Company size matters: Perspectives on IT Governance

Transcription

1 Company size matters: Perspectives on IT Governance versus large Canadian organizations and IT Governance

2 PwC conducted research for the 4th edition of the IT Governance Institute s (ITGI 1 ) Global Status Report on the Governance of Enterprise IT (GEIT) published January 20. Comparing the results of global and Canadian data sets, PwC s research found that Canadian organizations need to focus on two areas of IT governance: enterprise architecture and cost reduction. The PwC report, Canadian business perspectives on the governance of enterprise IT (GEIT) can be found at: In April 20, PwC prepared a sub-section of data from the Canadian respondents that reviewed the differences in how Canadian small businesses (less than 00 employees) approach IT governance compared to larger firms (more than 00 employees). The results from the sub-section of data showed that smaller firms in Canada have lower IT maturity and require more formal structure and improved IT governance. 1 ITGI is the research affiliate of ISACA, a global non-profit, independent membership association with,000 consultants in 0 countries. The full report is available as a free download at

3 The contribution of IT to the business IT s value contribution to the business is generally perceived more positively by respondents from larger organizations. All respondents from larger organizations agreed or strongly agreed that IT investments create value for the business, compared to 8% of respondents from smaller organizations. At the same time, smaller companies are more satisfied with IT service levels than larger companies. Almost half of respondents from small companies strongly agreed that IT service levels meet their business needs, as compared to only 18% of larger company respondents. Ensuring that IT service levels meet business needs may be easier to achieve in smaller organizations as IT requests are typically less complex and IT service providers may have fewer conflicting demands. r companies view their IT departments as being more agile than smaller firms, with 82% of large company respondents agreeing or strongly agreeing that IT enables rapid business change compared to 48% of smaller company respondents (see Figure 1). An organization s enterprise architecture (EA) is a key determinant of agility and flexibility. er organizations have a lower overall maturity in governing EA (see page 2) which may contribute to the lower levels of agility. This is an important improvement area for smaller organizations, where the right GEIT mechanisms can ensure that there is a focus on agility and flexibility in IT decision-making (see Figure 1). Figure 1: The contribution of IT to the business IT s value contribution to the business is generally perceived more positively by respondents from larger organizations IT investments create value for the business 64 3 IT service levels meet the business needs IT supports the business strategy IT enables rapid business change IT supports business regulation and compliance Strongly agree Agree Neither/nor Strongly disagree/ Disagree/ Don t know Company size matters: Perspectives on IT Governance 1

4 The governance of enterprise architecture (EA) Overall, the maturity of smaller organizations in the governance of EA is lower, with fewer respondents using or planning to use most governance mechanisms. Interestingly, very few smaller company respondents operate with a formal framework in place to govern enterprise architecture. Only % of small companies use a framework for the governance and management of architecture (such as The Open Group Architecture Framework i.e. TOGAF) compared to one-third of larger company respondents (see Figure 2). 63% of business respondents from small organizations describe the IT role as proactive In addition to frameworks, specific focus areas for smaller organizations that want to improve the governance of Enterprise Architecture include enterprise architecture principles, defined architecture processes and defined technology standards. Figure 2: The governance of enterprise architecture A framework for the governance and management of EA, such as The Open Group Architecture Framework (TOGAF) Enterprise architecture principles with which all IT initiatives need to comply Structures such as an architecture review board or committee Defined architecture processes Defined technology standards Exists Planned Does not exist PwC

5 The head of IT as a member of the senior management team The head of IT (CIO, IT manager or equivalent) was more frequently mentioned as a member of the senior management team by respondents from larger Canadian organizations (86% compared to 74% of small organizations); see Figure 3. Since smaller companies have fewer executives on their senior management team, there may be a lower probability for the Head of IT to be included. The role of IT in the organization Both business and IT respondents from smaller companies described IT s role as proactive (68%). Business respondents, particularly from smaller organizations take a more positive view to IT s role than their counterparts in larger organizations (see Figure 4). Business respondents from smaller companies may be closer to their IT departments and might have more insight into their activities. In larger companies, transparency could be improved between the business and IT. Having the right GEIT mechanisms, such as governance structures and processes is a key enabler for transparency. Figure 3: Head of IT as a member of the senior management Figure 4: Role of IT in the organization Member of senior management team Business respondents describing the role as proactive Heads of IT describing the role as proactive All respondents describing the role as proactive 68 Company size matters: Perspectives on IT Governance 3

