HEALTH CHECK, WHITE PAPERS/INTERVIEWS

Focus on Dr. Jeanne Ross, MIT Sloan School of Management

Richard Wood | May 15, 2012

This interview features Jeanne Ross and was conducted by Michael Milutis, Executive Director of the IT Metrics and Productivity Institute.

Could you tell us a little about yourself, the MIT Center for Information Systems Research and your current responsibilities there?

JEANNE ROSS: I am a principal research scientist at the MIT Center for Information Systems Research (CISR), which is part of the Sloan School of Management.

The CISR tackles questions that enable practitioners to get the most from information technology. The center has been in existence since 1974, and I have been on staff since 1993. As a full time researcher, I am involved in a fair amount of presentations and executive education.

From the beginning of my stay at CISR I have looked into questions of IT management, IT governance, enterprise architecture and organizational change. In my mind, these are the critical issues that companies must understand in order to get the most value from their information technology.

You co-authored IT Governance: How Top Performers Manage IT Decision Rights for Superior Results. What inspired you to write this book? What specifically were you trying to accomplish with it?

JEANNE ROSS: My book on IT Governance was inspired by the work that Peter Weill did with Gartner. At the time, Gartner was in the process of surveying 256 companies around the world to understand how companies were designing their IT governance. While Peter was working on this at Gartner, I was looking at infrastructure transformation, ERP implementation and e-business implementation. In the course of my own research, I discovered that companies that were clarifying the decision making process around their IT investments were attaining substantial value.

We combined all of my qualitative understanding with Peter’s quantitative understanding. It really was a good partnership.
He would produce numbers that I would look at and say, “I’m sorry, but that just can’t be right.” He would respond, “Well, the numbers say it so maybe your data can’t be right.” Figuring out why my qualitative data seemed to be saying something different than his numbers really helped us understand what was going on out there.

Usually, if there was a disagreement, we realized quickly that the original interpretation of the data was wrong. Originally, if some factor did not significantly correlate to added value, the assumption was that it was a bad investment of funds. After further analysis, we found that the lack of value was more a function of bad planning or execution. Rather than presuming that an organization should avoid such an investment, we wound up stressing how important it was to plan and implement the investment correctly.

For example, if you had looked at the purely quantitative data, you would have concluded that architecture committees were a pretty bad idea. The qualitative data I had assembled, however, pointed to the exact opposite; namely, that the best companies had great architecture committees. Looking at the entire picture, what we saw was that most companies had an architecture committee, but one that was performing poorly. Our conclusion was that although an architecture committee might be difficult to implement – there was an enormous payoff for those organizations that got it right.

Why do you think the term “IT governance” is so commonly misunderstood in our industry?

JEANNE ROSS: I think the rational explanation is that the word “governance” is frequently equated with the word “politics.” We often hear people referring to “politics” or saying, “This is a political issue.” The problem, though, is that at some point different people will use the term “IT politics” when referring to different things. Some people will be referring to culture. Others will be talking about the need for certain employees to start caring more. Still others will be saying that the priorities of individual business units are superseding the good of the company as a whole. All of these things and more tend to hang together, in a confused manner, when people use the term “IT governance.”

In light of this, could you give us a simple authoritative definition for IT governance?

JEANNE ROSS: I will give it to you right from the book. “IT Governance is the decision rights and accountability framework for encouraging desirable behavior in the use of IT.” The critical part of this definition is that it talks about the “decision rights and accountability framework” rather than the decisions themselves. Many people tend to view governance as the individual decisions that are made. This is incorrect.
It is the overriding framework in an organization – the framework that assigns accountability and responsibility for those decisions – that is truly representative of governance.

Could you give us a description of such a framework?

JEANNE ROSS: The governance of IT investments might require the following process for deciding which projects get funded: individuals submit proposals to business unit managers; managers pick the projects most relevant to them; managers then justify their decision by developing a clear business case for their choice, possibly explaining how their decision might support the strategic objectives of the larger organization; the list of projects goes to a committee; the committee prioritizes the list of projects and then sends that prioritization list to senior level management for approval. Such a framework would be part of the “IT governance” for an organization. The actual decisions themselves would be secondary. What the framework dictates is which person or group will make the decision and how such decisions will be judged. Excellent governance goes beyond assigning a person to make decisions. Governance is about defining the factors that will govern how decisions are made.

