The IT Governance Evangelist

Is IT Governance primarily a function of the business, or a function of IT?

Many organizations are misled by the label. Sure, IT enables IT Governance, but the ITG discipline is a means for the business to govern IT, to ensure IT is aligned, delivering value and appropriately managing risk, resources and performance. The business must govern IT just as it must govern every other important business function, such as Finance or Human Resources.

Recently I received affirmation that some organizations are coming around to this way of thinking.

During a trip to Australia, I spent five days in three cities as the featured speaker in a seminar series entitled "Critical Components of Effective Project Management Offices (PMOs)". While there, I visited with several organizations to discuss their IT Governance challenges.

My very first meeting was with an IT leader from one of the government agencies located in Sydney. He wanted to meet with me to obtain a greater understanding of IT Governance. As he introduced me to his four colleagues, I was amazed to find that not one of them was from IT! They were all from the "business side" of the organization!

This IT leader recognized the role of the business as a partner--if not leader--of IT Governance in their organization. He was hosting this discussion to provide his peers with critical insight into their IT Governance roles and responsibilities. We had a great meeting and they are now eager to work together to achieve the enterprise-wide goals of IT Governance.

As I continue my travels evangelizing IT Governance, I expect the overwhelming majority of my audience will be members of IT. I look forward to the day when they are outnumbered by the real owners of IT Governance--the business partners IT serves.

I recently recorded a podcast with Tim Jennings, Research Director with the Butler Group. The Butler group completed a study finding that 50% of IT projects fail. My brief discussion with Tim focuses on this issue and highlights best practices for guidance on implementing successful project management initiatives in IT organizations.

I find the topic of IT project failure rates interesting and compelling. I speak frequently on the topic, citing numerous studies with varying conclusions. The most optimistic figure I have encountered is 40% and the most pessimistic came from a major analyst study in 2006 that put the IT Project failure rate at 78%!

I thought the 78% number was a bit sensationalistic. I think the number is closer to 60%, which is still quite alarming. Regardless of the number, whenever I talk about the rate of project failures, I think it is necessary to define what I mean by project failure. I do so in the Podcast and was surprised to find that Tim Jennings and the Butler Group agreed with my characterization because, frankly, I thought I was being militant about the subject.

I contend if a project takes longer than we scheduled, it is a failure. If a project costs more than we said it was going to cost, it is a failure. If a project does not deliver the value we said it was going to deliver, then it is a failure. Keep in mind, I am allowing for the variance thresholds agreed upon at the onset of the project. If a project is not completed within those thresholds, it is a failure.

I have shared this view with countless people in my travels. I have found the majority of them find my definition of project failure to be too harsh and uncompromising. I am not surprised by their reaction. In fact, it is their reaction that provides some insight as to why so many IT projects fail in the first place.

We take for granted that IT projects take longer than we think they will. We expect them to cost more than we thought they would cost. It is not realistic to believe we can deliver everything we said the project would deliver. In fact, we have the reasons for this at the ready. Do any of these statements sound familiar?

• It is too hard to estimate the time and cost
• We didn't have enough time to plan
• IT projects are very complex and inherently unpredictable
• The customer didn't know what they wanted
• Our requirements process is terrible
• We don't have enough resources to get the work done
• Production emergencies adversely affected project progress
• We didn't have the information we needed
• Scope creep!!!

I am sure you have heard all of these and more. We have grown accustomed, if not complacent to IT projects taking too long, costing too much, and not delivering as expected. Couple that with the human tendency to wince at the word "failure" and it is easy to understand why people judge my interpretation of project failure to be too harsh if not outright unreasonable.

So how do we change the project failure rate? Anyone who has met me or read my blog knows my answer is good IT Governance and more specifically, good Project and Portfolio Management. Tim Jennings of the Butler Group offers some great insights and ideas so I urge you to listen to our podcast. But first, let's get everyone to agree on our definition of project failure. Let's call the slipped schedules, cost overruns, and missed deliverables what they are - failures. Only then will we aggressively and relentlessly pursue the solutions that will ultimately ensure project success.