6 Planned IT initiatives Most planned IT initiatives were more frequently mentioned by respondents from larger Canadian organizations. Drastic respondent differences were seen in green IT/sustainability initiatives (0% for large organization compared to % for small organizations), major IT system implementations or upgrades (64% for large compared to 37% for small) and the outsourcing of IT service (% for large compared to % for small). The main initiatives planned by smaller organizations are data or information initiatives, IT cost reduction initiatives and major system implementations or upgrades (see Figure ). These are complex initiatives that often involve multiple stakeholders from business and IT and which reinforce the need for the right governance mechanisms. IT-related issues experienced in the past 12 months In general, respondents from smaller Canadian firms cited IT-related issues as less of a concern than larger companies i.e. larger companies faced more challenges than smaller ones in areas such as return on investment not as expected (23% for large companies; % for small) and IT security or privacy incidents (23% for large companies; % for small), concerns relating to an insufficient number of IT staff (almost half of large companies; % for small), and insufficient IT skills (% for large companies; % for small). See Figure 6. Figure : Planned IT initiatives Figure 6: IT-related issues experienced in the past 12 months Green IT/ sustainability initiatives 0 Increasing IT costs 3 Outsourcing IT services Return on investment not as expected 23 Changing internal IT costing arrangements Serious operational IT incidents Data or information initiatives IT supported compliance initiatives IT risk management initiatives IT cost reduction initiatives IT security or privacy incidents Problems with external IT service providers Insufficient number of IT staff Insufficient IT skills Problems implementing new IT systems Major IT system implementation or upgrades IT disaster recovery or business continuity issues Major IT infrastructure initiatives 4 4 PwC

7 er company respondents indicated that increasing IT costs, problems implementing new IT systems, as well as IT disaster recovery or business continuity issues, are more frequently experienced. Major system implementations may be especially challenging for smaller companies that have fewer resources at their disposal and that may take a less structured approach to aspects such as change management and training. The right governance over these initiatives can ensure the involvement of all the required stakeholders and an adequate focus on change management, communication and training. Figure 7: Prematurely-ended IT projects Percentage of respondents mentioning the premature termination of an IT-related project Figure 8: Drivers for GEIT activities 14 Prematurely-ended IT projects Respondents from smaller Canadian organizations mentioned the premature termination of an IT-related project less frequently. This may be due to less complex projects in these environments, and therefore a lower probability to fail or have significant enough scope or requirement changes to be prematurely terminated (see Figure 7). Drivers for Governance of Enterprise Architecture (GEIT) activities Ensuring that current IT functionality is aligned with current business needs was the driver for GEIT activities for both small and large companies, but was more a concern for 0% of larger company respondents compared to almost 33% of smaller company respondents. Often, larger companies experience greater alignment challenges given the complex nature of their environments. er company respondents cited avoiding negative incidents as a driver for GEIT activities (% compared to only 14% of larger company respondents). It was seen earlier that increasing IT costs have been an issue for 3% of smaller organizations in the past 12 months, yet it is mentioned as a driver for GEIT activities by only % of respondents from these organizations (see Figure 8). er organizations need to understand the role that GEIT mechanisms can play in managing IT costs, for example ensuring that the total cost of ownership is considered during investment decisions, driving re-use, and making decisions that consider the needs of the whole organization versus individual business units or functions. Avoiding negative incidents Managing costs Ensuring that current IT functionality is aligned with current business needs Increasing agility to support future changes in the business Achieving better balance between innovation and risk avoidance to improve return Complying with industry and/ or governmental regulations 14 8% of small companies (vs 4% of large companies) plan data or information initiatives 0 Company size matters: Perspectives on IT Governance

