Governing IT Decisions: Who’s in Charge?

No longer can IT departments operate in a vacuum, attempting to second-guess what applications the business needs. The business needs to guide IT decisions, say industry experts, especially in an era when the insurance industry relies on IT to manage everything from new applications to claims processing.

Effective IT governance, driven by decision-makers outside of IT and from across the business, provides guidance to IT as to what projects are most critical and what ones are not. IT governance helps IT avoid making decisions inside of a black box, says Jeff Goldberg, senior analyst at Celent, Boston. In many cases IT has unilaterally made major systems decisions without thinking about the business implications, such as the purchase of a content management system, he says. As a result, “multiple IT projects end up competing with each other for scarce IT resources.”

Not that some businesses didn’t intentionally want things this way. “In many organizations, the business leaders like to push off decisions to IT so they’re not really accountable for an IT project going poorly,” Goldberg explains. “They get to complain when things aren’t going the way they want, but they’re not necessarily taking ownership of new projects.”

As a result of such costly miscommunications and lack of accountability, insurance companies are starting to recognize that IT decisions need to be driven more by the business itself than the IT department. A recent survey by the IT Governance Institute (ITGI), Rolling Meadows, Ill., for example, finds that 71% of 749 executives surveyed say they now have IT budgets and plans reviewed by a board. About 68% report that business management in their companies participates to some degree in IT governance. However, in most cases, says ITGI, most of these initiatives are led by IT, and non-IT executives still tend to play more of a peripheral role, versus directly driving decisions around IT expenditures and projects.

Typically, a board or steering committee—consisting of executives from across the business, along with the CIO or top IT executive—directs IT governance. Projects of a certain budget or magnitude are approved and prioritized by this group. Smaller, routine projects, such as software patches, are usually part of a regular IT maintenance cycle, and would not require the input of a governance board.

The inherent advantage of IT governance is that “it requires IT leaders to understand the business behind what they’re trying to do, and it requires business leaders to take ownership of technology decisions,” says Goldberg. “When done properly, IT governance will make IT projects much more successful, which means that you’re attending to truly important projects that have the highest priority, and you have support and finances behind them.”

GATED GOVERNANCE

At Columbus, Ga.-based AFLAC, IT governance has been baked into the executive culture—business line executives from the president on down are involved in decisions regarding technology implementations. The company recognized four years ago that it needed an enterprisewide governance approach to effectively leverage various technology initiatives across its business units.

AFLAC’s IT governance is led by a high-level steering committee, chaired by AFLAC’s U.S. president, says Brian Abeyta, VP of the IT project management office at AFLAC. At the next level is a “C-level” review board run by the company’s chief administration officer, CIO and chief accounting officer. Below that, for smaller projects, are project boards run by line-of-business VPs.

This three-tier corporate IT governance structure, in place for more than two years, has enabled AFLAC to better identify and move forward with initiatives that provide the most strategic value to the company. Previously, Abeyta says, IT staff resources were often consumed with projects that extended beyond their useful life.

Abeyta credits AFLAC’s “gated” governance process, in which proposed IT projects are required to pass through several layers of control gates to get sign-off from managers involved with or affected by the project. “Because our governance process is gated, we’ve been able to, in some cases, make decisions to stop working on a project if we have found, as an organization, that it’s not worth doing anymore,” he explains. “We’ve had some efforts on our roadmap that never actually made it to the approval process, because we determined they’re not worth pursuing. As a result, we saved ourselves from proposing projects that wouldn’t have the return on investment that we initially thought they would.”

Effective, business-driven governance helps AFLAC initiate and manage a wide range of new projects, launching up to 40 a year. “Sometimes the initiatives are top-down driven, but oftentimes they’re bottom-up as well,” Abeyta says. “We begin the year with a corporate-wide roadmap, so we have an idea going into the year what projects we will do during the course of that year. Even at that, the projects still need to go back up to the steering committee, because the executive may decide to pull a planned project, in lieu of another project that has just come to the surface. So we are nimble enough to make those changes and adapt to them throughout the year.”

DRIVING INSURANCE

Insurers in particular face an urgency to better govern the way their IT systems are launched and prioritized. The underlying complexity of today’s insurance systems—due to years of investment in large-scale systems—requires a highly coordinated approach to better leverage the technology behind new product offerings and operational initiatives.

“Insurance companies have many varied systems that manage their business,” says Scott Morrison, VP of product strategy and market development for Sircon Corp., Okemos, Mich. “These systems generally evolved over many years and are stitched together through various methods of integration.” Not only do today’s systems need to address back-end functions, but also pull in data from thousands of partners and agencies at the front end, Morrison adds.

