Gobernanza de TI conmemora, hoy, el primer aniversario de la publicación de la norma ISO/IEC 38500:2008. Con motivo de esta especial celebración, la sección ”Firma invitada“, incorpora un demoledor y clarificador artículo (original y traducido, como viene siendo habitual en esta sección) de un apreciado colega. Se trata de Mark Toomey, fundador y Presidente Ejecutivo de Infonomics, Pty. Ltd., Presidente del Comité Técnico IT-030 de Standards Australia y co-creador de las normas AS 8015:2005 e ISO/IEC 38500:2008.
Bajo el título “Being on top …”, Mark ofrece una clara descripción del concepto de ‘gobierno corporativo de TI’, del porqué de la necesidad de establecer dicho buen gobierno y de cómo en la raiz de tal necesidad se encuentra el alejamiento (asincronía) que se ha ido dando, con el paso de los años, entre las personas que dirigen las organizaciones y las que están a cargo de sacar adelante las nuevas iniciativas tecnológicas y de mantener plenamente operativas las existentes.
En definitiva, Mark describe un panorame en el que, quienes debían hacerlo, han dejado de estar encima.
Being on top …
When I began my career in information technology, the first “mini-computers” were being adapted to commercial applications, and organisations that had never before used anything more powerful than an adding machine were beginning to automate their businesses.
There were no Chief Information Officers in those days – and few established IT departments. We worked directly with the people who knew the business, and ran the business, to design new ways to operate the business more effectively and efficiently. We developed the software in parallel with redesigning (however minimally) of the business and as the new systems were installed, everybody in the business was retrained and adapted. The people at the top took a great deal of interest, not just monitoring progress, but actively participating in the work to maximise the value of what we were doing.
Most of those projects were very successful – delivering what the organisation wanted, at a price that was acceptable, and leading to both better performance and growth of the business.
Since then, the technology has become cheaper, the capability of the software has increased, the dependence of the business (and people) on information technology has become profound, the projects that organisations undertake have become more ambitious, and the certainty of success with IT has diminished!
Why is success so elusive today? Why are organisations so often victims of failure in both projects and operations that involve significant dependence on IT? Is it that the technology is no good? Is it that the people delivering the technology are poorly trained, or incompetent? Is it that the methods that we use are unsatisfactory? No! Today even the cheapest PC is much more reliable than the mini computer of 1975. Software from the 1970’s was extremely simple and narrow in functionality, yet much more prone to faults than it is today. Today we have high expectations based on the enormous capability of software, and so we tolerate software faults less. Thirty-five years ago, most IT people were not university trained – few had degrees. Some were chosen for their roles because they had an aptitude test – but most got involved because their employers needed somebody who knew the business to help get it automated. And as for methods – thirty years ago the development of methods in computing was in its absolute infancy – with no maturity in anything and definitely no standards.
So today on the technology side we seem to be much better off than we were in the 1970’s. Yet now we have IT projects failing at an unacceptable rate, many marginally successful projects failing to deliver any tangible, measured benefit, and business at risk of damage from systems that fail. Why?
I think that the major reason for this problem is not that we have failed to get better on the technology side – but that we have actually developed a problem on the business side. Where once the top executives were involved and the board monitored closely, now the top executives are too busy and too remote, and the board is hardly involved at all. Business engagement in IT projects is left to middle managers – many of whom are grossly overloaded following round-after-round of cost cutting, and many of whom are poorly briefed on their roles and responsibilities in the success of projects.
Thirty years ago, what we today call IT projects (that is projects that change or improve the business through the use of IT) were well governed because the people responsible for top level governance were directly engaged. Nowadays, as that engagement has diminished, so too has the effectiveness of the governance arrangement. And experience of the past few years has shown us that while governance is important, attempting to fix the problem with yet more rules, tools and frameworks that invariable focus on the management of IT does not lead to good outcomes.
Effective corporate governance of IT depends not on tools, or processes, or frameworks, or organisation structures. It depends, simply and fundamentally, on the people who govern the organisation – the board and the top executive, understanding and delivering on their responsibility to apply their governance skills to the use of IT as they do to the other aspects of the business.
When they do that, the tools, frameworks, structures and other resources that we have devised to help us control and assure the effectiveness of IT use will add their most significant value.
For those top executives and directors, the straight forward guidance they need on their job is found in ISO/IEC 38500. It is written in their language, is as concise as any guide on corporate governance can be, and enables them to control what they do not understand, by focusing on the things that they do understand.