I just finished studying an analyst report entitled "The State of IT Governance In North American and European Enterprises." You already know that almost anything about IT Governance excites me, with an analyst report about my favorite topic high on the list. But, while there was certainly a lot of compelling data in the report, I was left wanting more.

The study focused on 8 areas: Strategic Positioning, The Perception of IT In The Enterprise, Standardization, How IT Is Structured, IT Planning, Architecture and The Role Of R&D In IT, Managing Vendors, and Managing Projects.

While these areas do fall within IT Governance, what I was looking for was information on enterprise efforts to establish IT Governance, or enterprise progress in regards to IT Governance initiatives. I was interested in the 8 areas, but more interested in how they were managed as part of a larger IT Governance initiative. Were the enterprises surveyed even aware that these were the major areas of IT Governance? 

I continue to believe very few organizations adequately understand the nature and discipline of IT Governance. Until enterprises recognize the areas of the Forrester report as subsets of IT Governance, they have little chance of fully achieving the very specific goals, and realizing the very specific benefits, of IT Governance.

But I am hopeful that the day will come. And I am anxiously awaiting the next IT Governance analyst report in my inbox.

I just read an article in the Wall Street Journal entitled "How to Tap IT's Hidden Potential." The article talked about the "wall" between the IT Department and "everything else" and says "That wall has to go." I ask you, is this news?

This article is a wake-up call reminding me, yet again, that we have a long way to go before IT is recognized as a strategic asset to be leveraged by the enterprise. The Wall Street Journal says IT's potential is hidden. Hidden? Given the ubiquitous nature of IT today, could this be true? Sure, 20 years ago we had business projects and IT projects. Aren't those days gone? Don't all of our business projects have some technology component? How can the potential of IT be hidden?

I have met very few folks from the business side or the IT side of the house who don't acknowledge the "us-and-them" mentality that exists between IT and the business. All of my presentations, be they on IT Governance, Project and Portfolio Management (PPM), Project Management Offices (PMOs), IT Service Management (ITSM), etc. stress the need to improve the relationship and level of trust between IT and the Business. I have never had to convince anyone of the need to do so.

Why my strong reaction? I guess my immersion in the discipline of IT Governance may be causing me to treat many things as obvious when in fact, they aren't. I thought that as an industry, we were farther along.

But setting the "Is this news?" question aside, the article makes some good suggestions, though it misunderstands the full scope and potential of IT Governance.

The article listed five primary reasons for the wall's existence: mind-set differences between management staff and IT staff, language differences, social influences, flaws in IT governance, and the difficulty of managing rapidly changing technology.

The article outlined six steps to "shatter" the wall between IT and the rest of the company:

• Begin with IT literacy-and commitment-at the top.
• Hire an IT leader who sees the big picture.
• Create demand for IT solutions.
• Make sure nothing gets lost in translation.
• Rationalize IT spending.
• Create an IT portfolio by evaluating risks and returns.

I liked the specific mention of the IT Portfolio as part of the "rationalize IT spending" solution step but once again, IT Governance was equated solely to investment decision-making. Earlier in the article ITG is described as "the specification and control of IT decision rights." Even if you include more than investment decisions in that basic definition, it still falls short of the full scope and scale of ITG. It isn't just the decisions and decision rights (accountability). It is also the IT Governance processes--which do support the author's six steps--into which we feed those decisions. Those processes include:

• Integrated Business & IT Planning
• IT Investment Assessment, Prioritization, Funding & Benefits Realization Accountability
• IT Financial & Resource Allocation
• Project Prioritization & Decision-making
• Emerging Technology Evaluation & Adoption
• Client Relationship Management
• Building & Maintaining Applications & Infrastructure
• Provisioning of IT Services
• Outsourcing Services
• Audit & Risk Management
• Architecture Management - Standards & Review

As usual I am on the road, meeting later today with a group of executives who want to understand IT Governance and its potential. I am sure I won't have to spend any time convincing them of IT's hidden potential or the wall between IT and the business. Those are the reasons they are talking to me in the first place.

Reader, is the "hidden" potential of IT or the wall between IT and the rest of the business news to you?