8 Level of GEIT measures in place Figure : Level of GEIT measures in place The governance of IT is a higher priority in larger Canadian organizations as demonstrated through higher maturity profiles. Eighty-six percent of respondents from larger organizations have at least some ad hoc GEIT mechanisms in place or higher level of maturity; only 37% of respondents from smaller organizations claim this level of maturity or higher (see Figure ). None of the respondents from small organizations reported that they have a performance measuring system in place or that they are continuously optimizing IT governance processes. Many of the respondents from smaller organizations understand that IT governance is an issue and are starting to define what needs to be done (42%). er organizations need to ensure that they have the right level of governance in place for their unique circumstances and needs. This should start by defining key decisions in different domains and require involvement of both business and IT stakeholders. This decision-making model can be used to drive the design of optimal IT governance structures and processes. We do not think that this is important We understand that this is an issue but are just starting to assess what needs to be done We are well aware that this is important and we have a number of ad hoc measures in place We have well-defined governance of IT measures and processes in place We have well-functioning governance of IT processes and a performance measuring system in place Our processes relating to governance of IT are continuously optimized Don t know Factors that influence the implementation of GEIT practices The culture of the organization, its way of working and human factors influence GEIT implementations in large Canadian organizations. This may be the result of larger organizations often having more intricate cultural dynamics, which are an important consideration during GEIT implementations. For 63% of respondents in smaller organizations, business objectives or strategy play the most significant role, compared to 41% of respondents in larger organizations (see Figure 10). Figure 10: Factors that influence the implementation of GEIT practices The culture of the organization, its way of working and human factors The regulatory environment and specific compliance requirements The business objectives or strategy Industry or market forces 21 6 PwC

9 86% of respondents from larger organizations have at least some ad hoc GEIT mechanisms in place or higher level of maturity; only 37% of respondents from smaller organizations claim this level of maturity or higher. Company size matters: Perspectives on IT Governance 7

10 Outcomes of GEIT practices Perceptions on the outcomes of GEIT practices are fairly similar for both small and large organizations, with the exception of improved communication and relationships between business and IT, which is more frequently experienced in larger organizations (4% compared to % for small companies); see Figure. In smaller organizations, it may be easier to maintain relationships, which is why this may not be a significant GEIT focus area and therefore, a less frequently experienced outcome. The most frequently experienced outcome in smaller organizations is improved management of IT-related risk and improved IT delivery of business objectives. The challenges of implementing GEIT Since smaller companies operate in less complex environments than larger ones, issues concerning change management (41% for large companies; % for small), communication issues (half of large companies; % for small), and high levels of organizational complexity (41% for large companies; % for small) are relatively easier to manage during governance of enterprise IT implementations (see Figure 12). er companies may face more difficulty demonstrating value and benefits since the case for governance is usually easier to make in the more intricate environments of larger organizations (multiple role players in different business units and/or territories, often with conflicting interests). The top challenge for smaller organizations is trying to do too much. er organizations should ensure that IT governance implementations are viewed and managed as any other initiative, including the development of a business case that defines the envisioned values and benefits, properly scoping the initiatives and ensuring that the benefits are achievable. Figure : Outcomes of GEIT practices Figure 12: Challenges implementing GEIT Improved management of IT-related risk 42 0 Change management 41 Improved return on IT investments Communication issues 0 Lower IT costs 23 Lack of senior management commitment and support Improved transparency of IT and its activities 23 Difficulty demonstrating value and benefits 37 Improved communication and relationships between business and IT 4 Getting required business participation Improved tracking and monitoring of IT performance 21 Ineffective current enterprise governance 14 Improved IT innovation High levels of organization complexity 41 Improved IT delivery of business objectives 37 4 Trying to do too much at once 0 47 Improved business competitiveness 18 8 PwC

11 Outsourcing of IT activities According to the results, smaller organizations indicated they use full outsourcing more frequently, whereas partial outsourcing is more common in larger firms. organizations typically retain some IT services or activities in-house, while smaller organizations may find it easier to fully outsource in their less complex environments (see Figure 13). Infrastructure maintenance, the IT help desk and end user support in particular, are more likely to be fully outsourced by smaller Canadian organizations. Outsourcing is an important focus area in IT governance. Mechanisms such as Vendor Management Offices (VMOs) can add significant value by ensuring the proper oversight over and management of contracts, service level agreements and vendor performance. The top challenge for smaller organizations is trying to do too much when implementing GEIT. Figure 13: Outsourcing of IT activities Infrastructure provisioning Infrastructure maintenance Application development and/or maintenance IT help desk End user support Fully outsourced Partially outsourced Not outsourced Company size matters: Perspectives on IT Governance

