What are the CIO’s challenges in 2020 from a Business Perspective? What are the Top 6 Business Expectations from CIOs? My goal is to introduce a view of IT from the perspective of the businesses that use it. I seek to make current IT best practices accessible and understandable to business managers. Too often, IT projects and operations fail because business expectations for them are unrealistically high, based on ignorance of what can be achieved in a given time at a given quality and budget.
Also, too often, CIOs’ deliverables in a given time at a given quality and budget are unrealistically low. This is based on the CIO’s ignorance of (or disregard for) what can be achieved by combining a clearly prioritized set of business needs with well-established, but woefully underutilized, IT industry best practices.
I seek to provide an overview of those industry best practices that businesses should expect in the hope that their expectations will become more realistic and, at the same time, the accountability of CIOs will improve.
The business should expect great service at a low cost. There are six key concepts in establishing realistic but aggressive business expectations.
The crucial point here is that IT and CIOs are inseparable parts of the operations of most businesses. A small failure or improvement of IT can have a dramatic effect on the business’s ability to operate and to influence its profitability.
1. Information for Decision
“If you cannot measure, you cannot manage” is critical to understanding what the business should expect from its CIOs. The business needs clear, concise, relevant, and timely information from the CIOs to understand whether all its other expectations are being met. Unfortunately, CIOs tend to be much better at generating data than generating information.
Any discussion about the information needed by the business must start with identifying the information needed to inform the business whether its strategic and tactical goals are being met. This should then lead to a discussion about the operational performance measurements for the CIOs that need to be monitored to ensure continued success.
Finally, a set of measurements is required to give the business information about whether the current supplier of IT services is providing value for money (i.e., compared to their own previous performance and relative to other providers).
Expectations for those measurements that are related to the performance of the CIOs should be captured in a written agreement between the business and the CIOs, typically called a Service Level Agreement (SLA).
If the metrics defined are to be used effectively, they need to be built into an automated collection, storage, processing, and delivery information system that can deliver dashboards and reports designed to show the right level of information for decisions at any given level of management. These systems also need to allow managers to drill down to deeper levels of detail if required.
The Goal-Question-Metric (GQM) technique can be used to establish the metrics that need to be gathered. This technique was developed by Victor Basili and his colleagues at the University of Maryland while working with NASA. Basili and his co-workers defined GQM as a set of six steps where the first three steps identify the right metrics from the business goals and the last three steps gather and use the data from the metrics to enable effective decision making:
2. Business Value for Money
The business must hold its CIOs accountable for “Value for Money.” However, before it applies a blanket strategy across all its functions and all CIOs, the business must establish its own current priorities for IT.
When defining the roles and responsibilities of the CIO, a CEO should ask these questions of his CIO. One of these is particularly relevant to a business expectation of its CIOs: “Do you view IT as an expense or an investment?”
This is not a trivial question. It must be noted here how important it is for the business to answer this question seriously, honestly, and with a view to the medium term (on the assumption that very few businesses actually look to the long term even if they claim they do). The answer may or may not be industry-based.
For example, for banks IT is clearly an investment. For a construction company, it may not be. Is IT part of what makes your business competitive? Is it a strategic differentiator? If it is, then you should answer that you view IT as an investment. This has implications for what your business can fairly consider “Value for Money.”
Your tolerance for failure of mission-critical systems will be lower and, hence, your IT costs higher. The positive impact of IT innovation on your business will be higher, so your willingness to tolerate IT experimentation should be higher and your acceptance of the failure of some of those experiments should be higher.
On the other hand, if IT is a “necessary evil” in your business, then “Value for Money” for you can focus on delivering satisfactory services for the lowest possible cost with some acceptance of risk. Of course, in most enterprises, there will be some environments at some times in which IT is viewed as an investment and others where it is viewed as an expense. These will change over time and businesses need a clear understanding of their current portfolio. There will be times when a binary answer is too simplistic.
3. Enterprise IT Risk Management
The one thing that CEOs and all senior managers hate is surprises. The business has a right to expect no surprises from its CIOs. The only way to avoid surprises is to engage in a dialogue about risk management.
In IT, there is a certain mystique about the risk management process area, and it is ignored. The IT industry is bedeviled by an incomprehensible optimism, indefensible in the light of the industry’s track record for on-time and on-budget delivery (this parallels the saying in theater, “It’ll be alright on the night!”).
This optimism and unwillingness even to think about risk management is interesting in that it runs counter to most engineers’ (or even a local car mechanic’s) reaction to even the simplest request: a sucking sound made by a sharp intake of breath.
There is a real gap between the difficulties that we as IT practitioners can enumerate for others and those that we admit to ourselves. It is necessary for businesses to drive their CIOs to enumerate and quantify all possible risks.
Businesses should expect each risk to be accompanied by one or more mitigation strategies with associated costs. A business should then choose the risk management strategies it can tolerate in terms of consequences and expenses.
Businesses have the right to expect CIOs to be prepared for different failure scenarios by appropriate forward-thinking and planning.
A new phenomenon for businesses and CIOs is the interest being taken in IT by external auditors of the organization.
External auditors have become increasingly aware of two broad and related risks:
- An IT operations failure can seriously disrupt or destroy an organization’s ability to operate and its reputation with its customers.
- One of the causes of IT operations failure is the introduction of new software.
Interestingly, in seeking to assess the scale of the second risk in organizations, external auditors are now working their way back along the software development life cycle processes, seeking reassurance from the evidence of auditability and best practices.
The monitoring of key metrics is an essential part of risk management. Businesses should not expect to understand or even receive the data from the IT monitoring systems, but they should expect their CIOs to set performance thresholds that will give an early indication of a possible failure situation in the future.
The appropriate time span for “future” is the time required to have the option of taking corrective action.
Finally, an often-neglected aspect of risk management is the management of people risk. Significant IT capital is tied up in the business’s intellectual property that is in people’s heads. It is all too easy to view staff as fungible “resources.”
In most organizations, there are key individuals whose knowledge and expertise are the difference between success and failure in the short and medium term.
CIOs must be required to perform the same risk management planning for their people as they do for their hardware! This is a particular risk during merger and acquisition events. The business should expect a succession plan for, and from, the CIO.
4. Innovation to Pilots
Innovation tends to be thought of as the introduction of something new. I prefer a much tighter definition which is the introduction of something new that improves measured performance in desirable ways.
In IT, an improvement in the measured performance of one parameter may be at the expense of a reduction in the measured performance of other parameters. Businesses need to be mindful that CIOs may be offering innovation on a narrow front. The bigger picture is always needed.
With the proviso that businesses must understand their view of IT, as discussed in the “Value for Money” section, businesses have a right to expect innovation from IT. Innovation in and through IT has become such a norm in our society that businesses sometimes forget to think about it in that way.
New software or new operating systems or new hardware can become a “pain” that we would rather not deal with — “innovation for innovation’s sake.” Businesses must remember that the improvement-enabling power of IT endures. That any manual process is a candidate for automation is so obvious that it should not need stating but when did you last look around your business for manual processes?
Our technology is not yet so perfect that it cannot be improved. If it were, the emergence of innovative approaches such as search engines and Web services would find few takers.
The business should expect creative energy from its CIOs whether it’s that top consulting company coming in with a new idea to make millions; the offshore software maintenance company inventing a better, cheaper way to service customer bug fixes; or the CIO proposing to save a fortune by combining two different business units’ similar needs.
These all boil down to finding new ways to deliver value for money. CIOs are uniquely qualified to identify potential applications of modern technologies to old problems and potential applications of all technologies to the latest problems.
Businesses need to create an environment in which their CIOs can contribute thought leadership, business creativity, and process innovation coupled with sound business cases. The definition of “sound” will vary from business to business, but it should not exclude extensive ideas.
Return on investment is crucial but the definition of “return” should include consideration of broader value. It is notoriously difficult to predict the unintended consequences of implementing IT changes, but it should be remembered that sometimes the unintended consequences can be hugely rewarding.
One way to enable but manage innovation in IT, and to make unintended consequences a positive force, is to use some form of Agile Methodology using the principles of the Agile Manifesto. I am a firm believer in this approach to incremental value delivery in an innovative project.
