The above article was published in the February 2008 edition of FEDTECH Magazine. It provides a historic context regarding governing organizations, and identifies IT governance as a critical element in the Federal CIOs' "must master" tool bag. The article is one in the series I write entitled "The Business of IT."

1. The Business of IT
By Paul Wohlleben
IT Governance
OMB and the agencies have set
the horses in motion — now
agency leaders and CIOs must
control the reins.
O
ver the past decade, the media During the U.S. expansion after World
has deluged us with stories War II, multinational corporations began
about corporate governance to emerge, as well as the establishment
and the problems that ensue of management separate from the board
in its absence. Enron, WorldCom, Global of directors, requiring a link between
Crossing, Tyco, Fannie Mae and Freddie the board and corporate officers. More
Mac are among those embroiled in some recently, financial scandals have brought
of the most publicized financial scandals to light lapses in the oversight of large
that have racked large public entities. corporations, which are mainly owned
But how does the government by institutional investors who may have
approach IT governance, and what are been more prone to sell their stake than of Management and Budget — and
the opportunities for improvement? attempt to replace management. The most internal management committees to
recent scandals have led to more govern- oversee and monitor compliance. Most
What It Is and Is Not ment regulation of public companies, with companies have similar mechanisms in
In the corporate setting, governance is the Sarbanes-Oxley Act being the most place as well.
most simply defined as a set of processes, prominent example. Information technology governance
customs, policies, laws and institutions To understand the implications is probably best defined as the leadership,
affecting the way an organization is di- of corporate governance within structures and processes that ensure that
rected, administered or controlled. The federal agencies, just replace the term an organization’s IT sustains and extends
shareholders, management and board “corporation” with “organization” the organization’s strategies and objec-
of directors are the principal players (standing for department or agency). tives. It should not be considered an iso-
focused mainly on the issues of account- The same relationships apply between lated discipline but an integral part of the
ability and fiduciary duty. taxpayers (owners), federal appointees overall governance framework.
Several events triggered the develop- and executives (management) and The pervasive use of technology has
ment of robust corporate governance Congress (the board of directors). At created a critical dependency on IT that
practices. The Wall Street Crash of 1929 a more granular level, agencies have requires a specific focus on IT governance.
was the catalyst, especially with respect oversight organizations — such as Successful organizations understand and
to creating a link between shareholders inspectors general, the Government manage the risks and constraints of IT,
and a company’s board of directors. Accountability Office and the Office and consequently, boards and executive
management understand its strategic
importance and the need to govern it.
The Balanced ScOrecard The overall objective is to ensure that the
organization can sustain its operations
One way that many organizations monitor how well their governance process and implement strategies required to
works is through use of a balanced scorecard. But what are the components they meet future objectives using IT.
track to measure IT’s contribution to mission? Boards and executive management
RichaRd Mack/JupiteR iMages
• Customer orientation: How well does IT measure up to customer expectations? expect IT to facilitate organizational
• Organizational contribution: How well does IT measure up to the expectations strategy by delivering business value
of organizational leadership? and return on investment and by creat-
• Operational excellence: How efficiently and effectively are IT functions ing organizational effectiveness through
being performed? efficiency and productivity gains. Of
• Future orientation: How well positioned is IT to meet future needs? course, there are situations where IT
February 2008 | FedTechmagazine.com 37

2. The Business of IT
“agencies have defined and implemented IT
management processes sufficiently to practice
effective IT governance.” — Paul Wohlleben
does not meet these expectations, where containment of IT risks. Does your Much of this work focuses on
organizational leadership is faced with organization’s leadership do this? coordination, planning and oversight.
failure, and as a result, the organization Some agencies lean heavily toward
may not meet its overall goals. IT Governance in Government centralized operations, but many leave
IT governance frameworks must Although the government has employed day-to-day systems operations to the
include items unique to the organization, an array of IT management techniques component agencies.
but certain objectives are universal: over the years, the IT Management Reform The government has made major
• strategic alignment of IT with the Act of 1996 provided the impetus for the improvements in IT management over
organization’s mission; processes now in use. The Clinger-Cohen the past decade. The phases involving
• use of IT to exploit opportunities and Act formally established the CIO posi- planning and justification of IT invest-
maximize benefits; tion and enumerated specific responsi- ments are well developed from a policy
• responsible use of IT resources; bilities to the Office of Management and perspective and fairly mature from an
• management of IT-related risks. Budget and to agencies’ CIOs. execution standpoint. Somewhat less
As the practices established under well-developed are the phases involv-
The IT governance process starts Clinger-Cohen have matured, agencies ing the implementation of plans. There
with setting objectives for the organi- have incorporated new techniques and remain gaps in policy, guidance, and
zation’s systems, providing initial direc- initiatives to improve IT governance, such the ability to execute despite improve-
tion. From then on, a continuous loop as earned value management and other ments and attention provided to this
of measuring performance, comparing tools to better manage the government’s area. Overall, agencies have defined
results to objectives and making course IT infrastructure as a single enterprise. and implemented IT management pro-
corrections should take place. The board Congress performs oversight of federal cesses sufficiently to practice effective
and executive management drive the IT through investigations, Government IT governance.
direction-setting process, but multiple Accountability Office reviews and The CIO is critical to governance.
organizational layers play roles in the hearings. OMB provides direction and That official must champion IT within
ongoing management process. performs executive branch oversight the organization and lead the IT man-
To carry out its role in IT gover- through the Office of E-Government agement process. Only the CIO can
nance, an organization’s leaders need and IT, using the CIO Council as a mech- ensure the components of the process
regular briefings from IT on project anism for coordinating policy. This is are effectively defined, organized and
risks, must include IT as a regular item important work because the scope of fed- executed, as well as integrated into
on the management agenda, need to eral IT is enormous and the capabilities management decisions. Perhaps most
communicate the organization’s objec- of organizations involved in overseeing important, the CIO needs to be out-
tives for IT alignment, must make and it are rather modest. wardly focused on other C-level and
monitor IT investments, and should In reality, agencies perform the lion’s program peers and upwardly focused on
seek independent assurance on the share of IT governance work, with the the organization’s senior leaders.
achievement of IT objectives and the CIO in charge of implementation. To be effective, the CIO must be rec-
ognized as having a solid understanding
The clInger-cOhen MOdel fOr I.T. gOvernance of the agency mission, its management
processes and its challenges. Ultimately,
IT Governance Objectives clinger-cohen Act Requirements the CIO must evangelize how IT can sup-
Enterprise architecture; performance- port the mission, carry out management
elizabeth hinshaw
Strategic alignment and overcome the challenges. IT gover-
based management
nance needs to be a team sport across
Capital planning and investment control;
IT value the organization, with the CIO being
business process redesign
cheerleader, coach and star player.
Capital planning and investment control;
Efficient use of IT resources
acquisition best practices; annual report Paul Wohlleben, a former federal CIO, is
Capital planning and investment control; a partner at Grant Thornton. E-mail him at
Management of risks
computer security paul.wohlleben@gt.com.
38 FedTechmagazine.com | February 2008