12 Current and planned use of cloud computing er Canadian companies are less likely than larger firms to be currently using or planning to use cloud computing. None of the respondents from smaller organizations indicated that they are currently using cloud computing for mission-critical IT services and only 18% are planning to use cloud in the future. In contrast, 13% of larger company respondents are currently using cloud, and % are planning to use it. For non-mission critical IT services, only % of small companies are currently using cloud computing with a further 18% planning to use cloud computing, compared to large companies with 20% currently using and 47% planning to use (see Figure 14). Forty-five percent of small company respondents indicated that they are not planning to use cloud computing for nonmission critical IT services. Respondents from both small and large organizations who are not planning to use cloud computing, listed data privacy and security as their main concerns. The adoption of cloud is a complex decision where governance is critical. Governance can be an enabler for cloud computing adoption by ensuring that the right stakeholders are involved in addressing concerns around security and data privacy. Figure 14: Current and planned use of cloud computing For mission-critical IT services For non-mission critical IT services Currently using Not planning to use Planning to use 10 PwC

13 Initiatives implemented in response to the economic downturn Figure 1: Initiatives implemented in response to the economic downturn Respondents from larger Canadian organizations mentioned the reduction of staff numbers (both permanent and contract) as a response to the economic downturn more frequently than smaller Canadian companies. The use of contract employees is likely lower in smaller firms as the organization is often much leaner, providing less opportunity for reducing staff numbers. Infrastructure consolidation, a reduction in application licenses and the centralization of IT procurement were also more likely in larger than smaller organizations (see Figure 1). er organizations were more likely to implement stricter investment evaluation mechanisms and were also more likely to invest in technologies that can reduce process or business cost. Investment evaluation is a key IT decision-making area and reinforces the need for optimal governance mechanisms. Reduced permanent staff numbers Reduced contractor staff numbers Consolidated sites/ data centres Consolidated infrastructure (servers, networks, etc.) Reduced application licenses Consolidated the application portfolio Optimized the project portfolio Implemented stricter investment evaluation measures Centralized IT procurement Only % of small organizations implemented centralized IT procurement in response to the economic downturn, compared to % of large organizations. Redefined service level agreements (SLAs) with external service providers Redefined service level agreements (SLAs) with the business to better manage demand Invested in technologies that can reduce process or business cost Changed sourcing arrangements 14 Changed approach to governance of IT 18 None of the above Don t know Company size matters: Perspectives on IT Governance

14 Mechanisms to promote IT innovation IT respondents IT respondents from smaller Canadian organizations indicated the assignment of responsibilities for monitoring emerging technologies far less often than their counterparts from larger organizations (only % for small compared to 47% for large). There may be a less significant focus on emerging technologies in smaller organizations since they are sometimes later adopters once technologies have further matured. They are also less likely to have special investment appraisal mechanisms (% for small companies compared to 20% for large). See Figure. er organizations are more likely to allocate time for employees to spend working on experiments or trying out new ideas as a mechanism to promote IT innovation. This may be easier to implement in the less structured HR environments of smaller versus larger organizations. Figure : Mechanisms to promote IT innovation Training for IT managers to better understand how IT innovations can create business opportunities Assigned responsibilities for monitoring emerging technologies and their potential business application Special investment appraisal and funding mechanism to perform pilots with emerging technologies Allocation of time to spend working on experiments or trying out ideas Collaborative programmes where IT and business staff can work together on innovation IT innovation is an area with the potential of significant value-add to the business. er organizations need to ensure that they have the right evaluation and selection mechanisms in place to ensure there is an optimal balance between innovation and operational activities and initiatives. Other Don t know Views on employee use of social networking Respondents from smaller firms are more risk averse than those from larger organizations regarding employees using social networking. For the most part, they considered social networking risky with only % of respondents from small companies agreeing that the benefits of employees using social networking outweigh the risks, as opposed to 8% of small companies agreeing that the risks of employee use of social networking outweigh the benefits (see Figure 17). It is likely that small firms will have a lower risk appetite to other emerging technologies as well. GEIT mechanisms can ensure a greater level of communication and education about emerging technologies so that a balanced view of risks and benefits can be taken. None of the above 7 Figure 17: Views on employee use of social networking The benefits of employees using social networking outweigh risks The risks of employees using social networking outweigh the benefits The risks and benefits of employees using social networking are appropriately balanced 21 Don t know 12 PwC

