Realities of Governance

Peter Salmon

Realities of Governance

• Attempts to relate theory to some of the issues we may face in practice

• Draws on experience of myself and others• The case material is based on a number of real situations• In all probability in some situations those of us involved may

well have been found wanting for all too human reasons• Reflects my belief that values and corporate culture underpin

governance, process of itself is not sufficient

Some history

• In reality governance has always been with us, but more recent developments can be traced to the Cadbury Report published in 1992 and subsequent developments in the UK and USA in particular

• Cadbury et al resulted from a series of corporate scandals such as BCCI, Robert Maxwell for example

• More recently we have had Enron, Tyco and Worldcom amongst others leading to Sarbanes-Oxley

• Consequently corporate governance and latterly IT governance have become much greater concerns of directors and managers

Cadbury

Corporate governance is the system by which companies are directed and controlled. Boards of directors are responsible for the governance of their companies. The shareholders’ role in governance is to appoint the directors and the auditors and to satisfy themselves that an appropriate governance structure is in place. The responsibilities of the board include setting the company’s strategic aims, providing the leadership to put them into effect, supervising the management of the business and reporting to shareholders on their stewardship. The board’s actions are subject to laws, regulations and the shareholders in general meeting.

ISO/IEC 38500

• Corporate governance of information technology• Published 1 June 2008• Originally published by Standards Australia as AS8015:2005• High level, principles based, advisory standard• Work is proceeding on a range of topics including:-

– Governance of Projects involving IT Investment– Governance of IT used in ongoing Business Operations

• Provides framework of principles for Directors to use in evaluating, directing and monitoring the use of IT

Definitions• Corporate governance -the system by which organizations are

directed and controlled. (adapted from Cadbury 1992 and OECD 1999)

• Corporate governance of IT- the system by which the current and future use of IT is directed and controlled. Corporate governance of IT involves evaluating and directing the use of IT to support the organization and monitoring this use to achieve plans. It includes the strategy and policies for using IT within an organization.

• Management -the system of controls and processes required to achieve the strategic objectives set by the organization's governing body. Management is subject to the policy guidance and monitoring set through corporate governance.

Principles

1. Responsibility2. Strategy3. Acquisition4. Performance5. Conformance6. Human Behavior

Governance Model

Case Study – Illustration A• As a consultant you have been asked to advise two

organizations on how they might progress a proposed joint venture in the market for technology based solutions .

• Both organizations are well established in complementary sectors of the market. Organization A has many thousands of customers and a strong focus on revenue. Organization B has fewer customers and is focused on large deals with good margin. A is an existing customer of B.

• A & B say they want to proceed rapidly to establish the joint venture and have initially set an aggressive 13 week timeline.

• It emerges quite quickly that one party, A, has difficulties committing resource

Case Study – Illustration A

• Both A & B claim the joint-venture is critical, but whilst in the Top 5 list for B, it is not in the Top 20 list of strategic initiatives for A, who have in excess of 30 high priority strategic projects

• Consider some of the governance issues that potentially arise from each of the following perspectives:-– A– B– The joint venture

• Is there any one key recommendation that you would make above all others after considering the governance issues

Case Study – Illustration B• C is a major financial services group. They decide to sell a new set of

services via the internet through a new company D.• D is established with it’s own board and management• An arrangement is entered into with E, a major services provider, who in

turn engages F, another major provider to provide a substantial proportion of the required services, on the basis that F has relevant expertise and product

• C, E and F have established processes for procurement/new projects• Initially all appears to be proceeding well, until some 2 months have

elapsed. Then significant problems begin to appear in relation to the chosen software solution.

Case Study – Illustration B• You are brought in by E to advise on what to do. You find amongst other matters

the following facts obtain:-– No contract exists between D & E– No contract exists between E & F– The MD of D was formerly a senior employee of E and has close relationships with a number

of senior staff at E– F admit that they have had problems with this solution on the chosen hardware platform– D’s operations manager believes he can get a software solution written by the proverbial 2

men in a back room and has started to do so– F clearly want to avoid living up to any representations previously made– E’s project director is not a company employee, but is from another 3rd party

• Consider the governance issues and required actions from the perspective of :-– C– D– E

Case Study – Illustration C• G is a well established enterprise which undertakes a variety of IT

projects on an ongoing basis, based on an annual list which is an appendix, one of many, to the high level group budget approved by the board

• IT is seen by some board members, as well as some senior managers, as a critical element in the success of the company and by others as a necessary evil

• Although the majority of projects appear to be completed more or less on time, the board is becoming concerned at the amounts of money spent and the return on investment achieved

• In addition, the board has become concerned that at least one current project may have become a runaway, but is not certain that it has a sufficiency of information

Case Study – Illustration C• A new independent director has been appointed and he has raised

concerns about the liability of directors if governance is inadequate• You have been appointed as advisor to the company and have been

requested to report on :-– Issues the board should be considering and possible structure and process the board

could put in place to manage those issues– Actions and mechanisms the management should be taking to control the programme of

work, from a governance perspective within the framework required by the board

Case Study – Illustration D

• You are a director of a successful company, which has been in business for a number of years.

• The IT system which you use is nearing the end of it’s useful life and consequently you go to market for a replacement system.

• One is selected, but after some months the implementation hits major problems. After some negotiation you part company with the system provider and carry on with the old system.

• After a review by consultants, you determine to look for an outsourced solution.

Case Study – Illustration D

• As part of the outsource arrangement you require the outsourcer to take-over the old system, but to migrate your company to a new system.

• The system in place is mission critical as will be the replacement system

• What governance issues would you focus on in particular in such a situation?

• If you were the outsource provider what would be your concerns from a governance perspective?

Conclusion• No formal right or wrong answer as such• Important to gain a full understanding of facts• Have found over the years that a focus on the business

perspective is invaluable• Getting the engagement of all parties is critical• Building a climate of trust aids resolution of

governance situations, rather than a blame culture – often all parties contributed to problems

• When setting up structures and processes, harness culture and people to them, not in competition or combat with them – especially important where incentives may be involved