportunity for CIOs to lead more broadly through the power of customer data.

 

In reading this, I reflected on my own recent evolution of my CIO role, and wanted to share my thoughts on where I looked to have broader impact, and what other CIOs might consider if they aspire to play a broader business role, and position themselves to drive revenue and impact.

 

The opportunity

In my organization, we have been continuously transforming the technology, the company and our business over the last few years to stay competitive and look for new opportunities.  On the one hand, this has been a good lesson in the fact that transformation does not end after the first big effort, but must happen continuously.  On the other hand, at each stage of transformation, I have looked for the opportunity to not only work with my CEO and executive team peers to look for ways to leverage technology in the transformation, but to take the lead to transform the company through technology.  This – for me – has provided a chance to add bottom line value in new and different ways, as well as bring my executive team along to truly understand the power of technology to drive the business.  (As a side note, I shared some of the valuable things I learned about linking IT investments to business value in an earlier transformation effort in this Center case study entitled Linking IT Investments to Business Value.)

 

More recently we have been looking at new ways to leverage data and transform the services we offer to our existing client base.  In the course of this effort, we uncovered a significant challenge with our client services department.  I saw the opportunity to leverage the approach I had taken within IT to re-organize delivery support, streamline communications, and improve our interaction with internal customers, and use it to revamp our external client services function.  I was ultimately able to make the case for taking over the client services function along with IT, and the result is a significant improvement in client satisfaction and service delivery.

 

Making the case

While this step seemed to be an obvious one to me, it took some education with colleagues and clients for them to see why the role of the CIO should transform again. And the ultimate case touched on the points raised in the article I referenced earlier – it all comes down to the data. Given that 99% of the issues that arise in our industry – and in our company’s service delivery – are data related, what makes better sense than managing that within the CIO’s office? My own business background in consulting and service delivery was helpful to the case as well, but I see the data as driving opportunity for all CIOs to take on more aspects of driving the business and leading the company towards true customer centricity. After taking the time to build the case and bring my colleagues along, upon presenting the new paradigm to the Board, they understood the need and agreed with the value immediately.

 

Where is your opportunity?

I know that I am not alone in seeing the leadership opportunities for CIOs in the exploding role of data across all industries and enterprises.  In fact, a number of my fellow Center CIO members have contributed to Center research on this topic.  My question is – how will you seize this opportunity in your own organization? What are you doing to become a “hybrid CIO?”


By Brian Barnier

 

Many CIOs are creating IT risk leaders and teams. In doing so, some are struggling to get value; others are more successful. To help you be successful, here are five steps to hiring your leader for managing IT-related risk to the business.

 

  1. Clearly define why you need to emphasize IT risk management

Was it due to a problem?  Regulatory examination? Audit finding? Test failure? Customer  commitment missed? Difficulty in managing the acquisition of another  company? System failure? System breach? Data loss? Project cost  overruns?

Or, is it an effort to improve business performance?  Smarter investment decisions? Better integrate acquisitions? Expand more easily? More efficient business processes? Reduce  business operations cost? Get more value from business-IT spend?  Clearer executive communication?

 

2. Begin with “the business”

In  hiring an IT risk leader, and designing the department that goes with  the leader, it’s helpful to start with the enterprise’s business  objectives, business model and business risks that most threaten those  objectives. For example, how much business competitive differentiation  depends on differentiated IT capability? How critical are IT operations  to the business? How is the business seeking to grow profitable revenue  and how does this depend on IT for success? Of course, these questions  can be answered differently by business line or geographic units. The  point is understanding how IT-related business risk interacts with “the  business.”

 

3. Be clear on what IT-related business risk management is – and isn’t

It’s  not: A fancy name for IT security, audits, controls or compliance management.  It’s also not just “self-assessments” done to check controls. While all  those involve and use aspects of risk management, they are not the same.  IT security is just one area within the operations/service delivery  category of IT-related business risk management. Controls are one of the  tools (along with preparedness tools) that can be used to reduce risk.  Compliance is one of the benefits or outcomes (along with performance)  of good risk management. Audit is an assurance function, risk management is, well, a management function.

 

It is, in a financial sense, about reducing risk to returns (revenue, cost, profit, share value). In an operations sense, it is about reducing risk to business objectives  (production, quality, customer satisfaction). IT-related risk  management, as described by ISACA’s Risk IT Based on COBIT (the leading  IT-related risk management framework and best practice developed by the 95,000 member, 160 country organization) covers three areas: IT  investment portfolio (the risk of “doing the wrong thing” and making the  wrong investment decisions), program and project management (“doing it  wrong” in implementation), and operations/service delivery (“doing it  wrong” in daily activity).

