Technology is complex and it is quite a task to manage it effectively. With the technology advances happening at regular intervals, and the changes taking place in the environment in which the business operates, the work of the CIO has become more challenging than ever before. Whereas on one hand the competition gets tougher with business expecting more out of IT, on the other hand, technology changes make many of the current components redundant or need upgrades. Not responding to a change exposes the organization to the danger of a business competitor taking a step ahead with new technologies.
Now how would the CIO deal with these challenges? He can either learn and equip himself with new knowledge and put it to work, or he can seek external help. Consultants are often hired for specific requirements and they leave after completing them, but the CIO often needs an agency that can feed him with the latest information and expert advice on various matters pertaining to technology and its application. It was perhaps to fill this gap that IT research bodies came on the scene to serve organizations with their research findings and expert opinion on members’ queries. The more popular research agencies include Gartner Group, Forrester, Aberdeen Group, etc. Many organizations worldwide have been using them and extracting value.
Why should the CIO engage with them
The requirement for their services arises only if the organization that we work for is serious about technology application and has big plans to leverage IT. If we have large projects on the anvil and face the challenge of choosing between various technologies and vendors, it may be good to have the support of IT research organizations that can give us valuable inputs.
Do CIOs resist them
I believe they do in some cases. Sometimes it is the feeling that they are intelligent enough to assess various technologies themselves or that they could seek references from fellow CIOs in the industry. At other times CIOs feel they will dilute their importance in their organizations having positioned themselves as IT experts. They may not be wrong at all times but in some cases it is their own interest that takes precedence over organizational interest. So this needs a proper assessment.
How to use these agencies
When organizations hire them they pay a handsome fee for such services. There may be various levels of service offered, each with its own fee structure. Though some organizations may flaunt such an association as a status flag, they still have to extract value for the fee they pay. I have used them in the past and was able to get sufficient help to justify the hiring, and was therefore able to renew the contract and also upgrade the level of engagement. Let us look at a few ways to utilize such services:
Use their research database: Usually these agencies have several analysts who conduct research on a regular basis and publish such papers for limited viewing. As a subscriber, we can access relevant research notes from their large database and contents of these papers are usually rich and not found in normal publications.
Raising a specific query: Services of their experts can be availed of by raising a specific query either through a mail or we can ask for a telephonic conversation with the expert. If our questions are precise, the answers will be clear and can help us in our decision making process.
Seminars: Seminars are usually held at periodic intervals and though participation requires paying a fee, it is complimentary for subscribers. These provide opportunities for a face-to-face meeting with some of the experts. I have found these meets very useful and I often felt that experiencing one such event was equivalent to attending a dozen usual vendor-led seminars.
Industry meets: Subscription models may include a proactive engagement by these agencies, i.e. their experts coming for these meets to discuss with you specific issues of your organization and to offer advice. They may also arrange for a meeting of your peers from the industry segment so that specific issues of that sector are the focus of the discussion.
Help in vendor negotiation: As the research agencies have in-depth information on vendors and their product sales throughout the world, they can assist us regarding the likely price points at which our deal can be closed. There are various models of this assistance, but some savings are achievable.
Help in seeking approvals from the management: Expert opinion given by these agencies becomes very handy when seeking management approvals for our projects. Managements usually give credence to the endorsement from these agencies.
Many people often get deterred by the huge fees that they have to pay; but I believe, if we really require and avail of such services, it is possible for us to extract value that is greater than the amount incurred.
With increasing complexities of business and with additional load in terms of the assignments to be completed, the CIO looks for some external help to see him through these difficult periods. This external assistance comes from experts in specific areas and they fill in the knowledge and skill gap that the organization has. We term them as consultants and hire them to help us achieve the objectives that we have set for ourselves.
Consultants fill in to help us in the areas of redefining IT architecture or business process improvement or recommending solutions for various business issues or as implementation partners, software developers, security consultants, etc. These consultants play a stellar part in our quest for success and therefore they have to be used well.