Your book features a chapter on the “Five Key IT Decisions.” Could you elaborate on these five decisions and explain how they relate to IT governance?

JEANNE ROSS: We found a remarkable consistency across organizations from a wide range of industries. Each of these organizations was making five identical IT business decisions. The difference was that each organization was not necessarily governing these decisions.

The first key decision is IT principles. Each company we looked at needed a clear understanding of the role that IT would play in their organization. For example, a commodity-based company might be using IT predominantly to cut costs and to make their company more efficient. Another company, such as a financial services company, may not view cost cutting as the most important use of IT. Their main focus might be providing the best possible service to their clientele. In short, a financial services firm may decide to sacrifice cost-cutting in order to ensure high quality customer service. These are very different principles. And this decision itself – the decision on IT principles – may be one of the most important high-level decisions made in an organization. If a company does not identify their IT principles correctly, everything that follows forth will be off the mark.

The second key decision involves capabilities. It draws entirely from the previous decision about IT principles. For example, if your IT principles are focused on the lowering of costs, then your capabilities must be built around that focus. Likewise, if the principles declare that the company will operate as a single enterprise, then a tremendous amount of integrative capability will have to be built for data sharing among global customers. Whatever has been decided, the IT department will have to concentrate its efforts on these areas.

The third key decision involves infrastructure. Once it has been decided what capabilities should be built, it must then be decided who will have access to what information. What data will be shared? How long will employees have access to the information?
These are the kinds of questions that come into play with the third decision.

The fourth key decision revolves around who will formulate the requirements for individual applications. Should each individual business unit decide on their own application requirements or should applications be provided to each unit in a more collaborative way? As in the case of the second and third decision, the fourth decision relates directly back to the original IT principles.

The fifth and final key decision centers on IT investment. Who gets to decide on the prioritization of projects in the organization? What projects will be funded? What projects will not be funded?

For many companies, IT governance is focused solely on investment, the final decision, rather than all five. What this entails, essentially, is that senior management dictates to IT exactly what they want. And IT responds to management by relating how much it may cost and how long it may take. Everyone knows that this is a poor model, but many companies are stuck inside the mindset.

What is the correct way to implement IT governance?

JEANNE ROSS: First of all, a mechanism is needed to implement governance properly. Many companies create a senior committee that oversees these five decisions and that either takes responsibility for them or assigns responsibility to others. In addition, many companies will create overlapping ownership across management teams for each of these five decisions. For example, the CIO may be part of both the principles team and the investments team. As a result of overlap, decisions become more cohesive.

Second, organizations must come to terms with the fact that they are not going to get everything right the first time. IT governance is a learning process. In light of this, it is important for someone to take the responsibility – to
check and double check – that the company is receiving the business value they desire from their processes. Generally speaking, the committees that are created and the processes that are initiated will not run smoothly from the start.

Third, you need to create processes that can be pushed down through the organization. The best example I can think of would be a post-implementation review of a project and that project’s impact on business value. A post-implementation review allows for a clear analysis of a given project’s value. Some of the review should compare results to the original business case, while other parts should be more testimonial, i.e. people reporting about their experiences with this new capability.

A final thought is to never give up. Even when you feel like things have not significantly improved, you should continue to diagnose why they have not improved. At times, this may involve changing personnel. In other cases, it may involve changing incentives. In the end, it is important simply to stick with it and to realize that IT governance is a very important component to the success of the business.

How can we convince our organizations about the importance of IT governance?

JEANNE ROSS: Every organization can relate to the importance of their finances. They understand the importance of budgets and of standard costing. They understand the importance of variance analysis and of target income levels. They understand the need for internal auditing. All of this is necessary for any organization to run efficiently.

I would argue that a company should relate to IT governance the same way they relate to financial governance. Since IT spending is a significant component of overall costs, I would contend that special care must be applied to ensure that appropriate decisions are being made.
Having clear and precise processes behind such decision making will allow your business to better understand and control the overall IT spending.