Add to this the fact that insurance company operations tend to be more highly scrutinized than companies in other industries. The insurance industry “is highly regulated and one cannot forget the compliance component that also impacts this industry,” says Alex Bell, insurance industry partner at Blackwell Consulting Services in Chicago. “Because insurance companies have a fiduciary responsibility and operate a highly intensive transaction business, data is king. The ability to improve the operation and create new products is based on data. So, IT strategy must be aligned with the business strategy, after which to govern, companies have to set specific measures to track how the IT functions are impacting business goals.”

Typically, IT governance at insurance companies was driven more by finance departments than other business decision makers, relates Jim Hatch, chief tactical officer for Insurity, Hartford, Conn. “IT governance at insurance companies was a financial exercise focused on year-to-year growth in IT expenditures. It focused on discrete projects for business constituencies. For instance, ‘This year’s strategic IT focus will be claims; next year’s strategic IT focus will be policy administration.’ Governance was a matter of managing costs to budget and as a percentage of premium or revenue benchmarked against competitors,” he says.

Leading insurers, however, are now taking the concept of IT governance to a whole new level, recognizing that business leaders need to take an active role in IT decisions.

“Some far-thinking insurance companies are using IT strategically to drive change within their organization, achieve commonalities of process and approach among disparate affiliates and to get control at the corporate level of the parts and pieces that drive the entire enterprise’s success,” Hatch says. “They are using IT to address regulators’ concerns, correct fundamental weaknesses and exploit opportunities such as acquisitions. These carriers are walking the talk of using IT as a strategic weapon as opposed to the lip service they’ve been playing to that concept in the past with tactical administrative oriented IT projects.”

12 MARKETS

Like technology itself, governance comes in many flavors, and is based on different types of standards and approaches. The goals are typically the same, however—to increase communication and involvement by business units that benefit from the technology implementations. There is even a set of common best practices, Control Objectives for Information and related Technology (COBIT), designed to facilitate such intra-enterprise interaction. COBIT is intended to help provide managers, auditors and IT users with a set of measures, indicators, processes and best practices to assist with IT governance.

The ITGI survey finds that use of COBIT has doubled over the past three years, from 8% in 2005 to 16% this year. Awareness has grown to about 50% of the 749 executives surveyed.

Prudential Financial, Newark, N.J., recently implemented COBIT as the foundation of its IT governance framework across its far-flung Asian operations, Prudential Corp. According to a report from ITGI, various IT teams in each of the corporation’s 12 markets had already implemented a series of their own IT initiatives. However, Prudential Asia’s regional head of information technology Emmanuel Rodriguez recognized “it was time for Prudential to adopt a standardized IT governance framework across the region to cut repetition and build synergies.”

The greatest challenge with effective IT governance is that it requires leadership from non-technical business users, Rodriguez said. “IT governance can appear to be a boring subject to our colleagues in business operations, and without any background in IT, many of them may never understand it,” he told ITGI. “The last thing we want is to give our business and project managers the impression that IT governance is all about what they cannot do rather than what they can do. For this reason, we adopted COBIT as our framework because its language is so easy for non-specialists to understand, and it will enable our business colleagues to develop an interest to understand what doors IT governance can open for them.”

Prudential reported that its regional IT team “has already seen results in enhanced communications between IT and business operations, better responsiveness in project management as well as an improved environment for risk assessment for each of the corporation’s 12 market countries in Asia.”

As demonstrated by Prudential’s diversity across various markets, the diversity and size of today’s insurance companies require greater standardization of techniques and best practices to manage information technology. David Thomae, manager of program advisory services for Ernst & Young, New York, advises throwing the old models for IT governance out the window. “There’s a whole new governance dynamic,” he explains. “The types of IT programs today span multiple business units, business divisions and geographic borders. They are reaching other areas that, perhaps in the past, were not as IT-intensive as far as their kind of systems.”

Insurers tend to have distinct and separate lines of businesses within their walls, which means conflicting agendas—something an effective IT governance process can address. The fact that many insurance companies are run as separate organizations results in complicated scenarios, according to Celent’s Goldberg. “They usually have different policy administration systems, with different pieces to plug in. An organization could be paying for two $10 million policy administration systems. With a strong IT governance process, different people will have the opportunity speak up about these decisions.” While the business may ultimately decide it is in its best interest to maintain duplicate systems, the important thing is that the business—and not just IT—made the final decision, he adds.

Joe McKendrick is an author and consultant specializing in information technology, based in Doylestown, Pa.

(c) 2008 Insurance Networking News and SourceMedia, Inc. All Rights Reserved.

For reprint and licensing requests for this article, click here.
Policy adminstration
MORE FROM DIGITAL INSURANCE