Having been a consultant myself, I have seen the story from the other side. I often completed assignments successfully and got sign-off from the client, but when I visited them later I would find my report lying on a shelf, gathering dust. Though unhappy with the situation, I did learn a lesson: the consultants are not always at fault; a lot depends on the customer organization and its resolve to get the best out of the consultant. So when I got into a CIO role, I decided to practice what I preached. Let me put down a few factors that I learnt were important:
Selection: It is very important to have the right person or organization to help us succeed in our objectives. The evaluation process must be adequate to assess relative strengths and capabilities, and important stakeholders in the organization should be involved in the decision making. In some cases the procurement department gets into the picture and influences selection based on the ‘lowest cost’ parameter. This is where many organizations go wrong.
Proper brief to the consultant: The start is of great significance. Right at the beginning we must give a complete background of the assignment, the stated objectives and expectations, and get the key people in the organization involved in the project. This sets the consultant on the right path and his work proceeds towards the objectives as defined. The consultant’s understanding of the organization and its people gets a firmer footing and he understands the underlying forces that he may have to steer clear of.
Working with the consultant: There is always a tendency to leave the work to the consultant and expect him to deliver. This, at times, can boomerang on us. It is therefore advisable to interact with the consultant at regular intervals, both formally and informally. This helps in two ways: first, it motivates him since it conveys that we are serious about the work, and second, it helps us correct him in case he has gone off track.
Regular monitoring: It is important to have a proper monitoring or review mechanism. It is ultimately our responsibility and therefore we need to keep a track of the progress and take suitable measures in case of a slip up. The matter can either be taken up sternly with the consultant or escalated within the organization for addressing it.
Read their final report, vet it and seek resolutions: Oftentimes the report submitted by the consultant is faithfully received and distributed to the people concerned. Since the project is over, it is business as usual and everyone forgets about the report and its findings. As we say proverbially, ‘the report gathers dust’. This, in my opinion, is criminal. We must take responsibility to see that the findings are implemented and report the matter to the higher-ups if action is ignored.
Take responsibility: In the ultimate analysis, it is the responsibility that we demonstrate which carries us through. It is easy to lead the normal life of a commoner and lament for the sad state of affairs. But it’s a difficult task to take lead in getting the work through and stamp the imprint of success. It is good to be different even if we have to take a difficult path.
I have so far talked about virtualization and possible benefits that arise from deploying it in our organizations. I have also spoken on this subject at various seminars and have been in conversations with my professional colleagues from various companies. However, to my finding, virtualization doesn’t take shape in many of the organizations and its introduction remains a challenge. Let us examine a few such cases.
- Insufficient understanding
Large organizations are usually aware of this solution, but I wish to refer to a host of small and medium organizations who remain untouched by this technology. I have met and discussed this subject with quite a few IT heads from these companies and find that though they have heard about this subject and understood a little bit, they still do not know enough to recommend and use it in their set-up. They take the safer route of adding a few more servers to take care of extra load and this is easy since it involves an incremental investment. It is best for such firms to retain an advisor who can help the management with a long term technology plan.
- Replacing old servers
The story at some of the larger companies is a bit different. Here we have IT heads who are better informed and well aware of the subject through interaction with various users and vendors at the seminars they attend. However, they hold themselves back, not knowing what to do with existing servers. They say that they need only, say, two servers and cannot do away with the other servers they have, and hence cannot invest in something much bigger.
I have often asked them when the time would come for them to replace all servers so that they can opt for virtualization; for they will always have servers of different vintage. I could persuade a couple of such organizations to start virtualization with new applications and move the older ones as and when the old servers age and become due for replacement. These organizations now look back and say clearly that they took the right decision.
- Not selecting the right implementation partner
Some CIOs get carried away pinning their confidence on the capabilities of the internal team, and thus try to do most of the tasks themselves. At other times the selection of the implementation partner is faulty and they appoint one who quotes less. This leads to an avoidable problem resulting in a failed implementation or a sub-optimal solution delivery. One needs to realize that the technology is complex and needs to be implemented well to derive clear benefits.
