Over the past decade, the media has deluged us with stories about corporate governance and the problems that ensue in its absence. Enron, WorldCom, Global Crossing, Tyco, Fannie Mae and Freddie Mac are among those embroiled in some of the most publicized financial scandals that have racked large public entities.
But how does the government approach IT governance, and what are the opportunities for improvement?
In the corporate setting, governance is most simply defined as a set of processes, customs, policies, laws and institutions affecting the way an organization is directed, administered or controlled. The shareholders, management and board of directors are the principal players focused mainly on the issues of accountability and fiduciary duty.
Several events triggered the development of robust corporate governance practices. The Wall Street Crash of 1929 was the catalyst, especially with respect to creating a link between shareholders and a company’s board of directors.
During the U.S. expansion after World War II, multinational corporations began to emerge, as well as the establishment of management separate from the board of directors, requiring a link between the board and corporate officers. More recently, financial scandals have brought to light lapses in the oversight of large corporations, which are mainly owned by institutional investors who may have been more prone to sell their stake than attempt to replace management. The most recent scandals have led to more government regulation of public companies, with the Sarbanes-Oxley Act being the most prominent example.
To understand the implications of corporate governance within federal agencies, just replace the term “corporation” with “organization” (standing for department or agency). The same relationships apply between taxpayers (owners), federal appointees and executives (management) and Congress (the board of directors). At a more granular level, agencies have oversight organizations — such as inspectors general, the Government Accountability Office and the Office of Management and Budget — and internal management committees to oversee and monitor compliance. Most companies have similar mechanisms in place as well.
Information technology governance is probably best defined as the leadership, structures and processes that ensure that an organization’s IT sustains and extends the organization’s strategies and objectives. It should not be considered an isolated discipline but an integral part of the overall governance framework.
The pervasive use of technology has created a critical dependency on IT that requires a specific focus on IT governance. Successful organizations understand and manage the risks and constraints of IT, and consequently, boards and executive management understand its strategic importance and the need to govern it. The overall objective is to ensure that the organization can sustain its operations and implement strategies required to meet future objectives using IT.
Boards and executive management expect IT to facilitate organizational strategy by delivering business value and return on investment and by creating organizational effectiveness through efficiency and productivity gains. Of course, there are situations where IT does not meet these expectations, where organizational leadership is faced with failure, and as a result, the organization may not meet its overall goals.
IT governance frameworks must include items unique to the organization, but certain objectives are universal:
The IT governance process starts with setting objectives for the organization’s systems, providing initial direction. From then on, a continuous loop of measuring performance, comparing results to objectives and making course corrections should take place. The board and executive management drive the direction-setting process, but multiple organizational layers play roles in the ongoing management process.
To carry out its role in IT governance, an organization’s leaders need regular briefings from IT on project risks, must include IT as a regular item on the management agenda, need to communicate the organization’s objectives for IT alignment, must make and monitor IT investments, and should seek independent assurance on the achievement of IT objectives and the containment of IT risks. Does your organization’s leadership do this?
Although the government has employed an array of IT management techniques over the years, the IT Management Reform Act of 1996 provided the impetus for the processes now in use. The Clinger-Cohen Act formally established the CIO position and enumerated specific responsibilities to the Office of Management and Budget and to agencies’ CIOs.
As the practices established under Clinger-Cohen have matured, agencies have incorporated new techniques and initiatives to improve IT governance, such as earned value management and other tools to better manage the government’s IT infrastructure as a single enterprise.
Congress performs oversight of federal IT through investigations, Government Accountability Office reviews and hearings. OMB provides direction and performs executive branch oversight through the Office of E-Government and IT, using the CIO Council as a mechanism for coordinating policy. This is important work because the scope of federal IT is enormous and the capabilities of organizations involved in overseeing it are rather modest.
In reality, agencies perform the lion’s share of IT governance work, with the CIO in charge of implementation. Much of this work focuses on coordination, planning and oversight. Some agencies lean heavily toward centralized operations, but many leave day-to-day systems operations to the component agencies.
The government has made major improvements in IT management over the past decade. The phases involving planning and justification of IT investments are well developed from a policy perspective and fairly mature from an execution standpoint. Somewhat less well-developed are the phases involving the implementation of plans. Gaps remain in policy, guidance and the ability to execute, despite the improvements made and the attention given to this area. Overall, agencies have defined and implemented IT management processes sufficiently to practice effective IT governance.
The CIO is critical to governance. That official must champion IT within the organization and lead the IT management process. Only the CIO can ensure the components of the process are effectively defined, organized and executed, as well as integrated into management decisions. Perhaps most important, the CIO needs to be outwardly focused on other C-level and program peers and upwardly focused on the organization’s senior leaders.
To be effective, the CIO must be recognized as having a solid understanding of the agency mission, its management processes and its challenges. Ultimately, the CIO must evangelize how IT can support the mission, carry out management and overcome the challenges. IT governance needs to be a team sport across the organization, with the CIO being cheerleader, coach and star player.