I'm always appreciative when someone prods me to look at something familiar in a new way. Therefore, I extend my thanks to Mark Perry for his Gantthead blog posting entitled "PMO Tips: Five A+ habits PMO managers like project managers to have." I've analyzed the objectives, skills, responsibilities and education requirements of a project manager extensively, but I have to say, until I read this blog, I had never given much thought to their habits. That is until now.  

I am familiar with the work of Stephen Covey--author of "The Seven Habits of Highly Effective People," his most well-known book--that triggered Perry's posting. But, while I recognize that, by definition, a project manager is highly effective, I had never considered their habits.

I won't go into details on Perry's posting here--in part because I'm not sure I agree with him--but to be fair, I've included the link above. I replied to it with my own extensive list, which refers not to habits, but to Project Managers' values and associated behaviors. The list is included here for your convenience, but I encourage you to read the posting for yourself.  Maybe you too will come to think of Project Managers in a new light.     

Steve Romero's List of Values and Behaviors of Effective Project Managers

Value 1: CUSTOMERS FIRST
- Keeps commitments to customers
- Understands and anticipates customer needs
- Understands and promotes products and services
- Acts in the best interest of the enterprise

Value 2: INTEGRITY
- Behaves in an honest and ethical manner
- Embraces diversity by treating each individual with dignity and respect
- Acts in an authentic, truthful, and straightforward manner
- Actions are consistent with words
- Deals with conflict in a timely and constructive manner

Value 3: COLLABORATION
- Thinks and acts beyond one's own work group
- Puts enterprise needs and goals ahead of individual objectives
- Takes responsibility to help others succeed
- Freely shares information
- Celebrates success

Value 4: ADAPTABILITY
- Willingly seeks and considers new ideas, approaches and best practices
- Anticipates and embraces change
- Willing to challenge current practices
- Overcomes obstacles to meet goals

Value 5: ACCOUNTABILITY
- Accepts responsibility for individual and group decisions and actions
- Holds self and others responsible for achieving results
- Takes initiative to solve problems personally and avoid unnecessary handoffs
- Acknowledges and learns from mistakes
- Takes personal responsibility for the organization's success

Value 6: EXCELLENCE
- Consistently strives to deliver superior results
- Demonstrates a sense of urgency regarding implementation
- Seeks continuous learning and improvement
- Sets and achieves high standards of performance  

Readers, what values and behaviors have I missed?         

A recent CIO Magazine CIO2CIO Program Study reported the detailed findings of a Business Service Management survey conducted by IDG Research Services. It provided insight into the advent and role of service management in IT organizations worldwide, but there were two items that I found particularly interesting.

The first was regarding the "Importance of IT Priorities in the next 12 months." "Aligning IT with Business Priorities" got top ranking. It received an importance rating of 4 or 5 (out of 5) in 75% of the 300 worldwide surveys and a whopping 87% in the 100 U.S. surveys. I loved seeing this because aligning IT with the Business is the first and foremost principle of IT Governance, and I am, after all, an IT Governance Evangelist.

The second item I found interesting--in an eyebrow raising sort of way--was the professed familiarity with the term "IT Governance." 38% of the global respondents claimed to be "very familiar". The figure was 62% in the U.S.

So there are more people who consider aligning IT with the business a top priority than there are people who are "very familiar" with ITG. That means we're in for some very disappointed businesses--or some very overworked ITG practitioners. You can't have IT alignment with the business without ITG. It's just not possible. I say "IT and business alignment," you say "IT Governance."  

Of additional concern to me is that the "familiarity with ITG" figures are probably overstated. In my experience speaking with groups as large as three hundred and as small as three, I have yet to see a consensus within a group as to what IT Governance really is. This holds true even if the people are from the same company, which is why I am frequently asked to present to individual enterprises for the express purpose of "getting everyone on the same page." I suspect that the 38% global and 62% U.S. figures for those who self-assessed as "very familiar" with ITG would have to be severely reduced if meant to reflect those who are really "very familiar." 

Clearly, my work is cut out for me. I'm challenged to turn the "somewhat familiars" into "very familiars" and to make sure that the "very familiars" are really "very familiar." This familiarity will result in the application of ITG to achieve the high priority business alignment.

Readers, are you "somewhat familiar," "very familiar" or really "very familiar"? What makes you think so?  