- Extracting full benefits of the technology
Implementation of virtualization requires adequate planning, with proper allocation of server resources to various applications in a manner that allows optimum use of resources while at the same time ensuring good performance for all jobs being run. People are often satisfied with some level of partitioning of the processor pool whereas more can be achieved. The technology also provides a good number of features which let us extract more out of the boxes we possess. For example, I know of many an organization that does not use features like cloning, dynamic allocation of the processor pool, resource management tools, mirroring of applications to enable fallback in case of failure of a processor, disaster recovery planning, etc. A vanilla implementation therefore gives us benefits, but only so much and no more.
I will conclude with my opinion that this technology is immensely useful and it is for us to make full use of its features to extract maximum benefits.
In my previous post, I tried to demystify server virtualization and made a case for considering this technology for use, as it helps optimize resources. For first-time users, doubts arise about its efficacy and its real benefit. Any IT investment proposal, such as one for virtualization, has to be supported with a cost-benefit analysis so that it is approved by business.
Benefits are real; I have experienced them. How much we gain will depend on the mileage that we extract from technology and our propensity to try and innovate. Let me explain various benefits that virtualization can bring in. Following are the key areas where we can see gains:
1. Better utilization of hardware resources:
You can subdivide the processor and assign more than one application to it. For instance, I have often run four different applications under different OSes, assigning them to a single processor. In the normal course, processors may be fully loaded or partially loaded, and therefore we have server resources that lie idle; when we count the total idle capacity across various servers, we may find a huge unutilized capacity. Since virtualization creates a pool, we can assign the desired resources to each application.
2. Minimum physical space required:
Since we utilize fewer servers the space requirement in the data center comes down drastically if servers are stacked in a rack. In these days when space is at a premium, virtualization comes as a boon to us.
3. Lower power consumption:
Since we use fewer servers, the consumption of power would be low despite the processors being loaded fully. That reduces the amount of heat generated by servers, and correspondingly the power consumed by air conditioning systems is also lower. In one of our recent implementations, we proved that the power consumption could be lowered by 40% with virtualization.
4. Lower investment (capex) on hardware:
Proper capacity planning could see a drastic reduction in the capital expenditure that we incur on buying servers. For instance, we had blade servers and by creating a pool across several blades we were able to use the available resources and thus set aside the investment proposal that was on my desk. In case we host our applications externally or use external resources, expenses would also come down.
5. Less maintenance overhead of IT:
Virtualization simplifies server management as the entire server farm can be managed through a single console. In addition, recurring expenses on AMC and other costs reduce.
6. Provision of resources on demand:
In a conventional environment, since we dedicate a server to each application, we are at our wit’s end when we have to make server resources available for any urgent requirement. In a virtualized environment, we can make additional resources available on demand from the pool we create. In addition, we can cater to a periodic demand (say month-end or year-end processing) by reducing the resource allocation to a non-critical application and making it available temporarily to the ERP or any mission-critical run.
7. Easier to do patch management and upgrade:
We used to create a clone of a server and apply patches to the original. If for some reason the new version did not run, we could revert to the old version within minutes. The same process applied to software version upgrades, and this was a great facility which made these tasks easier.
8. Disaster recovery planning:
Various features exist through which you can recover fast in case of any interruption due to hardware failure. The entire set of programs can be backed up on a different physical server and can be activated quickly.
How to convince the management
These benefits are ones that I was able to enjoy and once implemented we went about quantifying some of the benefits and demonstrating them to the management. The one question that I am often asked is: How did I justify the investment to the management at the time of taking approval?
I, of course, had problems in working out a cost-benefit analysis, and therefore took a different stand. I worked out figures showing the investment that we would otherwise make on additional servers if we did not go in for virtualization, that figure being much higher than the investment in virtualization. It worked and I got the required approvals.
Virtualization as a subject has been talked of for many years now, but it is only during the last few years that it has come into large-scale usage by many organizations and data centers. While large organizations have embraced this technology out of sheer necessity, many small and medium-sized organizations are still outside this ambit. So it makes sense to explain this technology solution and make it easy to understand.
In simple terms, virtualization is a method of running multiple independent virtual operating systems on a single physical computer. Let us say it is the masking of server resources from server users, including the number and identity of individual physical servers, processors, and operating systems. All server resources are put together as a pool from which each application or task draws out the resources it needs, thus making the application or the user believe that his task is running on a separate and dedicated server.
