CHAPTER 3: STRATEGY: THE SEARCH FOR COMPETITIVE ADVANTAGE – IT Governance: Implementing Frameworks and Standards for the Corporate Governance of IT


IT is neither low-cost nor low-impact. It is investment-intensive. Innovation in the IT sector is common; speed of innovation and deployment can be critical in developing and maintaining competitive advantage. An organisation must respond proactively to change within its market or see its competitive position eroded and ultimately destroyed. Schumpeter called this process ‘Creative Destruction’:

[The] process of Creative Destruction is the essential fact about capitalism…every business strategy acquires its true significance only against the background of that process and with the situation created by it. It must be seen in its role in the perennial gale of creative destruction; it cannot be understood irrespective of it or, in fact, on the hypothesis that there is a perennial lull…24

IT on its own and of itself is not, however, necessarily a source of competitive advantage. It may be used as such, but in many situations, IT is already commoditised and organisations have to ensure that their systems and processes are as good as (or no worse than) those of their competitors, in order to ensure they do not fall behind in key performance areas.

24 Joseph A. Schumpeter, Capitalism, Socialism and Democracy (Harper, 1975), pp. 82–85; organisations are seeing a resurgence in this ‘creative destruction’ as the global economy tries to recover from the pre-2008 asset-inflation bubble.

IT makes revolutionary business models25 possible and dramatically transforms the business environment. The challenge of online security slows but does not halt the development of online banking, financial and other e-commerce applications.

The Internet enables small businesses everywhere to compete with larger ones, on a global basis. Digital communication speeds up many aspects of business, including outsourcing, customer awareness and reputation destruction. Green IT, Web 2.0, Software as a Service (SaaS), Cloud Computing, Instant messaging, Voice over IP (VoIP), spyware and sequential auto-responders are technologies as transforming (and disruptive) as Customer Relationship Management (CRM), Human Resource Management (HRM) and Enterprise Resource Planning (ERP) systems were in their day. Of course, the Internet (or Web 2.0) does not replace the need for a real business strategy, or for generating a proper economic return for shareholders; it just transforms the environment within which the board has to create and execute strategy.

It is critical to the survival and ultimate success of their organisations that boards of directors and senior managements put themselves into a position from which they can assess the potential impact on their businesses of emerging and potentially disruptive technologies; they must also themselves be able to understand and oversee in an effective manner the technology initiatives underway in their own organisations. More than this, boards must be able to ensure that the technology initiatives within their own organisations are driven by the requirements of business strategy, not the other way round.

25 The term ‘business model’ ‘…seems to refer to a loose conception of how a company does business and generates revenue. Yet simply having a business model is an exceedingly low bar to set for building a company. Generating revenue is a far cry from creating economic value, and no business model can be evaluated independently of industry structure. The business model approach to management becomes an invitation for faulty thinking and self-delusion’. Michael E. Porter, ‘Strategy and the Internet’ in Harvard Business Review, March 2001.

Development of IT strategy

The board has a key role to play in the development of IT strategy and, by extension, this role plays out in the board’s involvement in project governance.

As Figure 1 shows, business strategy should drive information strategy; the information required by the organisation should determine the information systems—that is, the applications that will collect, manipulate, store and deliver the information—and these applications should be selected so that application and business process are aligned. The needs of the IS strategy should determine the technology strategy; the technology that is deployed should be what is most suitable for the application and information requirements of the organisation. Of course, there are critical feedback loops: in determining the business strategy, the board needs to be aware of what sort of information can be collected, what sort of applications might be available, and the infrastructure implications of these applications.

Figure 1: Development of IT strategy

Business, information and IT strategies

Successful enterprises set their business objectives in the light of the competitive strategy that they have evolved to take advantage of opportunities—or to defend a position—within their specific industry. While the business strategy ought to take into account the organisation’s own competences, strengths and weaknesses (relative to those of its competitors), as well as the assets (including intellectual and physical assets) that it can deploy to achieve those goals, it will also generate a requirement for the acquisition or manipulation of specific information—starting with product, market, customer and competitor information—and processes for using that information effectively.

It will also identify the need for specific organisational or business changes to improve the organisation’s position regarding its competitors, both those of today and those of tomorrow. The business strategy has measurable goals and investment will be planned to enable the delivery of those goals.

Information strategy

The development of the organisation’s information strategy is driven by the business strategy. It is likely that the core of the information strategy will be developed in tandem with the business strategy, because the interrelationship is so close. Creation and completion of a useful intellectual asset register should be a fundamental part of developing a business strategy that seeks to exploit those assets. Of course, once you have such a register, you know what you have to protect and, if you have assigned values to your assets, you know the maximum (less than the replacement value of the asset) you should allow to be spent on that protection.

