Posts Tagged ‘governance’

Risk, control and trust in Enterprise 2.0

Posted in Communicate / Collaborate on September 28th, 2009 by Leanne Fry – Be the first to comment

Risk, control and trust. Add any of these words to a business proposal, as issues to be addressed, and you can guarantee someone is going to be nervous.

Dion Hinchcliffe recently highlighted how these three issues were starting to push their way through the excitement of Enterprise 2.0 to become potential show-stoppers. For many organisations they may be already.

He was responding to blogs by Andrew McAfee and Dennis Howlett on what, precisely, Enterprise 2.0 was trying to solve.

In the context of products, customers, services, processes and governance, those three elements – risk, control and trust – are fundamental to a successful business.

And Enterprise 2.0 proponents should also keep in mind that for certain organisations, the penalties for failing to manage risk, to control what needs to be controlled or for breaching trust are significant and substantial. For some organisations operating in a highly regulated environment, brand or reputation damage from a You Tube video or Facebook group may be just the start of the problem.

Risk, control and trust in business aren’t bad. In fact, when you think about it, they are assumptions that underpin a customer’s willingness to engage with you. speed test website Aren’t they?

As McAfee observes, it is unhelpful and wrong to ‘… portray hierarchy, standardization, and management as enemies of innovation, creativity, and value creation.’ I’ve worked in organisations where a finely tuned balance of all of those elements made for a rich, rewarding and successful business.

As I see it, the challenge for Enterprise 2.0 is that the way it achieves things – the process, the interaction, the players and the speed – is so different to an organisation’s current risk/control/trust paradigm. And that happens at both the corporate level, where Ent 2.0 slams up against process, sign-off, hierarchy, and regulation, and at the personal level, where workers function every day using control, knowledge, and well trodden paths of interaction.

There are now numerous examples of Enterprise 2.0 tools facilitating the core business of an organisation, and McAfee lists many in his post.

So the objectives, and rationale, and expected outcomes must be clearly defined, at both corporate and personal levels. And all the enablers (people, process, culture, organisational) must be understood and either in place, or able to be dealt with. Which probably means that Enterprise 2.0 initiatives in many organisations should start as discrete, self contained, well thought out pieces of work. The degree of change required to fully leverage them is broad, and touches on so many important aspects of an organisation. Given the ROI of Enterprise 2.0 could be argued as in its infancy, for many organisations the risks will continue to outweigh the benefits.

Post-GFC: project failure leads directly to bankruptcy

Posted in Governing Programmes and Projects, Practice Areas on August 17th, 2009 by Raymond Young – Be the first to comment

Here’s a situation that may be playing out in companies globally:

A company is on the verge of bankruptcy. It has been particularly hard hit by the global financial crisis and is losing several million dollars a month. It desperately needs to reduce costs and their accounts are not up to the intense scrutiny. A number of key initiatives are being undertaken and the auditor has added the requirement to consolidate the accounting systems. The board has no choice but to agree, but there couldn’t be a worse time to do a new IT project. The chairman has overseen a number of IT projects and “not one of them has succeeded”.

IT said that the systems can be integrated in two months so the edict from on high is that it has to be done before Christmas. The new boss is claiming not to be on top of the detail and plans to delegate responsibility for the accounting system project to a manager. The manager understands the business processes but hasn’t been involved in the decision.

It wasn’t so long ago that the press was reporting on a similar IT project that failed just before Christmas.  I helped Standards Australia produce a handbook for boards and top managers of lessons learned from a whole range of similar disasters (HB280-2006).  In the case above, not one of the guidelines is being followed. It seems no one ever learns. The price this time will be jobs, followed soon after by bankruptcy.

For many, the GFC has all but removed any margin for error. Will boards also pay the price? The precedent was set in 2006 when the CFO, CEO and chair of the audit committee resigned from Australian Pharmaceutical industries following an IT project failure.

Where are the auditors?

My friendly advice in such cases is often rejected with the put down “have you ever implemented XYZ system?” There is little understanding that the real issues actually relate to governance. People fall into the trap of thinking they are IT projects, deferring to the vendor and assuming the business benefits will flow automatically from implementing a system. Fifty years of experience proves it doesn’t.