I learned about an interesting survey in a CBR article entitled "Corporate boards not serious about IT Governance measures: survey." The study was conducted by IT Governance Ltd, a UK company founded by Alan Calder, an internationally recognized ITG authority and author of numerous books on the topic. The survey results were disturbing-though not surprising. At least to me.

The survey validated something I learned from my own experiences traveling around the world discussing IT Governance. That is, corporate boards, the premier governing bodies of corporations around the world, are not driving ITG.

Of the 100 technology and compliance professionals surveyed, only 12% said their businesses operate board-level oversight of IT resources. The study also cited the lack understanding of the IT risks posed to the business and noted less than half of the respondents had implemented governance frameworks.

Despite the IT Governance Institute's contention that IT Governance is driven by the Board of Directors, few boards are doing so. In all my travels (and I have A LOT of frequent flyer miles), I have only encountered two organizations with board-driven IT Governance initiatives--one in the U.S, and one in New Zealand.

Alan Calder cites the "relaxed attitude of many boards toward their governance obligations." He believes they tune out the stories of lost customer data and expensively failed IT investments or they think it is a problem for somebody else to fix. He warns of the costly fines meted out by regulators and suggests that boards exercise the same governance over IT as they would over finance and marketing.

Despite the threat of fines and the board members' increasing understanding of information technology, I don't expect boards to start governing IT as they govern other business units any time soon. Except for the most sophisticated among them, for the foreseeable future, I believe they will continue to treat IT as being unique and different and therefore beyond standard governance oversight.

So I will continue to deliver my recommendations in regard to IT Governance. CIOs should not wait for a Board mandate. IT should take the initiative to establish IT Governance mechanisms because it makes good business sense.

If "good business sense is not enough," the IT Governance Institute's five principles of IT Governance should provide plenty of incentive. All together now, repeat after me:

• IT is aligned with the business
• IT brings value to the business
• IT manages risk
• IT manages resources
• IT manages performance

Readers, who or what drives IT governance in your organization?

Should IT managers become acquainted with formal project management methodologies? I was recently asked this question in an interview for an Insurance Networking News article entitled "IT Project Management Keeps the Business on Track." I answered yes, of course. But that is just tip the of the IT manager's education iceberg.

For years I have provided incentives to my managers to obtain Project Management Institute (PMI) Project Management Professional (PMP) certification. In addition to the applicability of the discipline in the day-to-day management of work, this knowledge creates a common understanding between IT Managers and Projects Managers. This understanding is a prerequisite to effective collaboration, which is critical to project success. This philosophy extends to other IT disciplines as well. I absolutely believe every process and function in IT is critical to IT Governance success so the more IT leaders know about them the better.

I am a Certified Information Systems Security Professional (CISSP) because I recognize the ubiquitous nature of security in an IT environment. The three tenants of Information Security are confidentiality, integrity and availability. What in IT doesn't contribute to those principles? Though I have never held a position in a security organization I have greatly benefited from being on the same page as my security counterparts - who greatly contribute to the goals of IT Governance.

I obtained my ITIL® Foundation certification realizing ITIL is the premier framework for a service management approach to IT. The framework also contributes significantly to meeting many of the objectives of IT Governance.

I am a member of the Project Management Institute (PMI), the Information System Security Association (ISSA), the current President of the itSMF (Information Technology Service Management Forum) San Francisco Local Interest Group, and a member of the Information Systems Audit and Control Association (ISACA), where the IT Governance Institute was born.

My certifications in these disciplines and my participation in their professional associations provides a wealth of knowledge and insight. This helps immeasurably in my ability to collaborate with groups in IT who often feel misunderstood, like Security, Operations, IT Audit and Project Managers.

I believe all IT Leaders would greatly benefit from being acquainted with these critical disciplines. The knowledge and insight would provide a fantastic foundation for mutual understanding, common values and goals, and stellar collaboration.

Readers, what certifications have you found to be valuable?

ITIL® is a Registered Trade Mark, and a Registered Community Trade Mark of the Office of Government Commerce, and is Registered in the U.S. Patent and Trademark Office.