There is more to an information strategy than simply identifying which information assets to exploit and how to exploit them. Equally important is the identification of the information that will be required to support the organisation in its progress toward its strategic goals. This information ranges from customer and market data through product, financial, human resource, logistic, production and other data, all of which has to be acquired, secured, made available, manipulated and stored. The usual way of determining how information should be managed is to design business processes. Initially high-level, these then have to be translated into detailed, usable tools and procedures.

In most organisations, processes are functionally confined. In other words, there are sales processes, marketing processes, finance processes, HR processes and many others. These processes are traditionally supported by standalone systems, such as customer relationship management (CRM), that work well within the single, vertical information silo, but which do not necessarily work well across the organisation as a whole. One objective of an information strategy might be to break down that vertical separation in order to create integrated cross-functional processes that will speed up data handling while reducing the total processing cost.

The information strategy should, therefore, set out the organisation’s objectives for its use of information (for example, a real-time, organisation-wide view of customer data, and end-of-day product- and store-level performance information, or automated just-in-time inventory) to support its business strategy, and should contain a high-level view of the business processes that should deliver those objectives.

IS strategy

The IS strategy is derived from the organisation’s information strategy, contains the application strategy, and enables the architecture and infrastructure strategies to be developed. The order of derivation is critical, particularly in existing business environments: it is important to be clear about where you need to go, rather than simply accepting that you are where you are.

The IS strategy will contain high-level views of the processes that the organisation intends to deploy; it is important that these views are platform-independent, and developed without influence from existing application concepts. In other words, neither CRM nor ERP (nor any other application) should be considered as a possible solution until the actual business information and process needs have been objectively defined.

For instance, a business strategy based on differentiation through a very high level of customer care might generate an information strategy requirement for business processes that are designed from the customer back into the organisation, with the objective that it should be possible for anyone in the organisation (from sales through accounts to despatch and logistics) to view information about any customer’s transaction through a single user interface (such as a browser) in real time. Out of such an information strategy requirement fall the parameters for the application strategy.

Application strategy

The application strategy’s objective is to deliver the requirements of the information strategy and their business processes. The application strategy could reflect an IT implementation principle such as ‘use out of the box software; amend processes rather than the software’. While there are many applications available on the market, the organisation needs to set its selection criteria before it examines any of the options. Amongst the criteria should be:

• Alignment with the information strategy requirements—identify which applications come closest, out of the box, to delivering the organisation’s information requirements.

• Total cost of ownership (TCO)—the total annual direct (budgeted) and indirect (unbudgeted) cost of acquiring, deploying and owning the software, including the costs of maintenance, upgrades, user training, administration, etc. Products with low initial purchase prices might have significantly higher TCOs.

• Security and compliance—the application must meet the organisation’s security and compliance criteria.

• Scalability—the application should have the capacity to support fluctuating numbers of users and evolving user requirements if the organisation’s agility is not to be restricted.

• Future-proofing—the application needs to have a reasonable prospect of still being in working shape, and usable by the organisation, at a definable point in the future. This definable point determines the end-point for calculating the Return on Investment (ROI) for the application.

Actual failures of application strategy show up in benchmarking results26:

• Organisations use less than 50% of the application software for which they are paying licence fees.

• More than half the software actually used within a standard application is custom software, written by insiders or consultants.

• Interfaces between vendor code and insider custom code show major internal control exposures.

• Maintenance costs of the custom code are usually out of proportion to its value to the organisation.

• The CEO and CFO didn’t know they had a problem.

26 See, for example, West Trax Applications, ‘ERP benchmarking results, 2003–2005’ reported in Insight (the CIMA newsletter), April 2005.

IT strategy

In many organisations, the relationship between IT and the business is totally dislocated; it is even more often the case that the IT infrastructure does not support the concept of an ‘agile’ organisation. Proliferation of technologies and information silos, increasing complexity, and rising costs are common characteristics of many IT infrastructures. Techno-babble and business-unit cynicism about the effectiveness of IT go hand in hand.

Enterprise IT architecture is a simple concept that can bring light into this darkness. It is fundamental to the IT strategy and is a cornerstone of an IT governance framework, but not a substitute for such a framework. Enterprise IT architecture can be defined as a set of organising principles that determine the way in which the organisation’s information and communications technology will interact with its operating systems, applications and data. Enterprise architecture is sufficiently important for it to be subject to an enterprise architecture committee; the role of this committee is further discussed in Chapter 16: Enterprise IT Architecture Committee.

