bITa Center

With John Hughes, president of IT management consultancy GrowthWave. His IT career has spanned 26 years, encompassing many roles, positions and industries. He has worked for and helped lead companies ranging in size from $2 million to $17 billion, including Bank One, Worthington Industries and Cendant. Question: You say there are three stages of IT/business alignment — tactical, strategic and innovative — and that they build upon each other. So is it not possible to attain innovative alignment without first achieving tactical and strategic alignment? Hughes: It depends upon the objectives of the company. The alignment model has to do with the mature company where the IT organization has kind of lost its way in terms of meeting the needs of the business. That was the type of organization I was leading when I built the first IT/business alignment team, and we developed this model. It's how you go from misalignment to alignment. But a start-up, for example, might start at the innovative stage and say, "You know what? The tactical stuff is just going to happen." Two things are critical: The business leaders have to make it clear what the objectives are of the organization, and the CIO or IT leaders have to align themselves with those objectives. If that's not clear, if the communication isn't happening, that's where you get frustration. I've seen CEOs throw up their hands and say, "I can't deal with IT. How can I get value out of IT?" But it really starts with the CEO and clear objectives. It sounds so cheesy, but it really takes leadership — business leadership within IT where CIOs have to become business leaders, but also IT leadership within the business. It doesn't mean they have to become technologists, but they have to own the results of IT. At so many companies, they are pumping dollars into this black box called IT almost as if you are supposed to do that — without ever expecting returns out of that. Question: You also say that many CIOs have trouble moving from misalignment to tactical alignment because it can create an image problem with users/the business. Can you explain how this happens, and what can be done to avoid it? Hughes: Unfortunately, it's going to happen in certain pockets. What you have in those mature types of organizations is people within the business that really know how to play the game of IT. They will latch on to a developer, and use that developer as much as they can. That's where misalignment is occurring. Now you have a developer that is setting the agenda, and the priorities of tactical alignment aren't occurring. The problem you get into is, how do you detach those almost personal relationships? These are relationships where people in the business have figured out how to get things done from IT, but they are making it difficult for IT to achieve the business objectives. [Their personal objectives] may not be the highest-return items IT should be working on, the items where the business is going to get the greatest returns for their investments in IT. Then those people feel neglected. What I did in this situation was communicate to the IT steering committee that IT is actually going to be doing less for you. You have to let them know why. In this case, the business understood that they weren't communicating with IT, so IT wasn't doing the right things. You have to explain to them that it'll seem like you are doing less for them over a period of time because you are going to be repositioning how you interact with the business. Tell them you want to minimize the amount of tactical things you do, by automating as much as you can. It's creating capacity; IT has to optimize the work that it does. What a lot of IT organizations do though, is they are really good at creating capacity but they pump it right back into the firefighting. They don't know how to shift it to more strategic objectives. Question: Can you explain the differences between tactical and strategic alignment? Do many companies have difficulty moving from tactical to strategic alignment? Hughes: The leap between tactical and strategic alignment is the most difficult because of the relationship between the business and IT. The bottom line is the communication between IT and the business. IT needs to make sure they understand the true priorities of the business. I've only ever been in one company that got strategic planning right, from the top down. "Most of the companies I've been in would just get the executives together and say, "OK, we are going to do strategic planning" and then send everybody to go off and put together their strategic plans. It took me a few times of going through this cycle, and then I said, "How can IT go and do strategic planning if I really don't know where the rest of the company is headed?" It needs to be more of a trickle-down or waterfall effect. You start with the really true objectives the business has, then sales and marketing and operations fill in their blanks, and then you get to the back office. So that's where it falls down. What should IT be working on? That's what alignment is all about. Question: Is innovative alignment the goal of most/all companies? Should it be? Hughes: It gets back to the "quality is free" concept. If you are executing strategic alignment correctly, with ongoing communication and collaboration between the business and IT, then innovative alignment will happen. On my team, we had full-time strategists whose job was to ensure that this ongoing communication occurred. They would ask the executives in finance and in marketing what are your biggest needs, your biggest struggles, your biggest opportunities? It was the best way to educate IT about the business and, at the same time, we could educate the business about IT, about the technologies we had in-house and technologies that were on the market. When you get this ongoing dialogue and collaboration, that's when you get the innovative opportunities. I need to clarify the concept of innovation. Innovation in this case doesn't mean you are on the bleeding edge of technology. It's business advantage that occurs through this process that might not have otherwise occurred. I don't want to scare anyone away, because they think the concept I am bringing is, "You have to be innovative." That's not it at all. It just happens naturally. Source: IT Business Edge |

The web site has two halves:

• The first half provides an insight to the Management Gurus, who have influenced the business world, their Management Books and their thinking in term of Management Methods and techniques.
• The second half that tries to distil all the ideas into an overall management framework called the Unified Management Framework (UMF).

The web site was launched in May 2007 by the efforts of a small group of maturing interim managers and management consultants to provide the insights that they have gained both from their personal working experiences and also their experiences in making use of the methods and concepts laid down by the management gurus, and most importantly helping managers deal with their not infrequent negative consequences. Have a look at: 

www.mangurus.com

Many CIOs arrived late to Sarbanes-Oxley efforts Are CIOs sufficiently involved in their companies’ compliance efforts?

When it comes to Sarbanes-Oxley (SOX) compliance, at least, many compliance and security experts contend CIOs are actually insufficiently involved, and often supplanted by chief financial officers (CFOs).
That doesn’t bode well for companies’ other compliance efforts. According to Michael Rasmussen, the vice president for risk and compliance research at Forrester Research, “I do agree that the CIOs haven’t stepped up to bat, and they could have more influence and direction in Sarbanes-Oxley.” That’s especially true since companies increasingly implement automated IT controls—ideally, overseen by CIOs—to ensure compliance.

Did CIOs simply miss the boat on SOX? “I can’t disagree, just based on the number of individuals I’ve talked to in publicly traded companies, as well as from my experience at the SEC,” says Chrisan Herrod of Scalable Software, executive consultant for compliance solutions, and the former chief security officer of the U.S. Securities and Exchange Commission (SEC). What accounts for this state of affairs? Simply put, “The CFO stepped up and said, ‘I’m the chief officer who’s designated to go to jail here, so I’ll be taking charge of the SOX effort, thank you very much,’” notes Charles Le Grand, the CEO and founder of CHL Global Associates. Legislators, of course, initially crafted SOX to combat perceived business problems and a handful of high-profile financial reporting irregularities. “It was because there were bad actors in companies that manipulated the processes; it wasn’t thought about so much as an IT problem,” recalls Herrod. “When it was finally coupled with IT—because all your financial systems run on applications which are part of your networked environment—people also realized it was also about technology, and the CIOs were brought in, but at the end of the game.”

CIOs’ Involvement Increasing With SOX compliance efforts maturing, are more CIOs getting involved? “Yes, slowly,” notes Rasmussen. Their involvement parallels the increasing use of automated controls to help ensure compliance. “If people tried to put a quick solution in place, they did it by using manual controls—in other words throwing bodies at it. In the first year of SOX, that’s certainly how people got through it—by having people, for example, reading all the security logs.

But that’s not sustainable,” notes Murray Mazer, co-founder and vice president of corporate development for Lumigent Technologies Inc. By contrast, automated controls help ensure compliance in a more sustainable, demonstrable, and economical manner, and thus more companies are adopting them. “I’m hearing and seeing people become absolutely more aware within organizations that IT controls—specifically IT security controls—are going to be extremely important, and that these controls have to be put in place and constantly tested and monitored.

That definitely brings CIOs into the equation,” says Herrod. As a result, “I think you’re going to see a drastic improvement in collaboration in the C-levels.” For example, she says, she knows of one mid-size public company located in Florida that discovered it had a SOX compliance problem last year. “It learned a lot of painful lessons, and was trying to hire somebody specifically dedicated to IT compliance, under the auspices of the chief operating officer, with a dotted line to the CEO.”

by Mathew Schwartz, 8/29/2006, read more

According to critics, the Sarbanes-Oxley Act has caused a litany of ills: Executives are retiring early, public companies are going private, foreign firms are listing abroad and U.S. firms are losing their competitive edge. The sweeping law, written in the wake of the Enron scandal, has served as a scapegoat for all the evils facing corporate America since it was passed in 2002.

Starting Saturday, however, the law's foes will have one less reason to complain. Foreign companies listed on U.S. exchanges must start complying with Sarbanes-Oxley beginning with fiscal years ending after July 15, if their market capitalization exceeds $75 million. Toyota Motor (nyse: TM - news - people ), Sony (nyse: SNE - news - people ), HSBC (nyse: HBC - news - people ), BP (nyse: BP - news - people ) and hundreds of other companies that previously escaped the law will now be forced to comply. That's good news for U.S. companies, which can now compete on a more level playing field.

But many European firms are chafing at the new requirements, and 17% would consider delisting to escape the law, according to a survey by Mazars, a Paris-based auditing firm. Only 43% of European companies think the law's benefits will outweigh its costs.

Latin American and Asian firms are more receptive. More than 72% of Asian respondents and 81% of Latin Americans think the benefits will exceed the cost, and none would consider delisting. That's because companies in developing economies "are willing to do anything to achieve credibility with U.S. investors," says Louis Osmont, a partner with Mazars.

By contrast, Europe has been experiencing an outbreak of Sarbanes-Oxley panic. As exchanges merge and more trading moves online, it's not always clear who should have regulatory power. The head of Britain's Financial Services Authority, Callum McCarthy, ignited controversy in June when he suggested that British firms might be subject to U.S. regulation if Nasdaq acquired the London Stock Exchange.

The New York-based exchange has built a 25% ownership stake in its British rival. "That has just sent a shiver down the collective spine of Europe," says Jim Kim, editor of FierceSarbox.com. "European companies, especially, really are just chafing at the mere prospect that they will someday have to comply with Sarbanes-Oxley."

For those companies listed in the U.S., however, the threat is already real. Most foreign firms have fiscal years ending Dec. 31, and they don't have to submit their compliance reports for another six months after that. Nevertheless, preparation began two years ago at many companies, according to Robert Lipstein, a partner at auditing firm KPMG.

But others haven't even started the compliance process, according to Trent Gazzaway, managing partner for corporate governance at Grant Thornton, an accounting and audit firm. Some are hoping it will "go away," he says. Others are procrastinating. "Just like many regulations, there are a lot of people who wait for the last minute to do it," Gazzaway says.

Companies in denial may end up with more pain and less gain. The process is more expensive and cumbersome when completed in a time crunch, Gazzaway says.

Foreign companies have an advantage, however. Thousands of American firms have already gone through the process and learned from their mistakes. "The foreign companies are probably overall in better shape than U.S. companies were two years ago when they were going through it," says Scott Taub, acting chief accountant at the U.S. Securities and Exchange Commission. "That's not to say they like it."

Source Forbes

The Basel II Capital Accord and Sarbanes-Oxley have brought regulatory concerns over operating risk to the top of the corporate agenda. While different geographies adopt disparate legislation, international organisations have been addressing compliance.

The Sarbanes-Oxley Act brings significant change to American federal securities laws and organisations are under tremendous pressure to meet its rigorous requirements. Managements must now audit the effectiveness of internal financial controls and certify proper backup procedures. The complexity of enterprise data protection and the continued explosion in information has made this difficult. Companies should assess data policies and performance immediately to start evolving towards best practice.

Basel II was devised to set a new global standard for financial institutions to measure risk and allocate capital. The new, stricter regulations have left some unsure of how to store data and exactly what to keep in order to comply.
Twin compliance is a widespread issue, as is whether these two operational mandates are in conflict. Although both require a common framework and governance model, Sarbanes-Oxley applies to all US public corporations, while Basel II covers financial institutions in over 100 countries. Sarbanes-Oxley aims to restore investor confidence by addressing issues such as financial reporting and conflicts of interest. Under Basel II, financial institutions must manage operational risk in order to reduce capital reserves.

In effect, Sarbanes-Oxley and Basel II are complimentary, not competitive mandates. However, there is real competition in the cost and prioritisation of resources necessary for financial institutions to meet the compliance guidelines. Some aspects of Sarbox continue to cause headaches and has caused many companies delayed quarterly filings.

The impact that building a compliant organisation has on people and processes is often underestimated. The operational impacts touch virtually every department, with technology staff bearing the brunt of the changes. When our company is involved early in data protection compliance process we can minimise disruption, create broad visibility and establish a smooth path to compliance.

Since Sarbanes-Oxley we have seen an increased demand to measure service level agreements and we anticipate their growth in importance for organisations preparing for Basel II. While expensive and time consuming, new regulations have prodded organisations into improving their core business processes and developing greater efficiency in their data management, security and protection procedures. They may well find it has also helped them become more profitable in the long-run.

COMPANIES around the world are complaining about the costs and headaches of compliance, but Ernst & Young's global chief Jim Turley says it has turned investors into winners.

Mr Turley, the accounting firm's global chairman and chief executive, said the boom markets of the post-Enron era were in part the result of greater investor confidence.

And that was because regulators around the world had introduced tougher compliance regimes.

"We have come through a cycle where the public outcry over the scandals of four or five years ago drove increased focus on compliance," Mr Turley said.

"And if you look at the recovery of financial markets, there are a lot of different reasons why financial indices are near all-time highs, and M&A volumes are very high. But notwithstanding global security threats and higher energy costs, economies are very strong.

"Part of that is the confidence that comes from compliance."

"What you hear investors say is that it's our money being spent on compliance, not the company's money, and on balance we think it's being spent wisely and our interests are being protected."

However, Mr Turley, who is visiting Australia this week, acknowledged that the increased focus on compliance had also created companies that saw corporate governance as a matter of ticking boxes.

One example, he said, was the agonising over the increased workload for audit committees.

Five years ago these committees might have met four or five times a year, with each meeting running to no more than an hour. Now they were meeting 12 times a year and meetings were running up to five hours, he said.

"There is a lot of discussion about quantity and there is not enough discussion of the quality of the dialogue that's taking place and the quality of the oversight and diligence and effort.

"Without question, there is some sort of tick-the-box thinking that's taking place and red tape that is involved."

Mr Turley said Sarbanes-Oxley had helped transform the culture of many US companies.

Critics of the legislation claim that the tough audit rules are crippling American business, but Mr Turley is not buying into the debate.

"Our view is we are going to to try and implement whatever the requirements are. It's not our job to write it, it's our job to faithfully apply the rules. But … there have been positive cultural aspects coming out of it."

Accountants have also been the winners from tougher compliance and audit rules. Audit fees have soared, and accounting firms have been cashing in.

But Mr Turley said that was the cost of greater investor protection. "There's no question that the level of effort has gone up. Partly, that's because of the demand from investors for more risk protection. We have greatly increased demand for our services the world over, and that has resulted in more costs for clients."

Leon Gettler, August 25, 2006 / source it business edge

is now available for download as a PDF. This report describes the new ITIL structure, governance and plans, and lists the content of the five core guides which are based on the new ITIL life stages model of IT Service Management.

Yesterday, 21 june 2006 a new organisation Business Rules Platform was launched in the Netherlands. It aims to be an independent platform to share ideas and to foster knowledge about Business Rules Management (BRM).

More information on: www.brplatform.org