The 6 Cs of Effective Governance

Nipun Sehgal knows the challenges of IT governance. For 15 years, he's been involved in managing enterprise software development projects — both internally and from the service provider side. He's worked at Quintant Corp. (bought by iGate), CoVia, Versant and Tata Unisys. And he's on a mission: to help you improve your ability to evaluate how well IT serves the demands of your business. He believes the key lies in better governance — better change control, better cohesion, better management insights, better sourcing decisions. To that end, in 2002 he founded Enlighta, which has software that automates aspects of governance. recently talked with him about the "6 Cs of effective governance."


First, can you define what governance means in the context of IT?

Nipun Sehgal:

Governance of IT has become the function through which business can ensure that IT is meeting its obligations to the business. So it's really a transformation of IT from a purely internal service provider to a function that really enables and transforms the business.

People who are struggling with this stuff say, "I need to provide executive insight. But how do I do it?" And it becomes, "OK, I've got these three SLAs with my provider. Who should I consider a depository for this data? If I want to know what happened five months back, should I be asking them, or should I be asking for the data and aggregating it in my own depository so that I can set up a baseline?" If you were made an outsourcing manager tomorrow for a large relationship, those are the kinds of challenges you'd end up facing.

What's the difference between IT management and IT governance?

IT management is the day-to-day operations and management of the IT resources and the IT services. IT governance is performed by IT or by representatives from the business unit so that the functions performed by IT are actually aligned with the business objectives — and with the strategy of the company. The analogy would be, you may set up a software development organization and you may have defined processes for change management and version control and so on. And it's only when you set up a separate governance organization or an audit committee, let's say, an ISO-9000 audit, that you can actually ensure those processes set up are being followed, and if they aren't being followed, what the gaps are, and what is being done by the organization to move toward reducing those gaps.

So how do we get there?

We have broken those [capabilities] down into what we call the six Cs of highly effective governance.

-> IDEA #1: CXO insight through metrics, dashboards, performance alerts and escalations.

The first C is to provide CXO-level insight… What are the right metrics we should be tracking, and how should those metrics be collected and reported to the right stakeholders? When you roll up metrics — operation metrics — for senior executives, they have to be aligned with the business context. An example. You may be measuring defect rates for an application where the function level has metrics which have to do with application development and management. But really the metric that makes sense to the executives may be much more to the level of satisfaction by the business users for an application or the uptime of an application.

So the first C of highly effective governance is the ability for senior executives to have that aggregate level insight into the outsourced services and then the ability to drill down into lower-level operation metrics from which the high level views may have been derived.

-> IDEA #2: Change management that goes beyond email, Excel and document management.

The second C is the ability to govern change. Change management becomes critical. You may strike relationships and over time those relationships change. In many outsourcing deals, for example, application management [engagements] are three to five years [long]. And over that period of time, you may have changes on the demand side. You may have many more people in the organization through acquisitions than what you had when you signed up, or you can have fewer. So change is a constant. Do you have the ability to review and change the contracts' terms, to review and change the service levels, to review operational processes that you may have agreed upon? In the case of outsourced application development, you may have fixed-price projects, but you know for sure there will be change over a long-term project. Do you have built-in mechanisms that allow for that change, to be estimated, to be scoped, and to be ruled out? I think that is critical… You have to assume there will be change. And then you build in the mechanisms for the change.

Change management may be periodic reviews you have built into your operational processes or your contract — the quarterly review of the service levels or the trends of service levels. Or you may have built-in provisions that allow you to change the price of the service if it goes beyond a certain band that you thought you would be in. And that may be based on increased demand or lowered demand.

Where you don't want to be stuck is with contracts that have a completely outdated set of assumptions about what the demand will be. And often over a two-year period, the price of the market changes. That has happened in data centers and in application development services, where an engineer may have been able to bill at $40 or $50 per hour, but in an offshore case it's come down as low as $15 or $18 per hour. That's a drastic change in the span of a few years.

-> IDEA #3: Consistent execution that encompasses processes for approvals, prioritization, escalations and reminders.

The third C is really consistency, the ability to set up a consistent set of processes that can actually be governed. Without consistency it's hard for you to build up a reputable mechanism for how to provision services, manage services, and put in place technology that translates into automation.

We're working with a very large service provider, and they had a 600-page operations manual. Every large engagement they're in is clearly supposed to follow those processes, but it's extremely hard for engagements to enforce or follow those processes consistently because it's not automated. There's no systems support for those processes. So they found that while everyone had that operations manual, only a fraction of the engagements were actually complying with those processes. That becomes the big challenge for an organization that claims to be CMM Level 3 or higher. [CMM] 3 says you define the processes, and 4 says you manage those processes, and 5 says you optimize those processes. If those processes are only defined on paper, then they can't be auditable and you can't collect a set of metrics that allow you to reach level four or level five. This really translates into — at worst — chaos in some projects because you're not following the processes or — at minimum — additional cost of keeping things on track.