A number of different architectures exist; the organisation’s approach should take the following into account:

• Performance—the organisation’s systems need to be robust and able to maintain service levels irrespective of demand (although there may be trade-offs between the costs and benefits of serving extreme demand peaks). The system should be capable of live optimisation to meet changing user numbers and transaction volumes, without bottlenecks.

• Adaptability—as the organisation evolves within its competitive environment, it may need to adapt and modify its processes—its systems should be capable of inexpensive reconfiguration to meet those needs.

• Security and compliance—the security and compliance criteria set by the organisation must be met and, as there are regulatory implications, there must be clear and transparent evidence of this.

• IP ownership models and standards—deployment of proprietary software creates vendor dependence; this may or may not be acceptable. Use of specific standards (of, for instance, data models) should make interoperability of systems less expensive, in both the short term and the long term.

• Information availability—in many organisations, information is stored in vertical silos, and management can get different answers to the same questions from different systems; it would usually be better if there were a consistent presentation of information across all processes and systems.

Application- and hardware-independent service-oriented architectures (SOAs) have evolved to provide business users with a more flexible (usually browser-based) interface than is usually available with monolithic and legacy applications. The benefits of an SOA should include reduced cost and complexity and greater speed in assembling new responses to specific business needs, and an improved return on IT investment through leveraging existing IT resources.

Decisions about ICT can only properly be made in the light of a specific strategy and business plan. Not every organisation needs to deploy architecture x or application y; not every organisation has to be on the cutting edge of technology; not every organisation needs to automate every single one of its processes, or deploy the latest solution pumped by IT vendors. What every organisation needs to do is what it needs to do—no more and no less.

Only once an organisation has decided what it needs to do can the board make an informed decision about which information and communications technologies to deploy in its business, or the time-frame over which they should be deployed. The simple fact of the availability of any particular hardware, software, or communications technology is not a good reason to deploy it; an ab initio preference for one infrastructural technology over another (open source versus proprietary, for instance) could limit the strategic thinking that is fundamental to making the most appropriate enterprise decisions. Once an infrastructural decision is made, the organisation is committed to it for the foreseeable future; changing the infrastructure is a lot harder than simply upgrading it, for many reasons, including the combination of political and financial capital invested in the existing system, the installed user skill base, and business process dependency. Getting this decision right for the business is essential.

The board does not need to get involved in the technical minutiae of any of these decisions; it does, however, need to establish clear principles, guidelines and criteria that relate IT investment decisions to specific business objectives and which enable executives to come forward with proposals that, when implemented, will deliver the business goals.

Of course, the strategic decision-making process does not take place in a vacuum; the board does need to be informed about the ways in which technology is enabling competitors to transform themselves and about the business possibilities offered by new technologies. It also needs to keep the changing technology environment under review, so that it can make early identification of any upcoming changes that might affect its competitive positioning.

Most organisations do not have the opportunity to think their business models through from the outset; they come to IT governance at a time when the organisation already has an installed IT infrastructure which may—or, more often, may not—be fit for the business purpose. Such an IT infrastructure has ‘evolved’ because there has been no effective governance of IT.

It is nevertheless important that an appropriate IT strategy development process is developed and established as early as possible, and that it is clearly understood by senior management (and particularly by business and functional managers). Such an approach will enable the organisation to shift, over a period of time, to effective alignment of IT strategy and investment with business strategy and strategic goals.

The six-step IT strategy process

Risk management and implementation also have roles to play. The development and implementation of the four-stage IT strategy described earlier is, therefore, a six-step process:

• Step 1: the board establishes and agrees the business strategy. This stage is outside the scope of this book.

• Step 2: the executive team identifies the information requirements (‘What information do we need, where do we get it from, how are we going to process and use it?’).

• Step 3: the executive team develops the IS or application requirements (‘What business processes do we need?’ ‘What software will enable us to do this?’). This is also an appropriate time to consider the IT services that might be required to support the information and application strategies. (See Information strategy and IS strategy earlier in this chapter.)

• Step 4: the IT architecture committee documents the proposed architecture, reflecting the agreed IT principles and the information and application requirements; this enables a technology committee to identify the operating system, hardware and communication technology platforms, and user access devices that will support the application and information requirements. (See Chapter 16: Enterprise IT Architecture Committee.)

• Step 5: the technology committee applies the board’s risk treatment and compliance/security criteria to the cumulative output of steps 2 to 4 and makes any changes necessary to bring the draft IT strategy into conformance with these criteria. (Risk management frameworks are discussed in Chapter 4: Governance and Risk Management.)

• Step 6: the executive team ensures that required competences and resources have been identified, and that financial and risk criteria have all been met, and then approves the proposed IT strategy and puts it to the board for approval.