 

4. Five key capabilities define an excellent IT-Related Business Risk Management Leader:

    • Understand the business products and processes  and how they depend on IT. This is not general understanding, but  knowledge from a candidate who has done business process analysis and  improvement. Having a person with experience in your industry is good.  However, since specific products and process (and competitive  approaches) can vary from company to company, the real key is a person  who has the skill to dig into and understand business processes and their dependencies on IT. So look  for business process improvement/reengineering, and/or product  management experience. "Knowing the business" is crucial. The Operational Risk Handbook for Financial Companies (Harriman House, London, 2011) makes the crucial linkage more explicit.
    • Understand business-IT finance. A leader can’t frame IT-related business risk in “business” terms unless s/he first understands Finance. This is more than IT budget. IT should include business-perspective on cost/benefit analysis, return on investment and business case development. This not only allows the leader to improve communications, but also to dig into business projects to see areas of risk and help you as CIO be proactive in framing and managing those risks (along with the CFO and CRO).
    • Understand multiple risk disciplines. A person with single-discipline experience can struggle to learn the frameworks, concepts and terminology of other risk disciplines. As the overall IT risk leader, the candidate must cross the silos and bring people into a team. Thus, experience in operations, change management, release management, project management, business continuity, physical security, IT security, facilities, disaster recovery, or availability management are all valuable. The key is to have enough knowledge to relate to people in multiple disciplines and leverage them to build a stronger team.
    • Understand “tools of the trade.”  This is critical for efficiency and effectiveness. This asks if the  candidate is deeply knowledgeable in using IT risk management best  practices and frameworks such as Risk IT Based on COBIT and others.  Strong frameworks are built with the insight of practitioners from  around the world and are supported with a range of guidance documents  and user groups. To you as CIO, this means two benefits:  First, you can  more easily talk with your customers, partners, suppliers and  regulators who also use popular frameworks; and Second, that your people  can be more productive with access to training and other information  without “reinventing the wheel.” The candidate should also be familiar  with whatever your business risk leaders use for general-purpose enterprise-wide risk  management such as OCEG’s “Redbook” 2.0, COSO’s ERM Integrated Framework, the UK & European  A Risk Management Standard (ARMS) or ISO 31000. A caution flag should  go up if the candidate is only familiar with single-discipline  frameworks such as those in security, project management or disaster  recovery.
    • Team and collaborate.  Whether operating in a centralized or decentralized environment, the IT  Risk leader must not only cross the IT silos of risk, but also work  with business leaders, geographic region leaders, functional leaders,  corporate-wide risk team, finance, legal, compliance, audit and more.  They need to help people bridge the gap and communicate in terms of business objectives. Matrix-runners are good.

With  these five capabilities, you can now create an IT Risk Leader job  description for your needs. If you (or your Human Resources partner)  would like more detailed information on job skills for either creating  job descriptions or job analyses, you might find the job tasks and knowledge statements recommended by ISACA helpful. (On the web page, click the “Display or Hide All Task & Knowledge Statements” toggle to see all the details.)

 

5. The Organization Design to Enable Success

  • Given  the scope of responsibilities of the IT risk leader, the ideal  reporting is direct to you, the CIO, with dotted line to the chief risk  officer or similar corporate role. Some organizations may have policy to  prefer the reverse. The IT risk leader would also be a member of  corporate or divisional risk committees. Finally, the IT risk leader  would be a voting or non-voting member of the enterprise governance of  IT board (voting if IT has several members, non-voting if the CIO is the  only IT member).
  • The IT risk leader would have as reports all  the IT silo risk leaders (security, disaster recovery and such) although  some might be matrixed or have a liaison (sometimes project management  is in this category) plus a core team. In decentralized organizations,  the IT risk leader would have solid or dotted line reports from  divisional IT organizations. Of course, the IT risk organization  requires staffing, training and support to be successful. More guidance  on this can be found in the maturity models of the Risk IT Framework at www.isaca.org/riskit .
  • Finally, do your IT risk leader a favor: do not name the department “risk and controls,” “security and risk,” “risk and compliance” or something similar that pigeon-holes risk in a protect-only role that does not also embrace improved business performance and value. A performance perspective helps both you and your IT risk leader demonstrate your personal value to the business. In a survey of 158 business and 100 IT leaders in seven countries conducted by George Westerman of the MIT Sloan Center for Information Systems Research and your author here, desired outcomes of IT risk management were: Avoiding negative incidents, Managing costs, Ensuring that current functionality is aligned with business needs, Supporting changes in the business. Three of the four are solidly business-focused.

 

What is troubling, as I talk with a range of enterprises, is the similarity of the problems that organizations face. Taken together, these five actions can set the stage for avoiding the majority of unpleasant "surprises." A more systematic approach to risk management has the power to "see in dark corners" and fix problems. Yet, risk management is not an end in itself -- the objective is always to achieve better business performance outcomes.