How this works is simple to understand. Virtual servers work through a middle layer called a ‘hypervisor’, which masks the servers from the users and takes over the task of allocating resources to each task from the server pool. To understand further let us consider the following statements:
* Virtualization enables us to combine servers from multiple generations into the same virtualized server pool.
* Virtualization allows a group of inefficient servers to be replaced with a smaller number of machines.
* Virtualization is software that allows a piece of hardware to run multiple operating system images at the same time.
In the conventional set-up, we keep on adding servers as we introduce more applications in the organization, and when the numbers grow very large it becomes unwieldy and difficult to manage. Further, every application consumes resources differently, leading to some servers being strained to the full while others have it easy with very little usage. This leads to sub-optimal utilization of server resources, which is undesirable. Adding to this is the difficulty of provisioning space to host several servers.
If you are thinking of implementing virtualization, I would recommend the following steps:
* Clearly assess the requirement of server resources over a three-year horizon, taking into account additional applications that are likely to be introduced, and the projected growth of the organization leading to a higher number of users and an increasing size of data to be processed.
* Evaluate and select virtualization software that is appropriate, given the current IT landscape and size of the set-up.
* Re-assess the hardware resources and plan new servers that would make use of this new environment.
* Choose an implementation partner who has adequate experience and expertise in the software selected.
* Work closely with the partner to work out an optimal design that best accommodates your applications.
A breakthrough technology?
I think it is. It is amazing how the researchers worked out a way to break the paradigm of considering the processor as indivisible and to create a mechanism by which the processor lends itself to manipulation. It is a wonderful solution to leverage and I hope most of us use it to make optimum use of our resources.
The job of a CIO is a tough one. He has to do quite a bit of juggling trying to balance the various demands that are made on him. He has to engage with the CEO and the board members to understand their visions and aspirations, has to deal with various functional heads to try and resolve cross-functional issues, has to face the music when end-users are in their element demanding more features and reports, has to handle some errant IT staff and also the technology vendors, who, at times, may play truant. There are days when he feels happy, having achieved some goals, but bemoans his fortune when he gets caught up with issues that seem never-ending.
Besieged by difficult situations, the CIO often looks lost and forlorn. He feels like hitting back at his detractors; he wishes to argue out points, to rebut objections raised by cynical users, or to escalate matters that he thinks needs attention of higher ups.
He however stops in his tracks fearing a conflict and the possibility of annoying some important functionary in the organization. He is wary of losing whatever cooperation he receives from the users and therefore settles for a compromise. He withdraws from his aggressive intentions and accepts whatever the situation provides him with. He feels sad and powerless and wishes someone rescues him from that situation.
He says that if it were not for the fear of losing his job, he would have been bolder and would have taken a few tough measures to deal with the situation. He may then seek another job but may end up in a similar situation and rue his luck again. But is that feeling of insecurity a valid predicament, or is it a perception of danger that the CIO lives with?
Possible measures to overcome this situation
There is, of course, no magic wand that can make the management and the end-users kneel before you or to listen to you without raising an eyebrow. So this is a battle that has to be faced head-on to win. We sometimes lose the battle even before it begins. By cultivating fears, we give up our efforts at resolution right in the beginning and do not even try to put up our views strongly.
It is good to be adventurous. I remember the situations when I feared the most but when I took up the case with a functional head, I was surprised to see a favorable reaction and it happened because he saw some sense in what I proposed. I have not known anyone losing his job for trying something good for the organization; so why harbor unknown fears? What if we attempt and fail – well, understand that the measure has not worked and seek another way out.
A CIO should clearly steer clear of political moves and alignments within the organization and take strength from his professional acumen. Seeking favors from the CEO or an influential senior may give some quick wins but may land him in trouble later with changing political alignments.
A CIO, like other managers, has to be employable at all times. He should therefore equip himself with contemporary knowledge and skills so that he stays effective and may also periodically assess himself in the job market to understand whether he is still relevant in the professional world. That is not to suggest that he can try a quick jump if he is not happy. It is only to give him a reassurance that he is a wanted professional and therefore does not have to live with the fear of losing his job.
