Boards of directors are growing increasingly nervous about their companies' dependence on IT, and with good reason. IT accounts for more than 50 percent of capital spending in some companies. But there are no standards for IT governance as there are for areas such as accounting and compensation. In a comprehensive article in this month's Harvard Business Review, Richard Nolan and F. Warren McFarlan lay out an IT governance plan. McFarlan, professor emeritus at Harvard Business School, told Kathleen Melymuka how boards can get a grip on IT.
So the first step toward IT governance is to determine whether the company's reliance on IT is defensive or offensive. Can you explain?
In offensive mode, you're doing things that will give you a significant increase in market share, measurable improvement in service and significant reductions in cost to allow you to better position yourself vis-a-vis the competition. There's a certain amount of risk: Pioneers get arrows in their backs, then the settlers come in behind.
In defensive mode, you see a trend in the industry, and you move quickly to close the gap.
Tell me about the strategic impact grid.
This formulation has been the framework for all my corporate information systems strategies. At the core is a contingency approach to IT management: There is no right way to plan, organize, take risks; it depends on who you are.
There are two critical dimensions. On the vertical: How important is it that your operations run in a bulletproof, reliable, secure, 24/7 [environment with a] subsecond response time? The higher you go, the more you need to spend on backup and security. The horizontal dimension is the strategic impact of what you have under development. Is it really important in transforming the organization offensively? Or is it nice, useful, solid but not really transforming the organization?
The grid has four quadrants. Tell me about those.
The support quadrant is where what's under development is not a huge deal, and if your networks go down, it's not the end of the world. About 5 percent to 8 percent of the IT world is in that quadrant.
The factory quadrant is almost 40 percent. There it's a huge deal if things go down, but if you're late on ERP or other innovations, that's irritating but not the end of the world.
The strategic quadrant is where what's under development is unbelievably important and there is huge reliance on systems day in and day out.
In the turnaround quadrant, what's under development is important, but if your networks go down, it's not the end of the world. Research firms are in this [area]. They may have an eight- or nine-year lead time, so they can take more roughness in the back network than the bank that's running ATMs.
How involved does the board need to be in the various quadrants?
In the strategic mode, it needs to be really involved. Basically, it's a major investment of corporate resources. Over half of capital investment tends to be in this area. There are new initiatives, and the board needs to have a view as to how the company positions itself, where it lies within the industry and whether the back office is being managed in the way it should be for the organization.
This is particularly important now because of Sarbanes-Oxley. The typical audit committee is taking three times longer than it took a few years ago. Since we don't have infinite time, when boards make a shift like that, what gets squeezed is strategy.
How involved should the board be when the company isn't in strategic mode?
We ask for different levels. At the factory quadrant, for example, it's very important to have a member of the board who is actually versed in IT -- an expert to say, "Are the best-practice things being done here?" But in the spirit of the contingency focus, the big, broad focus on IT needs to be in those organizations in the strategic quadrant.
How do you set up the board's IT governance committee, and who's on it?
The IT governance committee includes at least one person deeply knowledgeable in the technology, and the other people have a feel for how the company is competing and are able to ask the necessary questions.
How likely is it that a given board will have that level of IT expertise?
You go out and rifle-shoot. Procter & Gamble, for example, has a technology innovation committee, and Scott Cook, the founder of Intuit, is there to ask the challenging questions. The boards of companies that are in the strategic quadrant are doing this.
Your article gives a very comprehensive set of instructions. What's the most important single thing for getting it right?
The most important thing is to understand that we are living in a fast-changing, information-intensive economy. Many of the board members are not really focused on this as something that's turning the organization inside-out. This is a wake-up call to make sure that your organization isn't asleep at the switch in the Information Age. We've got examples out of the past: In 1984, there wasn't a single IBM board member who had a PC. Today, you can't be running an organization without understanding IT.