15 Key IT governance focus areas for smaller Canadian organizations The survey emphasizes a number of key focus areas for smaller Canadian organizations from an IT governance perspective: The value contribution of IT is perceived lower in smaller organizations than in larger organizations, with IT enabling rapid change as a key area for improvement. This is related to a lower level of maturity in the governance of enterprise architecture in smaller organizations. Specific governance mechanisms, that smaller organizations could consider, include enterprise architecture principles that all IT initiatives need to comply with, defined architecture processes and defined technology standards. The most important initiatives planned by smaller organizations are data or information initiatives, IT cost reduction initiatives, and major systems implementations or upgrades. It is critical to ensure that the right business and IT stakeholders are involved in the decision-making process for these complex initiatives. This can be facilitated through the right set of GEIT mechanisms. The main issues experienced by respondents from smaller organizations in the past 12 months are increasing IT costs, problems implementing new IT systems, as well as IT disaster recovery or business continuity issues. It is interesting to note that while 3% of respondents mentioned increasing IT costs as an issue, it is reported as a driver for GEIT activities by only % of respondents. er organizations need to recognize the role that GEIT mechanisms can play in managing IT costs, such as ensuring that total cost of ownership is considered during investment decisions and driving re-use. Governance mechanisms can ensure that there is an adequate focus on change management, communication and training during major system implementations in smaller organizations. The overall GEIT maturity profile of smaller organizations is much lower than larger ones. er organizations need to ensure that they have the right level of governance in place for their unique environment. They should start by defining key IT decisions and the required involvement of different IT and business stakeholders. The use of full outsourcing is more prevalent in smaller organizations, than in larger ones. GEIT mechanisms such as a vendor management office or function can add significant value by ensuring proper oversight and management of contracts, service level agreements and vendor performance. In response to the economic downturn, smaller organizations were more likely to implement stricter investment evaluation mechanisms and to invest in technologies that can reduce process or business cost. Investment evaluation is a key IT decision-making area that reinforces the need for optimal governance mechanisms. It is critical to ensure that the right business and IT stakeholders are involved in the decision-making process Company size matters: Perspectives on IT Governance 13

16 How PwC can help Organizations looking to improve their governance of enterprise IT should start by defining key IT-related decisions that need to be made. Various domains should be considered such as enterprise architecture, sourcing, emerging technologies, investment evaluation and applications. A decision model should then be formulated that defines which business and IT stakeholders should be involved in each decision and in what way. Stakeholders could include individuals such as the CFO, IT manager, business unit leads, as well as current structures e.g. the executive committee. This will enable the right governance structures to be defined. Outputs may include changes to the mandates or compositions of existing structures or the definition of new required structures, such as a vendor management office or committee. The right governance of IT structures needs to be supported through effective processes, policies, standards and principles. These enablers will guide the execution of decisions made by the structures. Taking a holistic approach to these different enablers and dimensions of GEIT can help smaller organizations achieve the governance objectives of value delivery, risk management and resource optimization. PwC Technology Consulting team At PwC Canada, our dedicated team of Technology Consulting professionals has experience in helping a wide-range of companies develop, implement and manage their technology strategies. Combining deep technical knowledge, with expertise in business transformation, stakeholder engagement, and business strategy, we find the right solutions for all of your business needs. Gert du Preez, Author gert.du.preez@ca.pwc.com Philip Grosch pgrosch@ca.pwc.com Tony Balasubramanian tony.r.balasubramanian@ca.pwc.com Richard Jhang richard.jhang@ca.pwc.com PwC Technology Consulting Services 20 PricewaterhouseCoopers LLP. All rights reserved. In this document, PwC refers to PricewaterhouseCoopers LLP, an Ontario limited liability partnership, which is a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity