However, together with the good stuff, the less is more thinking is producing a host of dangerous practices and attitudes in some organizations. Theyre dangerous because, instead of being recognized as simply tactical responses, these ideas are acquiring the almost-noble status of accepted business practices, even theories. Very soon they will start producing pain in the organizations that are becoming addicted to them.
The first affliction is an attitude expressed as, We dont need a strategy; well respond when we need to . . .

Just-in-Time Strategy = No Strategic Capability

To be sure, the problem is not new. Years ago, I watched a CEO whose strategic motto was, Hang loose and be ready. For quite a few years, all was (relatively) welluntil the day when the company found itself in circumstances forcing it to make a major strategic change. Loose it was indeed, but what really stood out was how totally unprepared it was to respond.

The lesson: Even the best strategy that works today needs to be tested, retested, and most importantly, subjected to what-if scenarios. This has nothing to do with the assumption that a predictable path to the future can be extrapolated from the experience of the past or that strategic outcomes always can be predetermined. It is all about a steady practicing of strategic thinking that develops a human and organizational capacity, which in turn, becomes invaluable in times that call for a change. Our hang loose company sorely lacked such capacity when it was most needed.

The same is true of IT. While just-in-time thinking certainly is easier, fitting the current anti-technology mood and typically invoking less risk (at least in the short term), it also is a formula that drains IT of high-level skills to analyze, plan, adjust, and respond strategically.

Incrementalism

Another accepted approach that crept into many organizations is insistence that no project can last more than six months. A fine tactic to limit risk, I admit. However, in too many instances, it has developed into a limiting, even paralyzing device. It is one thing to embrace a strategy of radical incrementalism built on a notion of rapid waves of near-term initiatives linked by a shared view of strategic direction. It is quite another, as often happens, to limit ones view to six, or a maximum 12, months.

Properly used, incrementalism works, but some things, and especially the important ones, only can be done through large effort. Com-panies that do not practice large effort are unprepared methodically and mentally. As a result, they tend simply to shy away from anything that does not fit their smallish image.

That, for example, is the key reason so few carriers are ready to execute a major attack on replacing their legacy applications. They know they need to do it, but the risk associated with size and complexity of the task overwhelms and paralyzes them.
CIOs need to have a plan for conquering various phenomena associated with down cycles. That is absolutely essential so that, while moving temporarily at a slower pace, their organizations do not lose their ability to think and act strategically and do not succumb to small-scale and constrained thinking. Smart CIOs achieve that by persistently investing in a process that allows them not just to lead but govern.

The CIOs Weapon:
Good IT Governance

Of course, good IT governance is an effective tool to manage and control the IT risks that are so much more pronounced in times of low economic prosperity. But good governing is not just about effective controls but also, and foremost, about moving things forward. That is the context and scope of IT governance discussed here.

Management of IT assets is more and more important to the performance of most enterprises. A reliable, cost-effective, regulation-compliant, secure, and strategic IT portfolio is more critical today than ever before. The person or group owning IT governance must understand what the technology is and is not capable of. It is not the technical details that are critical but a feel for the two-way connection between strategy and IT.
Hence, IT governance must be looked upon as a vehicle that enforces enterprisewide communication and accountability. It must encourage and leverage the creativity of the entire enterprises brainpower while ensuring alignment with its vision and principles.

There is a growing acceptance of the critical role IT governance plays in delivering high performance in IT. In a 2003 survey conducted by ITGI and CobiT, more than 80 percent of IT managers recognized IT governance or some part thereof was required to resolve IT issues they were facing.

The stock market already assigns premium to companies with excellent corporate governance. There is little doubt a similar premium should be assigned for good IT governance. One MIT study estimates companies with good IT governance receive up to 40 percent greater return for the same IT investment.

IT Governance Defined

First and foremost, IT governance defines a framework for rights and accountabilities related to making IT decisions. Second, it dictates desirable behaviors in the context of using IT resources.
Within such a framework, good IT governance addresses at least four key areas of IT decisions:

IT principles
IT investments
IT architecture
Business solutions

Within each area of IT governance, a set of guiding rules for collaborative decision-making among corporate, the business unit, and IT management needs to be agreed upon. Although the rule patterns vary from company to company, there usually is one predominant variant that fits each area best.

IT principles set the strategic role for IT, including issues such as structure, strategy alignment, culture, mission, values, norms, and balance of business-unit autonomy vs. commonality. The principles provide a practical guidance on how to use IT. Some may be non-negotiable, e.g., The corporate interests and needs come first when introducing and exploiting technology or when contracting with suppliers. Developing these principles is best done by a relatively intimate, small group of business and IT senior executives, for example, the CEO and CIO.

Decisions concerning IT investments and priorities require a larger forum. This is an area where the CIO has to interact with most, if not all, senior business executives. Some decisions, as for example, How much to spend on IT? crucially require not just input but a leading role from the very top (see CIO Chronicles: If I Were a CEO, July 2004, for a more detailed discussion of this topic).

IT architecture is the most difficult nut to crack. Most CIOs understand well the critical role IT architecture plays in creating a cost-effective technology environment able to respond rapidly to business changes. Very few, however, know how to communicate that criticality to their CXOs. Even when they do, the arcane language used to describe architectural issues guarantees to make the eyes of chief executives glaze over. Unfortunately, I can offer no magical solution. Still, I do encourage CIOs to keep placing the issues of IT architectures on the executive meetings agendas. The key reasons are twofold. First, to fight a widespread unawareness of the fact the endemic inflexibility and slow response of IT chiefly is caused by the rigidity of current technology architectures (and not laziness or ineptitude of programmers, for example). Second, to increase awareness that such a poor state of affairs only can be improved through a planned, strategic (i.e., not business-case-driven) investment in architectural upgrades. The goal is to instill a high degree of confidence and trust among business managers that IT can and should take an unqualified lead in making architecture (including infrastructure) decisions. Per-sonal leadership of CIOs on this issue is absolutely essential.

In contrast, decisions concerning business solutions usually should be governed collectively by business and IT units. The only variation is the degree of weight each group carries. It should be noted recent years brought a strong and visible shift toward placing responsibility for business applications in the hands of business people.

Contrarily, in a recent survey conducted by the Insurance Technology Group among midsize P&C carriers, only one company reported an operating model where business was chiefly responsible for business applications. In more than 85 percent of situations, the responsibility remained primarily in the hands of IT. Either the P&C industry knows better, or it needs to pull up its socks.

, a former CIO of Zurich Financial and Pitney Bowes, is a co-founder and managing director of the Insurance Technology Group (www.insurancetg.com). He can be reached at 416-214-3445 or [email protected].

CIO Chronicles is a regular feature in Tech Decisions and focuses on issues of concern to midmarket insurers. Its content is the responsibility of the author. Views and opinions in this article are those of the author and do not necessarily represent those of Tech Decisions.