Michael Krigsman interviewed CA Marketing VP David Hurwitz and I for his "Rearranging the Deck Chairs: IT Project Failure" blog on ZDNet. You may be interested in the posting entitled "Project portfolio management and IT governance." We talked about the cause and affect of the lack of robust IT Governance and the propensity for IT projects to fail. While it contains no direct quotes, you're sure to recognize the source of the reference to the five IT Governance Institute principles.   

In the December 20, 2007 issue of CIO Insight, Allan E. Alter published a research article entitled "CIOs Rank Their Top Priorities for 2008." 250 CIOs were surveyed about their top priorities for 2008, resulting in three lists of top ten priorities for business, management and technology. Each area was interesting but the management priorities most caught my attention.

I was actually very glad to see that "IT Governance" was not mentioned by name in the management list. I dare to hope this is due to the understanding that each of the listed priorities is already an aspect of IT Governance. In any case, it was great to see the ITG principle of "Improving alignment with business objectives" as the #1 management priority. What I found perplexing was seeing "Instituting ITIL" as the #9 priority.

ITIL®, the premier Service Management Framework, is all about the integration of IT and Business processes. This integration is critical to business alignment and moving IT from a system-centric perspective to the more customer-focused service-centric perspective. It appears the survey respondents did not make the connection between business alignment and ITIL.

I am a major proponent of the ITIL Framework. I became ITIL Foundation certified in 2003 and have been an active member of itSMF ever since. I so believe in this discipline that I accepted the position of President of the San Francisco itSMF Local Interest Group (LIG) for 2008. The advent of ITIL Version 3.0 (released last year) and the selection of San Francisco (my home) as the host of the 2008 National itSMF Conference, Fusion 08, promises to make 2008 an exciting year for our LIG.

I see a direct correlation between IT Service Management (the goal of ITIL) and business alignment, and to an even greater degree, to IT Governance. Effective IT Service Management contributes to each of the 5 principles of ITG articulated by the IT Governance Institute (and by now familiar to readers of this blog):  

• Ensuring IT is aligned with the business
• Ensuring IT provides value to the business
• Ensuring IT manages risk
• Ensuring IT manages resources
• Ensuring IT manages performance

After reviewing the CIO Insight research article I can only assume that many IT organizations still need to be educated about the strategic significance of ITIL. More specifically, IT Leaders must learn that ITIL is all about alignment with the business.

My association with itSMF has provided the opportunity to be involved in numerous activities promoting IT best practices through the utilization of ITIL. In my new role as President of our Local Interest Group, I look forward to continuing the advancement of our organization's mission. The CIO Insight research shows that we have our work cut out for us.

ITIL® is a Registered Trade Mark, and a Registered Community Trade Mark of the Office of Government Commerce, and is Registered in the U.S. Patent and Trademark Office.

I've been an official "IT Governance Evangelist" for just over a year. During this time, I have spoken on IT Governance in 49 cities. I know this because my family tacked pins in a corkboard map to track my travels. While I have experienced different accents, customs, landmarks, architecture, geography and weather, what strikes me most after a year of near-nonstop travel are the things that are the same. Two come quickly to mind.

The first is the sincere and unending desire of the people I meet to improve the performance of their IT organizations. They attend my presentations in the hope that IT Governance, and more specifically Project and Portfolio Management and PMOs, can make things better. They are there because they care and want to do more for their enterprises. I truly enjoy that each of my visits has this in common.

The second is not so warm and fuzzy and I don't enjoy it at all. It is the common list of problems and issues each person I meet lives with day in and day out. I know this because of a slide I include in most of my presentations entitled "Sound Familiar?" It includes the following bullets:

• We don't have enough resources to get the work done.
• We don't prioritize our projects, or every project is a #1 priority, or our priorities are constantly changing with no explanation.
• In our organization, there is no real portfolio management.
• Everyone is doing end runs around the approval process.
• Funding tends to be very political. 
• We get funding to build duplicate systems for different business units and the end result is an ever-growing set of unsupportable redundant applications.
• We can't kill a project and if we do it always seems to show up again.
• We never have any objective measurements to overcome the politics in decision-making.

