For many years, it seemed every request for IT expenditure met with management approval and every IT project, no matter how loosely defined, gained executive support.
This has all changed. Around the world, IT budgets are facing unprecedented, intense scrutiny and pressure to justify business value.
In a departure from the prodigious technology expansion experienced by companies during the previous 20 years, spending on e-business technologies will drop from an average of 3.5 percent of revenue in 2001 to 3.0 percent in 2002, according to a survey by Forrester Research. The study of nearly 900 high-level IT and business decision-makers found that e-business technology budgets are averaging $29 million in 2002, compared to an average of $41 million in 2001. In addition, the number of firms considering purchases of technology consulting and implementation services fell 28 percent from 2001.
At the same time IT budgets are stagnating or being reduced, corporate dependence on IT has increased. These factors combine to force acute awareness that risks and threats are real and growing. Yet, data and information systems for all organizations must continue to be protected against harm from threats such as errors and omissions, fraud, accidents and intentional damage.
To successfully navigate this changing business landscape, enlightened IT managers are adapting by focusing on IT governance to help ensure the boards of directors to whom they report (and who hold the corporate purse strings) properly understand the importance of IT and the related risks. In particular, senior management must understand why it is essential that information security keep pace with increasing and evolving internal and external threats. Even in a belt-tightening environment, investment in information security must be proactive and respected, both as an ongoing operational necessity and as an integral part of the systems development life cycle.
Reduced budgets provide the opportunity and the necessity to exercise more prudent governance over all aspects of IT investment. Appropriate governance of IT and information security encourages senior management to focus on the correct business priorities for IT-related spending - particularly in times when all corporate expenditures are under review.
Effective information security governance in the midst of budget upheaval requires coordinated and integrated action from the whole organization. IT investments can be substantial and, if not governed properly, can be easily misdirected, so rules and priorities should be established, monitored and enforced. The need for security within most organizations will be paramount and related expenditures should be 'ring-fenced' and prioritized, but this will only happen if the risks are properly understood and recognized at the highest levels within the organization.
In many organizations, IT budget discussions often are focused on trimming a certain percentage from a predetermined budget. This practice only encourages some technology leaders to bump up their budget requests and include non-essential items that can be eliminated with little pain to the IT function. While IT and business management may feel that, by dropping these expenditures, they have done their part in reducing the budget, the process does not ensure value has been and will be obtained from the remaining plans. Neither will it ensure that IT-related risks have been properly mitigated. By effectively governing the IT process, boards and managers can focus on ensuring that IT delivers the best value for the lowest cost and with the minimum risk.
The basic principles of IT value are on-time delivery of projects (including security projects) that support, enable or enhance the business, within budget, and featuring the benefits that were promised. Increasingly and encouragingly, CEOs and other board members are asking management to demonstrate how they can be assured that the organization is getting appropriate value from its IT investments. Today's economic climate and the fast-paced competitive environment are triggering many more company leaders to make this a priority issue.
Developing a response that provides the board with the assurance it should be seeking is a constant challenge. The primary goal is to ascertain whether a firm's investment in IT is in alignment with its strategic objectives and thus is building the capabilities necessary to deliver long-term sustainable business value. Reaching this balanced state is complex, multifaceted and rarely fully achieved. Focusing on alignment involves understanding IT needs and capabilities as an integral part of the development of corporate strategy.
In many organizations IT budgets are categorized by expense type, for example, staff costs, software and technical infrastructure. A beneficial and revealing exercise for managers is to attempt to link IT budgets, particularly individual project costs, directly to the company's overall strategic aims and objectives.
Simply measuring the cost is the straightforward part. Determining the value is more difficult. However, unless this is attempted, boards of directors will find it difficult to discharge their governance responsibilities with respect to approving IT budgets and investments and, in particular, determining priorities. Security is likely to be one of those priorities, provided those responsible for approving the necessary expenditure properly understand the security-related risks that their business faces and the potential business implications of these risks.
Many large organizations continue to have several hundred IT-related projects in progress simultaneously. This makes little sense and is a throwback to the 'fiefdom' concept that still exists in many large corporate entities. These organizations often would be best advised to re-examine their project portfolio in terms of value vs. cost relative to business priorities. Most companies will be able to identify unnecessary, unfocused or no longer relevant projects that could relatively easily be dropped, shelved or merged, thus releasing resources for the necessary and more strategically aligned projects.
According to an IT Governance Institute (www.ITgovernance.org) case study, one organization that has implemented an IT governance program to help ensure its expectations for IT are met and IT risks are mitigated is the city of Mesa, Arizona, USA. Previously, Mesa's myriad internal departments competed for IT resources in a process that was loosely structured and controlled. Although many projects were started, many were not completed or fell far behind schedule. There was limited communication and collaboration among departments and IT staff, which resulted in overlapping projects and unnecessarily redundant functionality.
After developing a cost allocation system to increase input from internal customers, Mesa's Information Services Division (ISD) dedicated three management positions to improve communication between the ISD and other departments. These technology liaisons focused on improving IT through effective governance and facilitated several linked teams that are responsible for directing decisions on IT-related issues such as strategy, technical direction, resource allocation and budget. At least one representative from all city departments is on each team.
Mesa's IT steering team also began prioritizing IT projects for all city departments, using a combination of project scoring, portfolio management and alignment to determine and budget for financial and human resource availability.
Through its IT governance activities, Mesa continues to manage IT initiatives and provide maximum benefit to its ultimate customer - the public. Its innovative approaches help the service departments ensure there are business benefits for all IT initiatives. Mesa is making better use of its IT resources by avoiding duplication and reducing the number of projects that are started but not completed.
As with the city of Mesa, all boards of directors and executive management must be proactive in monitoring and commencing IT initiatives. With today's weak business outlook and lowered expectations for corporate profits, organizations should focus on obtaining the highest value for their expenditures. Enterprises should rely on IT governance to help ensure strategic alignment and a maximum return on decreased IT investments.
Paul A. Williams, FCA, MBCS, is an independent consultant and immediate past international president of the Information Systems Audit and Control Association (www.isaca.org).