©2008 Infonomics Pty Ltd ACS Victoria 19 November 2008
The Gershon Report and IT Governance
Mark ToomeyManaging Director Infonomics Pty Ltd
Chair, Standards Australia Committee IT-030
Member, ISO/IEC JTC-1 SC-7 WG1A
Page 1
©2008 Infonomics Pty Ltd ACS Victoria
Gershon’s Terms of Reference
• The terms of reference asked me, amongst a number of issues, to review and report on both the efficiency and effectiveness of the Australian Government‟s current use of ICT, to determine whether the Government is realising the greatest return from its investments in ICT, and to examine whether the right institutional arrangements are in place to maximise the return.
• Is Australia achieving efficient, effective and acceptable use of IT?
19 November, 2008 Page 2
©2008 Infonomics Pty Ltd ACS Victoria
Gershon’s Conclusion
• At the heart of my findings is a conclusion that … the current model of weak governance of ICT at a whole-of-government level and very high levels of agency autonomy … leads to sub-optimal outcomes in the context of prevailing external trends, financial returns, and the aims and objectives of this Government.
• … I have also found that benefits realisation and the measurement of benefits arising from investments in ICT are areas where there is substantial scope for improvement, together with measuring and improving the efficiency of current ICT operations.
• No it is not, and the problem is with top level direction, not with technical delivery.
19 November, 2008 Page 3
©2008 Infonomics Pty Ltd ACS Victoria
Gershon’s Recommendations
• … a major program of both administrative reform of, and cultural change from, a status quo where agency autonomy is a longstanding characteristic of the Australian Public Service.
• there are two critical requirements which will determine the success of this reform program:
– firstly, sustained leadership and drive at Ministerial and top official levels and,
– secondly, ensuring the enablers of change are properly resourced, not only in funding terms but also with skills of the right calibre.
• The people at the top will have to (learn to) do things that they have not previously been required to do.
19 November, 2008 Page 4
©2008 Infonomics Pty Ltd ACS Victoria
Do Gershon’s comments ring true?
• Digital TV to cost Canberra $38m – THE federal government has
announced $37.9 million in funding to drive Australia's transition to digital television.
• Immigration slows release cycles – THE Immigration Department will
reduce release cycles for the $495 million Systems for People project to ease pressure on staff members.
• Defence weak on IT, says chief– AUSTRALIA'S defence acquisition
organisation has … yet to excel at complex computer-related systems, defence head Air Chief Marshal Angus Houston says.
19 November, 2008 Page 5
October 2005
Tanner's IT razor plans 'ridiculous' By Andrew Fraser Political Correspondent (Canberra Times)
IT professionals have reacted with deep scepticism to Finance Minister Lindsay Tanner's plans for significant Budget savings by ending the "ridiculous" fragmentation and "crazy" duplication of government IT provision.
©2008 Infonomics Pty Ltd ACS Victoria
Gershon’s definition of “IT Governance”
• „Governance is defined as the system by which the current and future use of IT is directed and controlled. It involves evaluating and directing the use of IT to support the organisation and monitoring this use to achieve plans. It includes the strategy and policies for using IT within an organisation‟ (Source: AS 8015-2005 Corporate Governance of ICT). The generally accepted principles of public sector governance according to the Australian National Audit Office (ANAO) include accountability, transparency, integrity, stewardship, efficiency and leadership (Source: ANAO (July 2003), „Better practice guide: Public sector governance and the individual officer‟).
• Use the world-leading IP created in Australia, by Australians
19 November, 2008 Page 6
©2008 Infonomics Pty Ltd ACS Victoria 19 November, 2008
Getting to grips with Gershon’s message
• Many government IT departments do their job competently– Rigour– Process– Control– Reporting
• But it‟s not just in IT that problems develop:– Use of IT in achieving goals involves business change
• Process• People• Structure• Context
– And necessarily requires that leaders engage fully:• Being responsible• Setting direction• Planning and implementing
Polishing INSIDE the Kettle improves supply…
… but does not fully address the problem of use!
ITIL Prince2 CoBIT
CMMI PMBOK
Etc
Governance of IT has to deal with how organisations USE IT as well as with how IT departments operate.
Delivery
UseMany issues arise here – outside IT’s sphere of control.
Page 7
©2008 Infonomics Pty Ltd ACS Victoria 19 November, 2008
Gershon’s message is not new
In the case of the ICS, there does not
appear to have been an effective structure or process to direct and control the project, nor to make
suitable risk decisions.
To fulfil this task, Customs has had at
least 10 bodies responsible for different aspects of the management and governance of the ICS, including the interactions with industry…
These bodies overlap in their responsibilities and accountabilities, and
overall the program has no single business owner and accountabilities for its delivery are unclear.
Source: The Australian IT (online) and Booz Allan Hamilton Report “Review of the Integrated Cargo System”
Change Governance
Problemon a
Massive Scale.
Page 8
9:25/2
©2008 Infonomics Pty Ltd ACS Victoria
Gershon’s message is not uniqueKPMG Global IT Project Management Survey (Sep 05)
• Traditional measures of success (time and budget) are being superseded:
– “Achieving benefits – keeping commitments – is now the key determinant of project success.”
• Since 2003, performance of projects has improved marginally:
– Failure rates are still appalling;
– Many organisations do not focus on realising or measuring benefits.
• “The key element (that makes some organisations more successful) appears to be an appropriate governance framework – to complement planning and prioritisation of activities and to help ensure execution controls are in place until benefits are realised.”
• “The board must put in place, through management, a rigorous oversight framework to monitor achievement of budgets, the meeting of timelines and to help ensure that the agreed benefits are realised. To achieve this, the board must receive the right information at the right time”.
19 November, 2008 Page 9
Those responsible at the top of the organisation must govern…
©2008 Infonomics Pty Ltd ACS Victoria
Corporate Governance: The System by which
entities are directed and controlled.
(Cadbury)
Governance Domains and SystemsCorporate Governance visibility and control
Management Responsibility
Information (IT) assetsFinancial
assets
Relationship assets
Humanassets
IPassets
Physicalassets
Understanding Gershon: Understanding Corporate Governance of IT.
Page 10
CorporateGovernance
Corporate Management
Evaluate
Pla
ns,
Policie
s
Perf
orm
ance
Confo
rmance
Direct Monitor
Pro
posals
Projects Operations
CorporateGovernance
Corporate Management
Evaluate
Pla
ns,
Policie
s
Perf
orm
ance
Confo
rmance
Direct Monitor
Pro
posals
Projects OperationsCorporate Governance of IT:The System by which the current and future use of IT is directed and controlled.
19 November, 2008
©2008 Infonomics Pty Ltd ACS Victoria
CorporateGovernance
Corporate Management
Evaluate
Pla
ns,
Policie
s
Perf
orm
ance
Confo
rmance
Direct Monitor
Pro
posals
Projects Operations
The System for Governance of IT:Current and Future Use
19 November, 2008 Page 11
©2008 Infonomics Pty Ltd ACS Victoria
CorporateGovernance
Corporate Management
Evaluate
Pla
ns,
Policie
s
Perf
orm
ance
Confo
rmance
Direct Monitor
Pro
posals
Projects Operations
The System for Governance of IT:Current and Future Use
19 November, 2008 Page 12
Future Use:
Business Projects
Current Use:
Business Operations
©2008 Infonomics Pty Ltd ACS Victoria
The S
yste
m o
f M
anagem
ent
Current Use:
Business Operations
The System for Governance of IT:Two domains of responsibility.
19 November, 2008 Page 13
Future Use:
Business Projects
StrategicBusinessFuture
Dem
and
Supply
Effective IT enabled change
Ongoing business
operations
Dem
and
Supply
Reliable IT Service
ITIL, ISO 20000, ISO 27000, CoBiT etc
Business Domain: How IT
is used to enable and operate the
business
IT Domain: How IT is
managed and delivered.
ValIT
©2008 Infonomics Pty Ltd ACS Victoria 19 November, 2008
The S
yste
m o
f M
anagem
ent
Ongoing business operations
StrategicBusinessFuture
Supply
Supply
Reliable IT ServiceEffective IT
enabled change
Business Domain: How IT is used to enable and operate the business
IT Domain: How IT is managed and
delivered.
ITIL, ISO 20000, ISO 27000, CoBiT etc
Dem
and
Dem
and
ValIT
CorporateGovernance Oversight
ISO 38500
Rules, Direction,Behaviour
Performance,Conformance
The System for Governance of IT:An integrated system overseen by the Board
Page 14
Managem
ent
Resp
onsi
bili
tyBoard
ove
rsig
ht
The S
yst
em
of
Gove
rnance
©2008 Infonomics Pty Ltd ACS Victoria 19 November, 2008
The S
yste
m o
f M
anagem
ent
Ongoing business operations
StrategicBusinessFuture
Supply
Supply
Reliable IT ServiceEffective IT
enabled change
Business Domain: How IT is used to enable and operate the business
IT Domain: How IT is managed and
delivered.
