It’s Time for New IT Governance Models

If a you get a group of IT executives together around a table and discuss to whom the CIO should report, you will generally find a consensus that, if IT is to be strategic in any company, it should be the CEO.

I used to tell my graduate students that I could tell whether a company’s use of technology was strategic by asking one question: “Tell me who the CIO reports to.”

In reality, it’s not that simple. There are any number of options regarding the reporting relationship of the IT department, and it really begins with an overall assessment of what is expected from IT within the company.

In an earlier article I discussed the various positions of IT within companies depending on the level of service they provided to the organization. They fall into three categories: core strategic, trusted supplier, and utility.

The positioning of IT within the company, and the company’s expectations from IT determine not only how we classify the IT organization, but also to whom the organization reports. However, the traditional IT reporting relationships—other than those for the core strategic—still tend to be problematic for most organizations.

In general, we believe the reporting relationships need to be examined outside of the traditional frameworks in use today.

Core Strategic. Clearly this is an organization which should report to the highest levels in the company; typically the CEO.

Because the work of these IT organizations are central to success of the business, and, if public, to the stock valuation, the CEO should be “joined at the hip” with the CIO. Although, there are other governance models which might work equally, or in come cases, better, than a reporting relationship with the CEO.

There should be some input from a broader cross-section of the senior management, and this might be the traditional senior management committee, the board of directors, or a sub-committee of the senior management committee or board which sets strategic direction for IT.

It would seem obvious that if IT is core-strategic to the company, then the strategy and the oversight of that function should reside at the highest levels of the company. An organization wouldn’t think of making a major acquisition or a change in it’s strategic position without the board’s approval, or the owners’ approval if the company was private, so it’s only natural for IT decisions which similarly affect the company to be vetted in a like manner.

Trusted Provider. Here the traditional reporting relationship has been to the CFO, and in some cases this is appropriate, but I think there is a lack of creative thinking on the part of most organizations about where this level of IT reports.

Why the CFO? It certainly would be appropriate if the main focus of IT was financial reporting, billing, etc., but then the IT organization would not be a trusted provider, it would be a utility.

In general, trusted-providers provide a broad range of essential services, and in many cases provide true competitive advantage without rising to the level of core strategic.

They may significantly lower costs, provide razor-sharp customer focus, or differentiate the company without being the company’s product. In general, reporting to the CFO both hampers the use of more strategic IT within the organization, and burdens the CFO with a function outside his core competence.

Most CFO’s simply don’t have the training or experience to adequately make use of information technology within the modern corporation. A better governance model is to have the CIO report directly to a cross-functional steering committee comprised of senior functional officers.

Although reporting to a committee is an unusual method of oversight, it allows IT to provide a broad range of services against an agenda of competing priorities. It’s really the only way that a trusted provider can ever have a chance of rising to the level of core strategic.

Utility. If the trusted provider doesn’t need to report to the CFO, it would also follow that the utility IT department doesn’t gain an advantage by reporting there either.

The only argument that might be made for utility computing reporting to the CFO is if it is truly viewed as a cost center, and that aggressive cost management is the function of the finance department.

Clearly utility IT is a prime candidate for outsourcing, and an argument can be made that there is some value to having finance in charge of the outsourcing. It could also be argued that a utility could be a function of manufacturing, marketing or the other key operation of the organization.

In general, IT organizations classified at utilities don’t have a CIO, and therefore they don’t get the oversight of the other two classes. The steering committee makes sense for the utility IT department and I would strongly recommend that organizations think about this structure.

Daniel Gingras has been CIO of five major companies and is a partner at Tatum Partners, a nationwide professional services organization of senior-level technology and financial executives who take on leadership roles for client companies. He has more than 30 years of IT experience and teaches computer science at Boston University. He can be reached at [email protected].