A quick search of IT job sites reveals many postings with the key  words “IT governance” or “governance of IT.” Clicking through the  descriptions reveals a wide range of requested duties and experience,  much wider than is typical for a head of application development,  security or finance. Due to my exposure to a wide range of enterprises  and service on several industry standards and practices committees, I’m  often asked, “What makes a good IT governance leader?”

 

This  post offers a few insights from what I have seen across countries,  industries, business-IT models, IT organization models and enterprise  sizes.

 

To  begin, let’s level set on what “IT governance” is about. Governance, in  general, has a variety of rather wordy legal, human resource-ish and  academic definitions. A more simple, outcomes-focused definition is “Getting  the right information to the right people at the right time to make the  right (or at least better) decisions with accountability.” The “better” is because there is a cost/benefit in gathering more decision information. Managing that balance is crucial.

 

Governance  purely exists only with the board of directors. However, as a practical  matter, it is often delegated. In this context, two requirements are  generally necessary – 1) clear charter from the board or higher level governance body and 2) that the people involved are acting in the interest of the enterprise as governors -- in contrast to daily management silos. These people  (governors) represent the various business line, functional and  geographic units that fund (especially those who own P&L) and  leverage IT to generate risk-return balanced value for the  enterprise (or achieve mission in governments). This value should be  very demonstrable, having impact on ability to launch products, acquire,  expand and satisfy customers. It should be able to be measured by  investors (whether shareholders or an acquiring firm).

 

Because  of the requirement to act in the interest of the enterprise, balancing  across silos, the preferred term is often “enterprise governance of IT.”  This helps guard against the tendency to use “IT governance” to mean  managing the IT shop or the CIO’s staff meeting.

 

The  enterprise governance of IT leader is therefore often principal advisor  (strategic, financial, operational) and secretary (coordinator,  facilitator, catalyst, peacemaker) to this governance body. Thus, key  expertise includes:

  • Business skills 
    • Business strategy (competitive, market, industry, economic)
    • Business products and processes
    • Financial (portfolio management, investment risk-return analysis, capital budgeting, make/buy)
    • Risk-return management (across financial, project and operational areas)
    • Strong  knowledge of industry best practice (e.g. ISACA’s Val IT, Risk IT,  COBIT or academic research such as from MIT Sloan Center for Information  Systems Research)
    • Technology (directions, trends, competitive advantage, cost/benefit implications)
    • Broad exposure to IT operations (not necessarily that deep, but enough to interlock with needs)
  • Inter-personal skills 
    • Independent, executive presence
    • Collaborator seeking common ground
    • Facilitator understanding each governor’s perspective
    • Curious, questioning
    • Negotiator with eye on shared objectives
    • Calming influence
    • Leverages by nature, doesn’t get bogged down reinventing the wheel
    • Personally committed to key governance measures – informed, transparent, agile and accountable

 

Some  of these attributes, such as negotiating, significantly increase in  importance with federated organization models or the more dissimilar the  business lines. Technology trend skills are more important the more  dependent the enterprises’ offerings are on technology for  differentiation in the market. Others shift with the intensity of  competition, riskiness of business initiatives or complexity of business  operations.

 

Finally,  there are points to delete from the job description or include only as  liaison points – compliance, control or audit. These are not only  incidental to the focus on driving and balancing risk-return value, but  also often bring in personal attributes that are “square peg in round  hole” relative to other requirements.

 

Armed  with this information, you can create a more focused job description,  screen, interview, hire and then – crucially – enable your governance  leader for success.


I recently published an article for CIO Insight, referencing Center for CIO Leadership research and I thought, given the purpose of the Center, you would be interested in reading it. It discusses the shift from IT-centric metrics to business-centric metrics, matching measures to the business-IT portfolio, capturing all costs and benefits, and the importance of consistency.

 

The article starts out:

 

How  do you apply the right measures in the right way to get the insights  you need to improve the value of your IT investments? Start with this  four-step guide.

 

How to Improve IT Value Measurement

 

You've  heard it before. The CFO asks "how do we know what value we're getting  from IT?" The business line leader asks "How do I measure the value of  IT to my P&L, not just help desk tickets closed?" The CEO asks "How  do I know our IT spend is allocated to best support our objectives?"

 

Economic  pressures are putting more emphasis than ever on the CIO's use of best  practice in value measurement -- the right measures applied in the right  way to get the right insights to improve value. Painfully, this came at  the same time that a Center for CIO Leadership study entitled  "Communicating Business Value" reported that only 51% of respondents  agreed with the statement "I have developed business value indicators  that link IT performance metrics and business goals."

 

Read the full article titled How to Improve IT Value Measurement.