Perhaps we in the profession need to do more. It is disturbing that I often hear that auditors are not suggesting clients follow the 2006 guidelines in HB280 nor the related Standard on the corporate governance of projects (AS8016 forthcoming).

In the building industry, clients are not expected to know whether concrete has been poured correctly or the steel is of the right thickness. We have building inspectors to certify minimum standards have been met. It is completely dysfunctional to defer to vendors just because it is an IT project! Why aren’t our auditors providing ‘project inspectors’. It is not part of the formal auditor training, but it is common practice for audit firms to subcontract specialists when they don’t have the expertise. I’m arranging to provide these services for a mid-tier firm as I write, so clearly it can be done. Why is this not a common service?

Where were the directors?

Perhaps the most disturbing thing of all is that boards know projects have a high failure rate [i]. Why do they and senior management expect a different result when they continue to follow the same process? Governing projects is not rocket science. There are only six basic issues that have to be addressed:

  1. Make sure you know what success looks like (IT is generally only an enabler, it is rarely the real objective).
  2. Make sure you know what has to change for the benefits to be realised.
  3. Make sure you appoint a sponsor who is personally motivated to make the changes happen, and make them accountable for the benefits.
  4. Make sure you have a way to measure if the benefits have been realised (Do not use on-time on-budget. This is desirable but not the ultimate objective).
  5. Make sure you listen. Establish the right culture so that bad news is not filtered out.
  6. Make sure you monitor and intercede as necessary (Something always goes wrong and there are times decisions can only be made at the board and top management level. Political considerations cannot override the need to have the right person accountable. When the consequences include bankruptcy, we all lose).

This advice is usually enough for most people, but there are times more detailed help might be required. We have developed 6Q Governance™ to be the project inspector’s toolkit and when appropriate, we can work with you to transfer our skills.

[i] R.C. Young and E. Jordan, “Lifting the Game: Board views on e-commerce risk,” in IFIP TG8.6 the adoption and diffusion of IT in an environment of critical change, (Sydney: Pearson Publishing Service, 2002), pp. 102-113

Impact of the financial crisis on governance

Posted in Governing Programmes and Projects on July 27th, 2009 by Raymond Young – Be the first to comment

The financial crisis has regulators, governments, and the media focused on economic stimulus. However tough questions will soon be asked about what went wrong. Ineffective governance will be one of the first targets, and it won’t be just the financial sector that faces increased scrutiny[1].

Few doubt that effective governance has value, but to paraphrase Warren Buffet “the tide has gone out, and Sarbanes-Oxley for example, looks like it was swimming naked”. Investor confidence has not increased, management accountability is being called into question and the tens of billions spent by boards for compliance has not stopped or prevented the crisis.

RY picFor years, as an academic and as director, I along with many others have been pointing out the flaws of governance only for the sake of compliance.  Most governance prescriptions are a response to corporate excesses and enacted to reassure the public and few prescriptions actually improve performance or reduce risk[2].

Now the tide is out, higher levels of scrutiny must be expected. What will it expose? I believe the corporate governance of major projects will stand out as one of the highest priorities for attention.

Management of large-scale expenditures is a fiduciary duty requiring careful oversight. However a Deloitte survey of boardroom directors revealed oversight of IT projects was either “blind” (29% with inadequate information) or non-existent (16%)[3]. They warned in 2007 that the results were “tantamount to negligence” and the AICD have long reported statistics suggesting the problem is more widespread[4] (Figure 1). My own research suggests that as many as two out of three projects fail to deliver the expected benefits[5]. Increased scrutiny could reveal the real failure rate. However what might be worse in the current financial environment is to have two out of three strategic initiatives fail to increase revenue, enhance customer service or reduce cost and threaten survival.

To survive, thrive and also to minimise the governance backlash, the first step must be to get the right information needed to govern effectively. The board bears the responsibility to set clear guidelines and expectations about the kinds of information they want to see filter up. What benefits are being targeted? [how is this consistent with our strategic priorities?] Do we have the organisational capacity to realise these benefits and what other risks are involved? How will we measure success? Do we have the right person driving the change? Are there any warning signs that the project is going off track? Are the benefits being realised? These questions seem simple but none of the directors I have spoken to had an effective process to terminate failing projects. Benefits are usually quantified (66%), but they are often overstated (27%)[6], change is not always considered (40%)[7], individuals are not held accountable (5-23%) and few organisations track benefits through to realisation (10%)[8]. Organisations do not focus on the true determinants of success.