We use many solutions in the form of software, whether they are the operating systems, databases, or application packages. Whenever we faced issues as users in the past we had only the vendors to fall back upon. While some were happy with the vendor-support, many others complained of poor response. Vendors, at the same time, were keen to expand their customer-base using the current customers as their spokespersons. This is perhaps what led to the creation of various users-groups.
In India, the early groups created were the Lotus Users Group, Ingres User Group, and a few others; later, many others followed including users of SAP, Oracle, Linux, etc.
Running of the user groups
In the early days, the initiative was taken by a handful of good user-organizations who desired a platform to exchange ideas on the use of various features in the products they used and to find solutions for problems they faced. It was natural for them to approach the vendor to help organize meetings. Vendors willingly agreed as they found it useful to meet their customers together; if one of their experts could address all of them and clarify their doubts, they would have built enough goodwill among the customers. Vendors would, in these cases, pick up the tab for hotel expenses, etc., and play host. Along with the experience-sharing by a few members and a clarification session, vendors would also come on stage to showcase their new offerings and make a case for upgrades and for customers to expand their footprint with more packages.
Situations changed; whenever some lead customer-representatives moved elsewhere, the whole movement took a dip and then the vendors took over the center stage. Slowly, many of these groups became vendor-led and some others faded away. Such a powerful medium for the users has often been allowed to slip away.
Vendor companies also hold their annual events, which are grand shows that attract good participation from users. For example, Sapphire, Oracle OpenWorld, Lotusphere, etc., are events that are completely led by vendors, and this may also have had a role in the weakening of the user movement.
What can be done
I strongly feel that a lack of leadership and an absence of participation amongst the user community have led to the weakening of the user movement. I have often seen a few strong personalities take the initiative and start the movement on a high note. Others do join them, though not as leaders or participants but as spectators. Since the community is not tightly bound through active participation, the departure of one or more of the leaders leads the movement astray. The working of the user group is sometimes not institutionalized through the creation of an executive committee, regular meetings, encouragement of users to share their experiences, and involvement of other members in evolving new ideas for the group. In the absence of strong user involvement, vendors start exercising greater influence and the sessions move toward product promotion and acquire a sales flavor.
I had the opportunity to head two user groups in the past and my experience was that as long as the initiators held the reins, the group worked very well; but as soon as the original team moved away, the second line did not take over. We were then guilty of not creating a second line by choosing some of the bright users and encouraging them to lead some initiatives.
We often talk of our IT strategy and its alignment with business. We may be right in our intentions, but we may perhaps have to examine whether we use these terms loosely and without fully understanding their import. We, of course, look good saying the right things and striking a good note with our peers, but a close look inwards may reveal our need to understand the subject better.
Let me, therefore, initiate a discussion on corporate strategy―our need to know and understand where the company is headed―and the alignment of IT with the corporate strategic goals (IT plans that seek to serve the organization’s strategy).
Understanding business strategy
Business strategy is the direction that a company adopts over the long-term, a move which provides advantage to the organisation through its configuration of resources within a challenging environment, to meet the needs of markets and to fulfil stakeholder expectations.
In other words, we have to first enquire, research and understand the company strategy by raising the following questions:
* Where is the business trying to get to in the long term? (The direction).
* Which are the markets / segments that the company is trying to compete in and what kind of activities are involved in such markets? (Markets and scope).
* What are the set of activities that business plans to take up in order to perform better than the competition in those markets? (Competitive advantage).
* What resources (skills, assets, finance, relationships, technical competence, facilities) are required in order to be able to compete? (Strategic resources).
* What external, environmental factors affect the business’s ability to compete? (Environment/ changes).
* What are the values and expectations of those who have power in and around the business? (Stakeholders).
Types of business strategies
Strategies exist at several levels in any organisation – ranging from the overall business (or group of businesses) through to individuals working in it.
* Corporate strategy is concerned with the overall purpose and scope of the business to meet stakeholder expectations.
* Business unit strategy is concerned more with how a business competes successfully in a particular market. It concerns strategic decisions about choice of products, meeting needs of customers, gaining advantage over competitors, exploiting or creating new opportunities etc.