5. Process and Best Practices
Defined processes ensure repeatability and provide a springboard for continuous improvement. Most businesses do not have the time or the knowledge to create best practices for the management of IT.
Fortunately, much of the work of best practices capture and codification has been done already. Businesses should view the implementation of the process by their CIOs as a huge step forward in risk management.
Through the implementation of industry-recognized processes, businesses benefit by avoiding the mistakes that others have made to find out what constitutes best practice. Your auditors will be much easier to satisfy if your CIOs implement these processes.
Of course, in the spirit of “no surprises” in front of the auditors, implementing these processes also requires that you implement your own internal audit capability.
Numerous processes have been defined for IT. Many are especially useful, some are internationally recognized and standardized, and a relative few have become operationally important at the interface between the business and the CIOs.
For the purposes of this particular section, I believe that all businesses should expect to have a discussion with their CIOs about why they have or have not adopted the following models (or frameworks): COBIT®, ITIL®, and CMMI®.
To understand the differences and overlaps between them, it is important first to understand that these three models were developed and defined independently. Initially, they did not acknowledge each other and did not attempt to interface with each other explicitly.
This limitation has been best addressed by version 3 of the ITIL. From the business perspective, think of the three models.
The outer model is COBIT, which is designed to provide a framework for governance and control of CIOs. The middle model is ITIL, which focuses on best practices for the IT operations or, more succinctly, keeping what is running.
The inner model is CMMI, which is focused on best practices for systems and software development. It is appropriate for any business to expect its CIOs to have implemented all three of these models or to articulate exceptionally good reasons for not doing so.
The day-to-day involvement that the business needs to have in each of the three is symbolized by the three models: most involvement with COBIT, much with ITIL, least with CMMI.
In addition to these three models, businesses and their CIOs may wish to consider using Six Sigma as a quantitative approach for identifying and rectifying areas in need of improvement (particularly relevant for CMMI Level 4 and the CMMI continuous representation).
Six Sigma is not an IT-specific model and has both pros and cons for the business-IT interface. On the plus side, Six Sigma may be in use in the business for business process improvement purposes and using the same approach in IT could be powerful in reinforcing corporate culture. On the minus side, if CIOs do not have a reasonable level of IT maturity, the focusing effect of Six Sigma may leave too many IT capability gaps.
Customer requirements or the needs of other parts of the business (e.g., manufacturing) may lead the organization to consider (or require) compliance with ISO quality standards in its CIOs.
Finally, project management is a key capability for all CIOs, and the Project Management Institute (PMI®) provides several models of best practice.
The business must expect responsiveness from IT to three key stakeholders who may not seem so visible (or important) to the CIOs as they do to the business:
- Business customers
- Business users
- Business managers
It may seem odd to prefix all these stakeholders with the term “business” but it is important to recognize that IT customers, users, and managers are often different from those of a specific business unit. Indeed, two business units usually have different customers, users, and managers.
Even good CIOs who are on top of their game in serving their businesses can face conflicts of priorities between different business units.
Unless the business sells IT services or products, the best form of responsiveness that CIOs can deliver to business customers is invisibility. The technology should never be the problem and, if it is, the CIOs should get IT out of the customers’ eyes as quickly as possible.
For business users, the CIOs should be expected to share the urgency of the business need. Further, the CIOs should establish processes for engaging with business users. These engagement approaches include participation in requirements gathering, training, support, and easy accessibility.
For business managers, CIOs must be expected to provide information, not data. The distinction is that CIOs must be able to report to business managers in context-relevant ways to enable business decision making. CIOs should be required and able to participate in business planning and provide responsive leadership to offer the business IT-based opportunities for business growth and cost savings.
I describe six things that a business should expect from its CIOs. I introduce the important process best practices that CIOs should implement. Like any successful partnership, the business–IT partnership will succeed through mutual support and mutual understanding of the expectations in both directions.
Running IT is a tough job and good CIOs are hard to come by. To do the job properly, a good CIO will expect to contribute to all the same critical success factors that drive the business executives. So, in its dealings with IT and the CIO, the business leaders must be openhanded with information, evenhanded in risk management, fair-minded in resolving conflicting priorities, and tough-minded in evaluating value for money and return on investment (ROI).