I have used this same slide for the past year to "connect" with the audience. I am saddened to say that it is very effective. The room laughs, snickers and shakes their heads in knowing unison. By the time I finish elaborating on each statement there is that sense of fraternity that results from misery loving company. The group is then ready and eager to hear how IT Governance, Project and Portfolio Management, PMOs and the automation to support them can address these issues.

I have already updated my presentations for 2008. I have made some content and formatting changes, but my "Sound Familiar?" slide has remained unaltered. I will continue to use it to connect with the people I am trying to help.

I very much look forward to the day when I present the list and people shake their heads, not in recognition, but in question. The advent of effective IT Governance, associated Project and Portfolio Management processes, and effective PMOs will bring that day. Instead of having the list of problems in common, the thing they will all share is the question, "What the heck is this guy talking about?"

That trip will be marked by a special pin on the map.

Is simplifying always a good thing? I recently read a Forrester report entitled "How CIOs Should Spend Their Day" describing a formula for how CIOs should allocate time among their various constituencies. In short, Forrester invokes its 30-30-30-10 model to force "disciplined balance across constituents, which are classified into four groups: above, across, below, and yourself." Forrester goes on to say, "This time model will keep IT front-of-mind in the business and allow CIOs to do what they do best: proving and delivering IT value to the enterprise."

Though I agree with the principles of the article and the articulation of the constituents on which a CIO should focus, the model used to allocate time to each is oversimplified. Yes, each constituent requires the CIO's attention, but I believe the amount of time devoted to any one constituent is dependent on the following critical variables:

• The nature of the business and resulting IT archetype
• Current strategic goals and objectives
• Tactical and operational necessity

It is easy to see how different conditions and circumstances associated with the variables listed above should influence how much time a CIO devotes to the four constituents Forrester describes.

Again, I agree with the Forrester article in principle, but I think it suggests an over-simplified solution to a complex problem. I concur with the notion of a disciplined balance of time allocation across constituents but I don't believe a set formula should be prescribed for all CIOs. It is incumbent on the CIO to consider and assess the state of the variables above. This will enable them to appropriately determine how much time they allocate on each constituent, ultimately optimizing their time. Is this difficult? Yes. Is there a simple formula? No.

So this article left me with more evidence of our unending desire to come up with simple answers in a world that is increasingly complex. I think we want to make things simpler than they actually are. This thought stopped me in my tracks.

Our message at CA is Unify and Simplify. Was I in defiance of this message? From its inception, I had always agreed with the Unify and Simplify message as its implied benefits were so obvious it was easy for me to immediately advocate and support. Did my response to this article put me at odds with a key goal of my company?

A light bulb came on. At CA, we are not trying to make complex things simple, thus defying their complex nature. We're trying to help enterprises simplify aspects of their Information Technology capability that are unnecessarily or needlessly complex. Our solutions reduce or eliminate complexity so they can unify and simplify IT management and decision-making. 

Phew! That was a close one!

I recently was asked how we should teach future IT leaders, and I couldn't hold my ITG tongue for long. This is what happened:

I was recently invited to attend the Board meeting for the Center for Electronic Business, which is sponsored by San Francisco State University. The mission of the CEB is "to promote interaction among students, faculty and practitioners that results in the sharing of knowledge, experience, and expertise in electronically-based business activities, and to foster cooperation and collaboration among participants through joint applied research, sharing of best practices, student internships and related programs."

One of the agenda items was a general discussion on curriculum content for the university's MBA Information Systems Program. The vastness of technology related information coupled with the incredible rate of change creates a significant challenge for academic institutions. What should they be teaching graduate students who want to lead our information technology enterprises and organizations of the future?

The list of required and elective courses currently offered at the graduate school includes the following:

• Building Advanced Business Applications with Java...C+...COBOL (!)
• Internet and World Wide Web Business Applications
• Business Application Design and Development with .NET
• Object-oriented Business Applications Development
• Information Systems Projects
• Software Testing for Quality Assurance
• Information Security and Governance

Members shared ideas on what was being offered today versus what should be offered in the future. The discussion focused largely on specific areas of technology, frameworks and theories. Their greatest challenge is ensuring the curriculum is relevant and stimulating while preparing graduate students for the challenges that lie ahead.