* Operational strategy is concerned with how each part of the business is organised to deliver the corporate and business-unit level strategic direction. Operational strategy therefore focuses on issues of resources, processes, people etc.
Once the CIO understands these imperatives, it becomes easy for him to look at IT from the management’s point of view and shape IT offerings in such a way as to help the company win in the markets.
If the IT strategy is to be aligned with business strategy, it will have to reflect steps that help achieve the organisation’s defined priorities and goals. The IT strategy document, many a time, is worked out jointly by the CIO and some business heads.
Following are some of the elements of an IT strategy:
(1) Key business imperatives: A report on the main business issues that are sought to be addressed. For example, it could state matters like manufacturing strategy (production planning optimization, material availability, lower manufacturing costs), finance (cost control, lower working capital, budget control, etc.), or marketing and sales (order fulfilment, customer complaint redressal, marketing and sales analytics, etc.).
(2) Priority listing: Some issues may be more critical than others; therefore, a ranking of the applications in order of their importance.
(3) Time frame: Drawing out a broad time frame for their implementation.
(4) Assessment: A scan of the technology environment and a clear technology direction that is most appropriate for the company given the set of business requirements specified.
This may include:
a. The hardware landscape: This may include aspects such as movement towards consolidation of servers and storage, moving towards virtualization, building reliability, etc.
b. Software choices: Of moving in the direction of standard packages, putting in analytics, other specialized packages necessary.
c. Safety and security: Defining requirements and overall policy direction, indicating levels of protection necessary etc.
d. Outsourcing policy: Defining a direction either in the form of strategic outsourcing or selective outsourcing.
e. Taking stock: Resources necessary in the form of funds, people, training etc. for achieving the defined objectives.
(5) A set of deliverables and standards in the form of key performance indicators, which would help drive performance and ensure that the implementation stays on course.
IT strategy is usually drawn out for a period of five years or for a period that the organisation thinks is appropriate.
The IT strategy document, however, is not static and would undergo change if there is a change in the organisation’s strategies and goals, or when technology advancements cause a change in the direction we took earlier. This makes IT an integral part of the business, able to play an important role in making the business successful.
Continuing our discussions on ERP, the group of CIOs, who meet regularly to discuss issues of common interest, went on to debate the question: Who should ideally be the project manager (PM) for an ERP implementation? As is usual, different views were expressed; but surely, it was a refreshing debate. We got to know the views of others, and at the same time, we had an opportunity to examine the best available options.
I initiated the discussion citing a few issues that we had faced as CIOs in some of the implementations. People from the CIO assembly agreed that ERP implementation should not be termed an IT project but should have adequate business representation.
Amongst other requisites, the role of the project manager (PM) is critical for a successful run of the project. In most cases, it is the CIO who is one of the main initiators of the move towards ERP, and once it is approved, he is automatically assumed to be the one to take on the responsibility. The question posed, therefore, was whether this is the right move for organizations to make when starting an ERP project. Deliberations touched upon various points:
- Should the PM be from one of the business functions, say from finance, sales, operations, etc?
Though the general opinion favored such a move, there were apprehensions expressed about their inadequate exposure to IT and whether they would be able to understand, work out, or guide the team on aspects such as parameter configuration. There were no clear answers. The consensus, however, emerged on the point that selection of a project manager is a challenge since ERP covers more than one function.
- Is a manager from any specific function more suitable for this role than others?
Each of the functions was examined, but the larger view veered towards the ‘finance’ function. Participants felt that since finance plays a controlling role, is in charge of compliance, reports to the Board on results, and since the organization’s performance finally boils down to financial figures, there could be nothing better than a finance manager being on board as the ‘project lead’.
Surprisingly, people did not talk of the organization's strategies, the goals of the business, or the need for transformation and business process improvement, all of which point towards a business view of the project and the need to go beyond the limited worldview of the finance function. I think we have to grow up to view issues from the management angle.
- Is the CIO the best bet?
Well, you bet, the CIOs think so! They say the CIO is the only executive in the company who has an overview of the business processes across the organization since he is involved in automating them. They further say that a CIO is neutral and not function-specific in his approach, and therefore, has an edge over any other functionary. He also has an in-depth knowledge of hardware requirements, software functioning, and networks and therefore can manage the entire project better than any other functional manager. They feel that an IT head with a business understanding is an ideal choice for the Project Manager. A few questions however remain unanswered.