ITIL, ISO 20000, ISO 27000, CoBiT etc
Dem
and
Dem
and
ValIT
CorporateGovernance Oversight
ISO 38500
Rules, Direction,Behaviour
Performance,Conformance
The System for Governance of IT:An integrated system overseen by the Board
Page 15
Managem
ent
Resp
onsi
bili
tyBoard
ove
rsig
ht
The S
yst
em
of
Gove
rnance
Ministers and Department Secretaries
©2008 Infonomics Pty Ltd ACS Victoria
An essential realisation in the post-Gershon era:
• IT is now a fundamental enabler of change and is leading to new business models and new business practices
– Eg e-Government
19 November, 2008 Page 16
Process Structure
People
Technology
The Business System
Process Structure
People
Technology
The Business System
The Business System
Technology
People
StructureProcess
“Traditional” IT Change Project
©2008 Infonomics Pty Ltd ACS Victoria
An essential realisation in the post-Gershon era:
• IT is now a fundamental enabler of change and is leading to new business models and new business practices
– Eg e-Government
• Implementing IT enabled change involves attention to every facet of business models and practices
– Internal and external factors
19 November, 2008 Page 17
• Governing IT Enabled Change involves much more than governing technology activities.
Process Structure
People
Technology
The Business System
Process Structure
People
Technology
The Business System
The Business System
Technology
People
StructureProcess
“Traditional” IT Change Project
Change Program• Business System
•Process•Technology•Structure•People
• Business Context•Process•Technology•Structure•People
ChangedProcess
ChangedStructure
ChangedPeople
ChangedTechnology
Changed Business System
©2008 Infonomics Pty Ltd ACS Victoria
The Framework for Governing IT in the post-Gershon era:
• Responsibility
• Strategy (Planning)
• Acquisition (Spending)
• Performance
• Conformance
• Human Behaviour
19 November, 2008 Page 18
CorporateGovernance
Corporate Management
Evaluate
Pla
ns,
Policie
s
Perf
orm
ance
Confo
rmance
Direct MonitorPro
posals
Projects Operations
©2008 Infonomics Pty Ltd ACS Victoria
What we have learned about the state of the art
19 November, 2008 Page 19
Principles Responsibility Plan Acquire Perform Conform Human Factors
Corporate Governance of ICT - Indicators
Exemplary
Good
Basic
Weak
None
No view
Principles Responsibility Strategy Acquisition Performance Conformance Human Behaviour
RMIT and Infonomics research 2006-7. Published in “Achieving Business Sustainability” (Infonomics), and “Information Technology Entrepreneurship and Innovation”, edited by Fang Zhao, published by IGI Global, 2008.
©2008 Infonomics Pty Ltd ACS Victoria
Gershon’s recommendations address gaps in conformance to the principles
Respons-ibility
Strategy Acquisition Perform-ance
Conform-ance
Human Behaviour
Pan-government governance
X X X X X X
Agency governance
X X X X X X
BaU funding X X X X X X
APS IT Skills base
X X X X X X
Data Centres
X X X
IT Marketplace
X X X X X X
Sustain-ability
X X X X X X
19 November, 2008 Page 20
©2008 Infonomics Pty Ltd ACS Victoria
Responsibility
• Ensure clearly understood (and appropriately allocated and discharged) responsibility for IT:
– Ministers set the tone for use of IT;
– Department heads ensure that IT is effective:
• Within their departments;
• Across whole of government.
– And efficient
• Not just allocating investment $:
• Achieving goals;
• Realising benefits;
• Controlling costs;
• Advancing capability and opportunity.
• Ministers and Department Heads are responsible for efficient, effective and acceptable use of IT.
19 November, 2008 Page 21
©2008 Infonomics Pty Ltd ACS Victoria
Strategy (Planning)
• Plan IT (all aspects thereof) to best suit the organisation:
– The organisation is the nation and the government overall – not just the individual departments;
– Secretaries committee to set whole of government strategies
– Allocating the resources to best serve the needs of the nation;
– Seize opportunities for efficiency at whole of government level;
– Fix problem – data centres;
– Fix problem – basic business systems replicated with no genuine effort to standardise business process;
– Fix problem – plans for developing a competent internal workforce and plans for nurturing development of the domestic industry.
• Stop doing the same things over and over without improving: instead optimise the mundane and open the door to real opportunity for innovation and advancement.
19 November, 2008 Page 22
©2008 Infonomics Pty Ltd ACS Victoria
Acquisition
• Acquire IT validly (decisions to allocate and spend resources on IT)
– Look for opportunities to reuse and expand benefits portfolio;
– More scrutiny of “Business as Usual”
• (Has the industry been complicit here?)
– Move government to high efficiency, rather than high cost;
– Avoid and remove barriers to entry for smaller businesses;
– Consider IT implications of changing government policy.
• Scrutinise all aspects of spend equally, and require every outlay to be properly justified. Redirect unnecessary expenditure to areas of need and opportunity. Consider do-ability as much as need and value.