Being new to the forum, I wanted to observe and absorb before offering opinion. I was especially hesitant due to the significance of the question being raised: What do we teach? I did my best to listen intently and focus on the points being made. I say I did my best because I had a very immediate response to their quandary.

My good friend Mike Nelson, President of SecureNet Technologies, saw me struggling to hold my tongue. Mike has known and worked with me for almost 20 years and had sponsored my invitation to attend the meeting because he thought it was a great fit and was intrigued at what I might offer.

The other members of the Board noticed Mike's attempts to prod me into speaking up. As the group's attention turned to me I quickly voiced my reluctance and begged their pardon. I was new to the group and this was a meaty subject at the heart of their purpose. I was sharing a forum with academic leaders and participating in their field on their turf. Though I was not intimidated, I was very respectful.

The Board is comprised of an intelligent, affable and unpretentious group of people who are inquisitive and genuinely open to new ideas. They encouraged me to share my thoughts.

I told them I found myself responding to the question of "What to teach" with the same reply I give to people in IT who ask, "What should we do?" My answer is the same--IT Governance.

My rationale is based on the reality that technology, frameworks, methodologies and approaches will constantly and forever change. What does not change are the IT Governance processes they enable:

• Integrated Business & IT Planning
• IT Investment Assessment, Prioritization, Funding & Benefits Realization Accountability
• IT Financial & Resource Allocation
• Project Prioritization and Decision-making
• Emerging Technology Evaluation & Adoption
• Client Relationship Management
• Building & Maintaining Applications & Infrastructure
• Provisioning of IT Services
• Outsourcing Services
• Audit & Risk Management
• Architecture Management--Standards and Review

I contend that everything we do in IT falls under one or more of these IT Governance processes. I also believe these are the processes that all IT concerns should execute to meet the five principles of IT Governance articulated by the IT Governance Institute (ITGI), which I have written about previously in this blog:

• Ensure IT is aligned with the business
• Ensure IT delivers value to the business
• Ensure IT manages risk
• Ensure IT manages resources
• Ensure IT manages performance

So my reasoning was if they taught these subjects, their curriculum foundation would never need to change. The content and subject matter would change as technology, frameworks, methodologies, etc. changed, but the class titles would remain the same.

They were intrigued by my ideas and we adjourned shortly thereafter. That evening I received a note expressing appreciation for my involvement and inviting me to join the Board as one of their Industry Members.

I am very excited at the prospect of evangelizing IT Governance to the technology leaders of the future.

I recently spoke at an Executive Leadership Conference CA sponsored in Los Cabos, Mexico. The opportunity to visit such a wonderful destination was enticing, but it was the prospect of presenting my ideas about IT Governance (ITG) to a room full of CIOs that provided the greatest thrill.

I talked about the value of IT Governance and how Project and Portfolio Management (PPM) is a good place to start when approaching ITG. I provided a brief overview of each of the ITG processes to demonstrate the ubiquitous nature of the discipline. I then went into more detail on PPM processes to substantiate why PPM is a good place to initiate their journey into IT Governance. As in all of my ITG presentations, I stressed the processes required and the importance of great process management discipline.

Jose Mora, CA Product Marketing Director, joined me to give a CA Clarity presentation. All went well despite the language barrier. (Yes, surnames aside, Steve Romero and Jose Mora both spoke in English to a fortunately bilingual audience.) Little did I know that I would soon go from being pleased to being outright delighted with the conference.

The final items on the day's agenda were the roundtable discussions focused on Governance, Management or Security (following CA's three Enterprise IT Management pillars of Govern, Manage and Secure). Of the 38 conference participants, 16 chose the Governance roundtable.

I insisted they speak in their native tongue, which I knew would make their conversations more productive. I was content to stand by for any questions they might have or insights they may have wanted me to share. They wasted little time getting started; passionate and animated exchanges quickly ensued. Their level of enthusiasm would have been gratifying enough, but what pleased me the most was a word I heard repeated again and again--processo.

It began as a smattering of the word here and there, but by the mid-point of the forum, it was constant--processo, processo, processo in almost every sentence!

