How to Weigh IT Investment Decisions

Dan Swanson | February 3, 2009

Corporate management has always been told to invest wisely in IT. The board has always been told to ensure management invests wisely in IT. It’s a truism everyone states all the time.

Too frequently, however, IT investment decisions by management and the board have relied on, and even deferred to, managers of the IT function. That results in what I call the Black Hole approach to IT investment: Throw enough money into technology, and we’ll get something of value in the end.

Corporations can, and must, do better than that. IT is now central to every core business process, and core business processes are central to sound governance. Can more formal, cohesive decisions about IT investment therefore improve your corporate governance? I think so—but those decisions must be directed by the business managers, not the technology managers. The board and executive management must also constantly monitor the company’s significant IT expenditures and participate in all major IT investment decisions.

For years business has encouraged IT to focus on delivering business priorities. At the same time, IT has tried to be an integral part of business planning and align IT efforts and investments with business priorities. At the end of the day, effective IT investment really does require the ongoing and engaged involvement of all key participants. Decisions regarding IT investment in your compliance and other governance initiatives should be driven by management and the board; IT managers should only be providing advice and counsel.

Where does one start? The company’s strategic planning effort should be the first place to look; that is, the board and senior management need to define their strategic direction, key priorities, objectives, and draw up a “roadmap” to get there. After all, if the company hasn’t defined where it wants to go, all the IT investment in the world won’t help it get there.

Apply that same discipline when contemplating governance and compliance. What goals does the business want to achieve? How can IT help it meet them? Answer those questions, and then start mapping out your various compliance and governance efforts and the core IT needs; that is your blueprint to guide your IT investment decisions.

The IT Department’s Role

IT planning efforts must be integrated with a company’s business plans. And since business plans change and priorities evolve, the IT function needs an investment management process so it can continually refine its own priorities as the overall business priorities evolve. IT also needs to acquaint the business with what is currently possible, and at what price. IT needs to explain the consequences and opportunities the business direction imposes on technology.

If not actively involved in the strategic planning processes, IT management at a minimum needs to understand the company’s strategic directions and plans in detail. Simply reading strategy papers will not suffice, since important elements of business strategy often aren’t written down. Think about who really develops strategy at the company, and cultivate a conversation with those people. Engaging with the company’s strategic development and investment management processes is one of the most important roles of the CIO and other senior IT executives.

Particularly for compliance and governance efforts, IT needs to be aware of best practices in the industry—a topic most IT managers don’t know all that well, frankly—and bring forward innovative solutions to tackle problems such as increased regulatory reporting requirements, endless refinements to the compliance and ethics program’s information needs, and so on.

Finally, by matching IT investment decisions to the company’s long-term business plans, IT can go beyond the chronic problem of having too few resources for the current budget cycle. With a longer perspective in mind, the inevitable tactical quick-fix imperatives can be balanced against genuine strategic IT initiatives. Prioritizing and coordinating IT investments needs this broader view. IT also needs to deliver its own assessments of opportunities and threats and work with the company on how to mitigate them (or take advantage of them).

Key takeaways:

  • The CIO and other senior IT executives should actively participate in the organization’s business planning.

  • The organization’s leadership should be involved in IT strategic planning and investment management activities.

  • The board should ask management to describe how business planning and IT planning are being integrated and encourage frequent and ongoing dialogue between board members, the management team, and IT leadership.

The Internal Auditor’s Role

Although achieving and maintaining IT-business alignment is really a management issue, the internal audit department can help. Internal audit evaluation of an organization’s strategic planning efforts, including how IT supports the business priorities, can provide valuable feedback to the board and senior management.

An audit of IT investment processes should determine whether:

  • significant business priorities are appropriately identified and assessed on an ongoing basis;

  • changes to those priorities are monitored;

  • significant investment management controls are operating effectively and consistently;

  • risk-management techniques are in place and effective;

  • management and staff have the processes in place to recognize and respond to new business opportunities as they arise; and

  • IT-related investments are effectively and efficiently managed.

There are two distinct elements to most audits of IT investment management. First, the auditor evaluates the specification, design, and implementation of the IT investment management processes. Then the auditor examines how the IT investment management processes actually operate, including an assessment of the business priorities currently being addressed.

And how would this improve IT investments in compliance and governance? By helping to ensure the organization is defining its business priorities and has an investment process that aligns IT expenditures to those priorities.

Four Critical Issues to Evaluate

Does management have a strategic IT plan in place that is updated regularly and supports the annual plans, budgets, and prioritization of the various IT efforts?

Ideally, an IT strategic plan would be developed and approved by the board, although the IT planning document may take many forms. It could be a separate IT plan, something combined with the organization’s overall business plan, or a series of business case submissions over time.

An overall strategic planning process regarding IT investment and IT spending prioritization should exist. Always remember that business planning should drive the IT priorities and IT investment decisions; that’s critical. Successful projects happen when business management retains control of the initiative and sets clear and balanced business requirements.

What level of investment in IT (and IT security) has occurred in the past two to three years? What is planned for the coming two to three years? Is there a reasonable level of expenditure, compared to the overall operating and capital budgets?

While no specific level of investment in IT can be labeled “appropriate,” management should be able to explain the reasonableness of the IT and IT security expenditures in relation to the overall capital and operating budgets. The IT expenditure trend should be in line with the business and IT plans. A key board concern is always whether the company is spending too much or too little on IT and IT security.

Have the roles and responsibilities for IT management and for oversight of IT investment been defined and assigned within the company?

The responsibilities for the various IT activities within the organization related to IT management and IT investment should be defined and assigned to specific personnel. There should be a logical allocation of IT responsibilities within the organization.

Does management monitor IT’s performance, as well as IT’s capability to continue providing the services the company relies on?

What are the major issues reported to senior management regarding IT and IT security? Is there a healthy debate at the board level regarding concerns raised by management or the board? If not, what could be done to improve the situation? This question also explores the operational monitoring that is performed by management regarding IT operations—and whether IT is outsourced or managed internally, it should be occurring.

Practices That Support Alignment

Key management practices driving more effective alignment, and consequently improving IT investment results, have been identified by the IT Process Institute. They include:

  1. Identify opportunities to use emerging technology to meet business objectives.

  2. Have an effective process and methodology for justifying and prioritizing IT investment decisions.

  3. Develop and enforce enterprise infrastructure standards.

  4. Have a project management office function to provide oversight of business-prioritized IT projects.

  5. Have a formal periodic process for the IT department to identify what is needed by the business.

Oversight of IT investment must be integrated into a company’s ongoing strategic planning effort, to ensure IT efforts consistently contribute to the organization’s priorities. Executive management should revisit how it defines IT investment priorities, and the board should encourage a review of current practices to identify key improvement priorities.

With limited dollars available, investments in IT for compliance and governance improvement must be balanced with other competing priorities; involving all key stakeholders in that reconciliation will help move the organization forward. There should also be an organizational culture that encourages IT and the business to work together continually.