-> IDEA #4: Compliance monitoring of SLAs, contracts and audits.

The fourth C is really compliance. We think governance and compliance can be broken down in multiple ways. One is, of course, compliance at the basic level, compliance with federal and industrial regulations. Many services, outsourced and otherwise, are now highly regulated. I would say the level of regulation has increased over the last seven years. And whether it is soft compliance or compliance with regulations in some industries, you have to make sure that you — as well as the service providers — are simply compliant.

The challenge that is associated with that is in outsourcing. You often have contracts and SLAs, that is, service level agreements specifying what service levels you need to be complying with if you're not going to be penalized. So compliance has to be defined, measured, monitored and reported. But beyond that, non-compliances have to be fixed — and it goes beyond regulations and SLAs.

Compliance also has to do with internal policies. You may have HR policies, security policies in IT, and those policies have to be enforced and measured. You may have policies that say if your service provider has access to data, then that data should be in a location that doesn't allow the processors to copy that data to a diskette and take it with them.

Software can play a certain role in that, for certain kinds of services — transactional services, services where metrics are captured from external systems. You can aggregate that data and track the compliance to the SLA on an ongoing basis. But you can also track non-contractual terms and conditions that may be important for that specific service. For example, you may have a certain skill set that you must maintain as a service provider. That would be something that can't be captured in a metric, but it is something which has to be periodically audited and captured.

-> IDEA #5: Connections and cohesiveness to keep analysts, developers, team leaders, business users, management, steering committees and external providers on the same wavelength.

The fifth C is cohesion — the ability to get cohesive and integrated systems. Often the challenge of governance is compounded when you have distributed teams, distributed stakeholders.

I'll just give you an example. We're working with a Fortune 50 organization, which has almost half its business running on SAP. It's a large global manufacturer. They were supposed to be documenting their processes and they went through a software audit recently. With almost half the business running on SAP, they have to show to the auditors that they have well documented processes and they follow those processes. When you have dozens and dozens of global teams in different locations with their own local databases, using email as the primary collaboration tool, with some custom-built access applications, it becomes extremely difficult for the organization to prove that a change requested by the business can actually be translated into changes that get deployed by IT into the SAP applications — or that changes which for some reason have problems get backed out and the business users know about it. It gets very difficult for the compliance with that to be enforced.

So I think a connected repository that actually ties in all the different policies, artifacts, processes, stakeholders into one system becomes critical for effective governance. Many organizations today actually don't have that.

And there are many examples where if you really don't have that, it also becomes challenging to do other aspects of management, such as effective global workload balancing and resource management.

-> IDEA #6: Capacity management, including work plans, monitoring of available capacity, tracking of budget variances and task assignments.

The last C is capacity and work-time management, which is really the ability for an organization to know, between the internal service providers and external service providers, for the work that is being requested, who has the capacity, who has the skill set and where work should be delivered.

A big challenge for organizations is what processes and which functions should be outsourced and to whom? Every functional head will think what they're doing for the organization is critical. Of course, for that function it may be critical, but it may not be critical to the organization.

I think that aspect — what you retain and what you outsource — is still something that organizations are grappling with. From a governance standpoint, if you don't have a model by which you approach these problems, it becomes very much silo-oriented. One organization or function head may have the propensity to outsource more and the other may not. But it may not have anything to do with how the organization should be doing it.

We think these things should be determined by a governance steering committee that has a model which looks at the internal health of that process, looks at the mission criticality of that process and looks at the other client objectives such as cost and other factors that come in. You may be doing a process very, very well internally; it may be mission-critical; but you may be doing it at a price that is four times more than what is available externally. So putting those things together and coming up with a model and saying that it will be these specific things that should be outsourced is a function of the governance team.

How do you encapsulate all of that, a lot of which can't necessarily be automated, into an application — like the software Enlighta sells?

The answer for governance is not a piece of software. The software is an enabling tool, much like CRM, which does not actually help you sell. You still have to go selling yourself. It enables you to sell, right, but it does not do the selling for you. Similarly, the software is not doing the governance for you; it is enabling effective governance.

For each of those items we went through, we provide a central depository through which global stakeholders can be on the same page because they're working on the same system. Consistent processes: We have a full automation engine that allows you to take your paper processes and automate them. Compliance monitoring: We allow process metrics to be captured as you are following your processes. We also enable external systems to feed their data into our system, allowing us to aggregate metrics and report them. Change management: We have built-in processes for changes to contracts, changes to scope. We understand that all those things can change, and we have ordered our processes to allow that to change. We have dashboards and scorecards for stakeholders and executives within the organization. Capacity and work management: We look at the workload and planned workload for internal and external service providers and help you make the right resourcing decisions. But we do not do the governance; we enable the governance.