7 Principles for IT Excellence and Governance


The CIO’s balanced scorecard helps corporate boards monitor and assess IT’s performance.

By Len De Villiers, Group Chief Information Officer, Telkom South Africa

We’re all aware that information technology is central to a company’s success. No longer merely an enabler of business, IT is integral to corporate strategy – especially as most enterprises become digital enterprises.

Given this, it shouldn’t come as a surprise – though it undoubtedly will to some – that here in South Africa the IT function is today the most audited component of the business. Just as publicly traded companies are required to audit their financial accounts, the boards of companies listed on the Johannesburg Stock Exchange are required to monitor and assess IT’s performance in areas ranging from network security to capital investments.

This means that CIOs must justify their activity and performance to the board. But board members, although they increasingly understand the crucial role that IT plays in corporate success and failure, usually aren’t nearly as IT-savvy as they are financially astute.

So I have devised a tool to help boards understand where IT is meeting strategic expectations and where it isn’t. Such a tool, tailored to a particular company’s situation or business environment, may prove useful to CIOs in other countries – even though they might not face the scrutiny from regulators that IT does in South Africa.

A New Burden for Boards

The third report of the King Committee on Corporate Governance, issued in 2009 (following earlier reports issued in 1994 and 2002) and known as King III, described the changing role that IT plays in business. E-commerce, electronic communication, the automation of many operational tasks – these and many other developments had made businesses heavily reliant on information systems while creating new kinds of risks. And whereas information systems once were business enablers, they now were central to business strategy. This “pervasiveness of IT in business today mandates the governance of IT as a corporate imperative,” the report said.

Corporate boards were charged with overseeing a number of specific areas of IT responsibility and following a set of principles when making decisions about IT. This put a heavy new burden on board members. The world of technology is a fast-moving environment. It’s difficult for even the most tech-minded of us to stay abreast of it all, and most board members are not well versed in technology.

I wanted some way to help boards fulfill their responsibility. The result was a balanced scorecard that the board could review at every one of their quarterly meetings. The balanced scorecard, which originated as a performance measurement framework that added strategic non-financial performance measures to traditional financial metrics, has become a widely used tool for providing a concise snapshot of how certain activities are furthering an organization’s strategic agenda.

With a scorecard devised specifically to meet the requirements of the King III code of governance, we can quickly and clearly show the board how we’re doing – good, bad, or indifferent – against the seven key issues they are charged with tracking. When they see a green, they know we are doing well and they can move on. An amber indicates that things are not in good shape, but there are plans to address the issue and bring it back in line. When it’s red, they know we’re off track and they need to pay attention to the problem. (See the sidebar “A Balanced Scorecard for IT.”)

Seven Principles of IT Excellence

We take what we’re doing in IT and fit those activities into the seven principles of good IT performance outlined in the code:

 • Board oversight
 • Performance and sustainability
 • IT governance framework
 • IT investments
 • Risk management
 • Information security
 • Governance structure

(See the sidebar “South Africa’s IT Governance Principles.”)

For performance and sustainability, for example, we created a matrix that outlines the performance of the strategic systems integral to our operations. If there are major outages, we indicate what the root causes were and what plans we’ve introduced to prevent recurrence. In terms of sustainability, we let the board know, for example, which systems may be decommissioned and which are going to be replaced by new technology.

Information security garners the most attention from the board these days, given the high-profile cyber-attacks that have made headlines in recent years. We give our board members assurance that the information assets of the firm are securely protected through authentication, firewalls, active monitoring of access, and the like. They want to know that our data assets are as locked down as they can be.

Other CIOs have taken their own approach to explaining IT’s performance to the board, but I find the balanced scorecard works best. Board members don’t want a big report to read. They’re busy people. They have much more to worry about than IT. They like a flash of light on what’s really important. We need to be circumspect about what we give them. This way they can see all the statuses on two pages and move on.

Of course, IT is more than the sum of its metrics. So we supplement the balanced scorecard with an outline detailing the overall performance of the technology function—including the softer side of what makes IT really work. We inform them about the more nuanced dynamics critical to successful IT delivery: how we’re doing managing our people, for example. How many people have we lost? How many new employees have we recruited? How is IT morale?