Need for a balance
But is knowledge of business processes adequate to bring about fundamental changes to those processes, and is it equivalent to understanding the business? While we may say that the CIO is neutral, his technical orientation could lend a bias which may not be desirable. Knowing IT may not be an essential qualification for a project manager, as the PM has the overall responsibility of ensuring the success of the project.
Again here was a situation where CIOs were keen on holding on to their turf and not willing to let others play this role.
In my opinion, CIOs have to take a broader view and consider the matter from the organization’s perspective. The purpose of the ERP project should be to serve the business, and therefore, the project should be led by the person who is most suited to bring about the desired transformation to the business using ERP. The community, therefore, would have to move a little higher in terms of thinking and focus on the business benefits that he can bring about.
Governance, risk, and compliance or ‘GRC’ is an increasingly recognized term these days and widely talked about and discussed at various forums. GRC reflects a new way in which organizations are adopting an integrated approach to these important aspects of their business.
GRC is the umbrella term covering an organization’s approach across these three areas. Being closely related concerns, governance, risk, and compliance activities are increasingly being integrated and aligned—to some extent—to avoid conflicts, wasteful overlaps, and gaps. It is expected that companies would follow certain norms of governance, ensure that they have the right processes to recognize business risks and their mitigation and that they conform to the laws of the land.
As managements try to address these issues, the CIO has a fiduciary responsibility to assist the management in its efforts to address GRC issues. Let us understand each of the elements of GRC.
Governance describes the overall management approach through which senior executives direct and control the entire organization, using a combination of management control structures and the right management practices. One of the requirements of governance is that critical management information reaches the executive team in a form that is adequate, accurate, and timely, to enable appropriate management decision making. It also involves providing the control mechanisms to ensure that strategies, directions, and instructions from management are carried out systematically and effectively.
So the CIO has his role cut out; he has to proactively provide the required support to the management through robust information and control systems. IT systems should also facilitate maintenance of documentation of various transactions, approvals, record of critical business discussions, decisions, etc.
Risk management is the set of processes through which management identifies, analyzes, and where necessary, responds appropriately to risks that might adversely affect realization of the organization’s business objectives.
The first need, therefore, is to do a risk assessment and identify all possible risks that the company could be exposed to. The next step is to analyze those situations and determine criticality of the risks and their possible impact on the organization.
Once the risks are analyzed, the company has to define measures that it can take to contain any adverse fallout. The response to risks typically depends on their perceived gravity, and involves controlling, avoiding, accepting, or transferring them to a third party.
It then becomes the duty of the CIO to introduce policies and technologies for risk coverage and mitigation. He has to cover the risk of hacking by external users, institute measures for user authorization and access control, ensure the safety of data through regular backups, implement disaster recovery and business continuity plans, conduct user education sessions, etc.
Compliance means conforming to the stated requirements. At an organizational level, it is achieved through management processes which identify the applicable requirements (defined, for example, in laws, regulations, contracts, strategies, and policies), those which assess the state of compliance, and the ones that assess the risks and potential costs of non-compliance against the projected expenses to achieve compliance. It also involves defining management processes that can prioritize, fund, and initiate any corrective actions deemed necessary.
Here, the CIO has to be in touch with the company secretary, the legal head, or the concerned departments to make a list of the various statutory requirements that the company is required to comply with. He needs to facilitate the creation of a facility to record those requirements, remind people of due dates, help monitor compliance, and help create a report on the status.
Various software packages are available that help meet these requirements, including those from leading ERP vendors, software majors, and many other small firms that create such specialized tools.
A 360-degree approach
GRC, therefore, is a holistic view of issues that the managements of companies are obliged to address. In my opinion, a CIO can play a significant role in helping his organization meet its obligations. Since most documents and processes reside on IT systems, it becomes incumbent on the CIO to ensure that all requirements are taken care of. Here is an opportunity therefore for the CIO to fill this space and rise to be an executive of significance.