I am an IT Governance Evangelist because I believe in what IT Governance enables an enterprise to achieve. I am passionate about it and I love sharing that passion. I am even more passionate about process management.

I know process management is all about an acute and unyielding focus on the customer - and delighting that customer. I know good processes and good process management result in making work possible and practical. I know process management executed correctly is enabling, empowering and even liberating for people participating in the process. So hearing processo again and again was joyful for me. But it gets better.

The long day was followed by a magnificent dinner on the beach. It was a great way to conclude the event and it provided me the opportunity to have one-on-one conversations with some of the participants.

One of the CIOs sought me out because he wanted to talk to me about process management. At the end of our conversation he told me he was going to meet with his CEO and ask for funding to staff a Process Consulting group. Somehow I expressed my endorsement without jumping up and down and hugging him.

I ran an IT Process Consulting Group as part of my IT Governance organization in a previous position. It was a task force formally and primarily dedicated to IT Governance and Process Management - the product of my passion and a very forward-thinking CIO. Though I suspect they must be out there, I have yet to personally encounter another organization with an internal staff dedicated to providing process management consulting services to their enterprise.

Our systems and solutions are nothing if not accompanied by good processes. Without good process management, our processes are barely worth the paper on which they are printed. I know how critical the discipline of process management is, and I believe every organization should have people dedicated to providing process management expertise and ultimately ensuring process success.

I was overjoyed to witness this CIO's conviction to convince his leadership to invest in the discipline of process management. I bid the CIO good luck and managed to express my sincere desire that he succeed while barely maintaining a professional demeanor.  Inside, I was delirious.

Viva Processo!

I recently spoke at the Oceania CACS (Computer Audit, Control and Security) IT Governance Conference in New Zealand, sponsored by the Sydney, Australia ISACA Chapter. (My topic was "IT Governance - Empowering the Confident CIO," but more on that in a future blog.) I arrived very early on day two, having lost day one on the flight from California. I managed to attend a couple of IT Governance sessions after a shower and brief how-do-you-do with the welcoming and hospitable Kiwis running the conference.

One of the two sessions I attended focused on the intriguing notion that there is no such thing as IT Governance. Being an IT Governance Evangelist who was speaking at an IT Governance conference, which was themed "Practical IT Governance in a Connected World," well, let's just say that my curiosity was piqued.

The speaker contended that there is no such thing as Information Technology Governance (ITG) and that the theme of the conference should instead be the Business Governance of Information Technology (BGIT).

Acronym implications aside, I did find it easy to accept the notion that the IT Governance frameworks, approaches and methodologies being discussed at the Conference are just as applicable to the business as they are to IT. I found it insightful when showed how the CobiT Framework could be applied to the Marketing, Sales and HR organizations - reinforcing the contention that the governance of IT should not be thought of as unique, just as the governance of other business units is not considered unique, but rather business as usual. The speaker promoted the idea that it is the business and not IT that should be driving IT Governance - governing IT just as it governs other business units.

While I agree with every aspect of this position, I strongly disagree with the conclusion that there is no such thing as IT Governance.

The IT Governance Institute (ITGI) rightfully contends that IT Governance should be driven by the business and more specifically by the Board of Directors. When ITGI formally documented the notion of IT Governance it was because it recognized the need for "business governance of IT" just as the speaker suggested.

The fact that very few ITG initiatives and endeavors are driven by the Board of Directors or, for that matter, the business, doesn't change the fact that ITG by definition is business governance of IT. And though I applaud the idea that governance of IT should be synonymous with the governance of all other business units, I also believe there is a valid need to focus on ITG and dedicate frameworks, approaches and methodologies to achieving its goals.

Consider that ITG was born because the governance mechanisms that evolved from the beginning of Board oversight of an enterprise did not serve the governance of IT. For years IT was relatively ungoverned. It is generally accepted that we need to establish the governance necessary to ensure:

• IT is aligned with the business
• IT brings value to the business
• IT manages risk
• IT manages resources
• IT manages performance

So whether we call it BGIT, or ITG, I think an acute focus on the discipline of IT Governance will be necessary for years to come. I look forward to the day when governing IT is considered just another component of governing the entire enterprise.

But until that change takes place, I'll be keeping my title.