A board is usually driven by metrics like return on equity, profits, revenue targets, earnings before interest, taxes, depreciation, and amortization. But they also realize that the culture of a firm is the underlying success factor in delivering effectively against those key performance indicators. So we let them know what we’re doing to motivate our workforce or improve our Net Promoter Score.

Seeing Red

As board members review the scorecard, they discard all the green. They simply don’t have time to waste reviewing those things that are going well. They give their attention to the red statuses first and ask the CEO—whom I brief—why something is red and what the prognosis is for getting it to green.

For example, one of our biggest programs is a ZAR 12 billion (US $830 million) next-generation network project that we are implementing over a five-year period. It’s the most capital-intensive project we’ve embarked upon and will bring fiber connectivity to every home and business in the country. It involves significant coordination among 25 project managers. And if any project stream is off track, it shows up as amber on the balanced scorecard. If we miss a target date, it’s red. If the board asks why, for example, we are delaying the rollout into the eastern Cape region, we can go in and explain why.

Nowhere to Hide

The balanced scorecard has been well received by our board of directors and corporate leadership. It gives board members transparency into what IT is doing, and that gives them a sense of assurance in meeting their fiduciary responsibilities. In some cases, a board member may ask me to come explain things to him individually and in private so that he can be best equipped to make decisions and ask questions during the board meeting. In addition to the openness, they appreciate the brevity, simplicity, and ease of use. At the same time, it is meaningful information.

But behind that simplicity is massive complexity. It’s difficult to build and track and report all the data necessary to deliver a concise and digestible scorecard. It’s not easy to populate. You have to make sure you’re tracking the right things. That doesn’t come overnight. We worked over many months to develop our own system for producing the report. There’s a whole machine and system behind the matrix to gather data, monitor system performance, review incidents, and scrutinize projects.

You must resist the urge to boil the ocean on these issues and instead get straight to the point. Why is this project in trouble? How will it be resolved? I always tell my fellow CIOs that board members don’t care about the labor pains, they just want to see the baby. You should be able to cover everything in 15 minutes—what the issues are, what commitments you are making to resolve them, and when you will report back to the board on your progress.

Once you have a prototype scorecard in place, it’s important to take it to the CEO and ultimately the board and have them review it. You need a good relationship with the board members and corporate leaders for this to work. You must sell the concept to them. It’s critical to talk to them about it privately and see if it resonates. That buy-in is critical. Here, we went to the audit and risk committee of the board to give us initial guidance. A standard approach won’t work for every firm. You have to customize it to your culture, run a few pilots, and continue to refine it over time. Some of our metrics are solidly in place, while others are evolving. As each board meeting comes and goes, the process gets better and better.

The key selling point of the balanced scorecard system—its transparency—means that IT has nowhere to hide anymore. That’s clearly a benefit for the board, but it can be difficult for the IT group.

Consequently, I make sure that we, as an executive team, do make time to celebrate the successes. That’s critical in motivating my team to continue delivering a steady stream of greens on the red-amber-green color spectrum of this transparent performance scorecard.

South Africa’s IT Governance Principles

The following principles are laid out in Chapter 5 of “King III,” the third installment of the King Report on Corporate Governance, which was issued in 2009 and applies to all companies listed on the Johannesburg Stock Exchange:

5.1 The board should be responsible for information technology (IT) governance

5.2 IT should be aligned with the performance and sustainability objectives of the company

5.3 The board should delegate to management the responsibility for the implementation of an IT governance framework

5.4 The board should monitor and evaluate significant IT investments and expenditure

5.5 IT should form an integral part of the company’s risk management

5.6 The board should ensure that information assets are managed effectively

5.7 A risk committee and audit committee should assist the board in carrying out its IT responsibilities

A Balanced Scorecard for IT


The Takeaways 

In South Africa, regulations for publicly traded companies mandate that the Board of Directors is responsible for oversight of the IT function, given its importance to the business. Consequently, IT generally has become the most audited business function, subjecting it to formal scrutiny not commonly found elsewhere.

A balanced scorecard, prepared by the CIO and using the red-amber-green mechanism, can help boards monitor and assess IT’s performance in areas ranging from network security to capital investments.

The balanced scorecard tool, tailored to a particular company’s situation or business environment, may prove useful to CIOs in other countries, even if they don’t face the scrutiny from regulators that IT does in South Africa.