19 November, 2008 Page 23
©2008 Infonomics Pty Ltd ACS Victoria
Perform
• Ensure that IT performs well, whenever required (several facets – projects, systems, resources etc):
– Lift the capability of government agencies
• Relevant frameworks and standards including AS8015;
• Whole of lifecycle management including the business (demand) side;
• Capability to deliver intended outcomes and benefits of projects;
– Ensure that operational risks are known and managed
• The Canberra power grid has a single main feed!
– Ensure that staffing arrangements can serve future needs
• Knowledgeable, well trained, capable and mobile core workforce.
• Pay attention to the reality that IT is a non-negotiable imperative underpinning all government activity, and do properly the job of ensuring that it is fit for purpose.
19 November, 2008 Page 24
©2008 Infonomics Pty Ltd ACS Victoria
Conform
• Ensure that IT conforms to formal rules
– A lack of relevant formal rules for government
– AGIMO lacks the authority to enforce even basic guidelines
– Ministerial committee to establish top level IT policies;
– Ministerial scrutiny of opt-out requests;
– Secretaries committee to enforce conformance.
• Effective, efficient and acceptable use of IT requires rules that are followed honestly. Individual preference is not a valid reason for breaking rules.
19 November, 2008 Page 25
©2008 Infonomics Pty Ltd ACS Victoria
Human Behaviour
• Ensure that IT use respects human behaviour
– Resolve tendency to avoidance of human issues
• Over-customisation of COTS software to avoid organisational change
– Delays projects
– Increases costs
– Minimises reuse
– Blocks benefits
– Introduces future constraints.
– Properly recognise IT profession as a career
• Establish a career structure;
• Remove incentive to move to suppliers and contracting;
• Diversify locations.
• IT itself is not the issue. The key problems are with the people who should be controlling IT use, and are failing to do so, the people who are affected by IT use and who are shielded from the impact, and the people who deliver the IT capability, who are undervalued.
19 November, 2008 Page 26
©2008 Infonomics Pty Ltd ACS Victoria
Where is the opportunity
• Implement Gershon‟s recommendations to:
– Become VERY Capable of delivering IT enabled change;
– Improve the business operational performance of many federal government agencies;
– Streamline and integrate public interaction with government;
– Move to a higher plane of IT use to create new capabilities for the nation;
– Make Australia significantly more competitive as a trading nation;
– Release resources from mundane activity to focus on truly significant innovation;
– Position Australia as an exemplar of good governance of IT.
• Move from a culture of waste where IT is criticised and constrained to a culture of value and performance where IT is cherished and embraced.
19 November, 2008 Page 27
©2008 Infonomics Pty Ltd ACS Victoria 19 November, 2008 Page 28
Top priorities of local CIOs
2006 2007 2008
Aligning IT and business goals 1 1 1
IT-enabled process improvement 4 4 2
Business continuity/risk management 2 3 3
Improving internal user satisfaction 3 2 4
Controlling IT costs 5 6 5
IT staff development 6 5 6
IT governance 8 8 7
Revenue generating services/products N/R 11 8
Measuring & communicating IT value 10 7 9
Improving project management discipline 9 9 10
Data Privacy N/R N/R 11
Regulatory compliance 11 10 12
Source: CIO Australia Magazine „State of the CIO Survey‟ (2006/7/8)
©2008 Infonomics Pty Ltd ACS Victoria 19 November, 2008 Page 29
Top priorities of local CIOs
2006 2007 2008
Aligning IT and business goals 1 1 1
IT-enabled process improvement 4 4 2
Business continuity/risk management 2 3 3
Improving internal user satisfaction 3 2 4
Controlling IT costs 5 6 5
IT staff development 6 5 6
IT governance 8 8 7
Revenue generating services/products N/R 11 8
Measuring & communicating IT value 10 7 9
Improving project management discipline 9 9 10
Data Privacy N/R N/R 11
Regulatory compliance 11 10 12
Source: CIO Australia Magazine „State of the CIO Survey‟ (2006/7/8)
2006 2007 2008
Aligning IT and business goals 1 1 1
IT-enabled process improvement 4 4 2
Business continuity/risk management 2 3 3
Improving internal user satisfaction 3 2 4
Controlling IT costs 5 6 5
IT staff development 6 5 6
IT governance 8 8 7
Revenue generating services/products N/R 11 8
Measuring & communicating IT value 10 7 9
Improving project management discipline 9 9 10
Data Privacy N/R N/R 11
Regulatory compliance 11 10 12
©2008 Infonomics Pty Ltd ACS Victoria 19 November 2008
Questions
www.infonomics.com.au
Page 30