What are some of the biggest misconceptions that you encounter in our industry about IT governance?

JEANNE ROSS: Perhaps the biggest misconception about IT governance is that it only governs how much money should be spent on IT and what that money should be spent on.

Deciding where money should be invested is only half the story. The other major factor to consider is how to derive value from those investments. Until an organization understands how to derive value from their investments, it will never make good investments.

As I mentioned earlier, this is a learning process. By measuring the actual value from our investments, we can learn a great deal about the process of investment. We will learn why we succeeded or failed. We might even experience benefits that we were not expecting. This kind of feedback cycle often gets ignored.

For those organizations that lack an IT governance framework but would like to establish one, how would you advise them on getting started?

JEANNE ROSS: Generally speaking, the push for an IT governance framework will come from the CIO, one who comprehends the extent to which good governance can help the company.

The first hurdle the CIO will face is senior management; convincing them that IT governance is well worth their time. A common mistake is for the CIO to talk to executive management – in esoteric terms – about the role of IT in the business. The CIO might ask the CEO or the CFO to decide how IT should be used or to establish principles for IT. This is a mistake. It would be much more productive to engage senior managers in a discussion about how to save money on IT or how to get more value for that money. Consequently, my advice is to identify a few areas where senior management might be able to help themselves financially and then try to encourage their enthusiasm about involving IT in the solution.

Meanwhile, at the project level, I think the CIO needs to work more on project methodology. He should be getting his IT department to clean up projects, make them more targeted to business value and then put mechanisms in place to assess that business value upon completion. Being able to inform the company that it spent a lot of money and did not realize any value from it will surely jump start discussions about IT governance.

How widespread is good IT governance? How many companies are doing it right? How many are not doing it at all?

JEANNE ROSS: I suspect that on some level every company has a small amount of governance going on. However, the evidence seems to indicate that most companies are not doing it very well.

Our best metric for measuring governance implementation is simply to ask senior managers how IT decisions are made in their company. On average, only 38% of senior managers could tell us how IT decisions are made. We did not ask them about their knowledge of financial decisions but I would suspect this to be close to 100%.
Until IT decisions get the same level of recognition as financial decisions, we are not going to see good IT governance across the board. We quite clearly have a long way to go.

Are there any companies out there with exceptionally good IT governance in place?

JEANNE ROSS: UPS (United Parcel Service) has extraordinarily good governance. Considering how effectively they use IT, it is not surprising that they are governing it well. ING Direct also has an extraordinary governance process which has really kept them on target.

Taking UPS as an example, one consistent item we noticed was that IT governance was highly correlated with general management. Companies that understood the principles of good management and good overall governance tended to be the ones that were managing IT effectively. Another trait they shared in common was solid financial performance. That does not necessarily mean that good IT governance made these companies successful. It is more likely the case that these companies were very well managed and that excellence in governance accompanied the excellence in management. It would really be hard to have one without the other.

Could you tell us about your latest book – Enterprise Architecture and Strategy?

JEANNE ROSS: Our newest book, published by Harvard Business School Press, evolved from working with e-businesses. We were trying to understand how companies were converting e-business into value. It became clear that much of this was rooted in transparent decision making processes around how organizations invested in IT and how they pushed for value from their investments. At the same time, we were recognizing that some companies were building IT solutions, while others were building IT capabilities. Those companies that were building IT solutions were becoming better at building solutions, but in the process were becoming less agile. On the other hand, the companies that were building IT capabilities had much broader platforms and enterprise-wide thinking. Consequently, these latter companies were more able to focus on the kind of organization they wanted to be and on how to utilize IT to get there.

It was these ideas that became the foundation for the enterprise architecture book.

Biography of Dr. Jeanne Ross

Dr. Jeanne W. Ross is Principal Research Scientist at the MIT Center for Information Systems Research. Her research focuses on the management of the IT unit, particularly on the management of the IT infrastructure and on changes in management demanded by new technologies and new organizational forms. Much of her work involves development of case studies that describe the human, technology, and IS-business relationship resources of firms that have successfully implemented technology-based changes. Her current research focuses on the management of technology infrastructures that enable organizational transformations and on the discussion of IT value between IT and business management.