Measurement and quality

A fundamental aspect of any meaningful IT governance framework is the measurement of IT activity. Measurement of IT is also one of the many areas in which businesses have traditionally failed in their governance responsibilities. Decisions about what to measure should be made alongside the development of the business strategy, and should be embedded in the process of translating strategic business needs into IS strategy and, ultimately, IT strategy.

The Balanced Scorecard, which is now widely used in organisations across the world, can be extended to the IT function. In organisations that already use the Balanced Scorecard, this will not be a revolutionary step. Organisations that do not currently use the Balanced Scorecard can deploy it within the IT function without having first used it elsewhere in the organisation.

The IT Balanced Scorecard

Measurement matters: “If you can’t measure it, you can’t manage it.” An organization’s measurement system strongly affects the behaviour of people both inside and outside the organization. If companies are to survive and prosper in information age competition, they must use measurement and management systems derived from their strategies and capabilities. Unfortunately, many organizations espouse strategies about customer relationships, core competencies, and organizational capabilities while motivating and measuring performance only with financial measures. The Balanced Scorecard retains financial measurement as a critical summary of managerial and business performance, but it highlights a more general and integrated set of measurements that link current customer, internal process, employee, and system performance to long-term financial success.27

27 Robert S. Kaplan and David P. Norton, The Balanced Scorecard: Translating Strategy into Action (HBS Press, 1996).

Measurement matters even more in IT; after decades of over-promising and under-delivering, measurement that pertains to the organisation’s goals and to the contribution that IT makes to achieving them is essential. The Balanced Scorecard has increasingly been deployed over the last five years for managing IT organisations. In early 2001, Robert Gold28 identified four key lessons important for IT leaders when developing an IT Balanced Scorecard. These were:

1 Set the agenda: concisely define the IT organisation’s objectives and communicate them clearly to stakeholders, seeking to showcase the IT unit’s performance, offset criticism, or integrate the Balanced Scorecard with IT team performance management.

2 Involve business-unit managers in defining the IT strategy, preferably in moving from proving business competency to contributing to value creation in the business units.

3 Align IT spending and investment plans with business-unit expectations, ensuring that, where budget factors are outside the IT organisation’s control, these are clearly understood and the IT organisation’s performance is focused around delivering required value within the budget constraints.

4 Commit to change: the benefits of implementing an IT Balanced Scorecard take a long time to show through and will require behavioural change at all levels in the IT organisation. It is important that everyone in the IT team commits to the required changes and will ‘stick with it’.

28 Robert S. Gold, Building the IT Organization Balanced Scorecard (HBS Publishing, 2002).


The generic Balanced Scorecard has four perspectives: financial, customer, internal, and learning and growth. An IT organisation might make use of these perspectives in the following way:

1 Financial: budget management, return on investment (taking into account all IT projects, successes and failures), enterprise total cost of ownership (TCO), IT intensity (ratio of headcount to IT investment at original cost), intangible relevance (ratio of intellectual capital value to total organisational capitalisation)29.

2 Customer (internally): user satisfaction (system efficiency—the measures used in internal and external service level agreements (SLAs) could be consolidated here), cost-effective/competitive sourcing and delivery, speed of solution delivery, innovations that create business value. This perspective could probably also include regulatory and statutory compliance reporting.

3 Internal (to IT organisation) processes: implementation of enterprise IT architecture, reduction of system conflicts, reliability and functionality of systems, data integrity, system and information availability, response times, costs, new product development, management of outsourced IT operations, project governance, etc. This perspective could also include regulatory compliance relating, for instance, to data protection and privacy, information security, and business continuity.

29 See Chapter 3 of Alan Calder, IT Governance: Guidelines for Directors (ITGP, 2005), available at .

4 Learning and growth: IT organisation staff satisfaction, IT skills and competences in relation to those required to achieve the organisation’s IT strategy, managerial skills and competences.

The Baldrige National Quality Program’s Criteria for Performance Excellence provides a rich source of input for the type of measurements that might be used in the IT organisation Balanced Scorecard. Every organisation will have to develop and apply its own IT Balanced Scorecard. It must be developed specifically to suit the requirements of each organisation and must certainly be integrated with the whole-organisation version of the Balanced Scorecard (if one exists) if the IT version is to be a genuinely useful tool.

Balanced Scorecard implementation

Of course, implementation of an effective measurement process may, initially, be a politically sensitive step. Many in the IT organisation may fear the implication that their performance has been inadequate, and some of the senior IT leaders may resent the loss of day-to-day operational power that is such an inescapable component of any effective board-led measurement framework. Implementation of a measurement framework, a quality management process, is not a new business skill; there already exists substantial guidance on and experience of the introduction and management of change, and such guidance would certainly be worth following when introducing an effective measurement system.