In the absence of guidance, management has turned to so-called ‘best practice’ and focused on efficiency measures such as on-time and on-budget. Unfortunately on-time on-budget reporting was never the most appropriate focus for governance. It is certainly not enough in this new world. Only effectiveness will count because average or below-average performance will not guarantee survival. Above-average performance gained through acceptable levels of risk is the true objective of governance[9], the standard to which the board must aspire and the standard to which management must be accountable. Governance effort for compliance only, even if it is with a so-called ‘best practice’ framework, is a governance luxury we can no longer afford.

[1] 2009 Corporate Governance Conference: New Risk, Accountability and Leadership Challenges. Toronto 6- 7 May
[2] See related article providing A brief history of corporate governance 15 July 2009
[3] What the Board Needs to Know About IT: Phase II Findings (Deloitte, 2007),,1002,sid=36692&cid=151800,00.html
[4] D. Lovalla and D. Kahneman, “Delusions of success: how optimism undermines executive’s decisions, Harvard Business Review,” Harvard Business Review July (2003): 58
[5] R. Young, “What is the ROI for IT Project Governance? Establishing a benchmark.,” in 2006 IT Governance International Conference (Auckland, New Zealand, 2006)
[6] Chad Lin, Graham Pervan, and Donald McDermid, “IS/IT investment evaluation and benefits realization issues in Australia,” Journal of Research and Practice in Information Technology 37, no. 3 (2005): 235-251
[7] KPMG, “Global IT Project Management Survey: How committed are you?,” 2005,
[8] John Thorp, “Unlocking Value – Delivering on the Promise of Information Technology,” in Delivering Value, 2008,
[9] F.G. Hilmer, Strictly Boardroom: improving governance to enhance company performance (Melbourne: The Business Library, 1993)

Preparing directors for the governance backlash

Posted in Governing Programmes and Projects on July 23rd, 2009 by Raymond Young – Be the first to comment

Executive Summary

  • Following the GFC – governance practices will almost certainly be questioned
  • New governance requirements are likely to be introduced
    • Historically new requirements are introduced reactively
    • There is a risk new requirements will not add value
  • We should anticipate these developments
    • It takes longer for management to respond than for the board to ask
    • We should identify the key areas that need to be governed
    • We should check we have effective systems to monitor the key areas, and introduce new mechanisms where necessary
    • Governing major projects is one area worthy of attention
    • New Standards AS8016, HB280 have much to offer.

A backlash against lax governance

The Global Financial Crisis (GFC) will inevitably lead to higher levels of scrutiny. It is likely to expose the high rate of failure of large investment projects. The Australian Institute of Company Directors highlight the problem in a number of modules in their highly regarded Company Director Course:

  • ¾ of mergers and acquisitions never pay off
  • most large capital projects fail to live up to expectations
  • majority of efforts to enter new markets are abandoned in a few years
  • 70% of new manufacturing plants are closed in their first decade

Leading audit firms have commented that management of such large-scale expenditures is a fiduciary duty and imply that current practice, with IT projects in particular, is “tantamount to negligence” [i]. Until now this matter has not received much attention and boards have not been held accountable. The backlash following the GFC is already being felt and the lax levels of supervision are unlikely to be tolerated in the future.

Boards and their advisors are strongly encouraged to implement regimes that will increase the success rates of their investments. The six questions from Standards Australia’s handbook on the corporate governance of projects [ii] is a framework that would make a difference. In the presentation below, some of our early work is presented to suggest how the questions could be implemented in practice.

A version of this article was originally prepared for submission to the Australian Company Director Magazine. The key points were also presented at an ISACA Summit held in Sydney on 31 March 2009.

[i] Deloitte, What the Board Needs to Know About IT: Phase II Findings: Maximizing performance through IT strategy (Deloitte LLP,  2007)

[ii] Standards Australia, HB280 How Boards and Senior Management Have Governed ICT Projects to Succeed (or Fail) (Sydney: Standards Australia,  2006)