Does your board have IT expertise at the table?

“IT governance is the responsibility of the board of directors and executive management. It is an integral part of enterprise governance and consists of the leadership and organizational structures and processes that ensure that the organization’s IT sustains and extends the organization’s strategies and objectives.”

 "Board Briefing on IT Governance" second edition 2003:

Board members need diverse skills and expertise in many areas - and that includes information technology and IT governance. 

Essentially, boards are as accountable for IT and the associated strategic risks as they are for finance and legal compliance issues. Governance starts at the top and the board should provide the leadership and oversight in setting strategy, managing risks, delivering value, and measuring performance.

Technology is ubiquitous in organizations, and because Information Technology affects every area of an organization, boards need to review how critical IT is for the delivery of their company's strategy.

One of my goals as an IT professional is to increase the awareness of IT governance at the executive and board level.  

Exit Excel Hell - Part 2

In my previous 'Exit Excel Hell - Part 1' blog I started talking about how sending all those Excel attachments is a misuse of the email system. Other problems also exist. When you ask staff to update a spreadsheet and email it back to you, how do you incorporate multiple staff input changes? Doing that manually just creates an opening for errors. You might be surprised at the number of copies of a given spreadsheet in an organization. Which is the most recent and correct version? And, what happens to a spreadsheet that is used annually and is dusted off each year: does the creator and/or user relearn the contents and how it is used? Old spreadsheets are breeding grounds for errors because people will automatically assume it was correct. Or for that matter, if a user builds onto a spreadsheet that someone else developed, they often have to reverse engineer it to truly understand it. Furthermore, as Excel users become more sophisticated, their spreadsheets get more complicated and they start using external links and hidden references creating even more risk.

 

Well, how can this proliferation of spreadsheets be controlled and what other controls can be used for spreadsheets?

My first preference is, obviously, not to use a spreadsheet. But if you must, and if it is to be shared by multiple staff, it should be in a repository (or an Electronic Document Management System) where only one person can check the spreadsheet in or out to modify it at a given time.

Another control feature you can use is to put a password on a spreadsheet or part of a spreadsheet so someone can change or access only certain cells. In addition, important and complex spreadsheets should be documented. How would you document a spreadsheet?

There are several ways. The first is to use named cells wherever practical. For example, when calculating revenue, the most popular way is to multiply two cells — for example, F12=N12*P12. But why not define columns N & P and name them Cost and Quantity so column F becomes Revenue=Cost*Quantity. The formula itself becomes more descriptive and understandable to anyone looking at the spreadsheet. You can also insert comments in the cells to help explain the reason for your calculation or process. You can embed instructions right into the cells themselves, or create an external documentation manual, or even create a spreadsheet tab call 'Instructions'. You could maintain a revision history in which each person who makes a change to the spreadsheet logs what they did and when.

Some companies, when they have important spreadsheets, will follow a structured methodology similar to developing software. Some call it the Software Development Life Cycle (SDLC) which includes user requirements, design, development, testing, training, and so on. But unfortunately not many Excel users have formal SDLC training and they usually develop a spreadsheet in more of an ad-hoc fashion.

When you have an important memo or communication to send to a lot of people do you have someone else look at it before it is sent out? I do. I want someone else to give it a once-over. I want to make sure the message I’m trying to communicate is free of grammar and spelling errors, but also I want see how someone else interprets my message.

That same concept is exactly what should happen with Excel spreadsheets. Someone, other than the creator, should be auditing and verifying the spreadsheet. It’s too easy for those of us who create the spreadsheet to become so close to give it a truly objective look. You’re unlikely to find all your own mistakes. This is even more important for monthly, quarterly or year-end financial statements which are so often rushed.

Ideally, if it is a financial report, have the report come directly from the financial system. With the flexibility and options in report writing these days, you can even get a nicely formatted report. If the report, which can be run anytime, comes from a single official corporate source, there is far less chance of error than re-entering the summary data into some spreadsheet report.  If you must use Excel for financial reporting or some other corporate reporting function, consider having your IT department develop scripts to automatically query the corporate database and deposit the data in the spreadsheet (Excel can do SQL queries to a database). This will at least avoid transcription data entry errors. 

Spreadsheets provide a great analyzing tool. Personally I think spreadsheets are great for individuals to do their job, but I try to categorize spreadsheets two ways. It’s either for personal job working purposes or for corporate use (i.e. many staff use it). By that I mean when that person leaves the company, their files, and I refer to Excel files in this instance, should be thrown out, deleted along with all the other files in his/her data directory. If it is a corporate Excel file that should be kept, it should be documented and kept in a location other than the employee’s data directory.

Any file that is used by more than one staff member should be in a department or corporate directory or an Enterprise Document Management System (EDMS) or an Enterprise Content Management System. When a person leaves, the supervisor or manager can quickly look at files in that employee’s data directory to see if any might be useful to the next incumbent in that role, but for the most part, good file management procedures should include deleting the personal directory of staff members when they leave the organization.

Enterprise Content Management System, or ECM as it is commonly referred to, is a formal way of storing and organizing corporate documents or other content in a central repository. I will tackle ECM in another blog.

IT Matters

Boards naturally expect management to optimize IT efficiency and deliver projects on time and on budget. But sometimes the CEO and the senior management team don’t have IT knowledge or experience. Their comfort level - and knowledge - is limited, so they will abdicate IT governance to the CIO, CFO or IT Director.

Why? Sometimes the CEO really doesn’t understand the technical aspects of IT, and secondly, many CEOs trust their staff completely in this area.

How IT decisions get made should not be about trust; it is more about teamwork, and executives and board members need to be part of the team.

So why aren’t they?
 

A lot of reasons. Executives and boards haven’t involved themselves in IT governance because they think IT requires more technical insight in order to understand how it can help the company. Or they see IT as too complex. Or IT has been set up within the organization as a department separate from the business itself. Whatever the reasons, organizations really should not let ‘technical literacy’ be a roadblock, good IT oversight requires governance skills, not technical skills.

Many CEOs tend to be in that boat where they’ve delegated the technology oversight to their CIO or CFO mainly because I don’t feel technically up to speed. After all, they’re the experts. The CEO thinks he/she doesn’t have to be, and many CEOs don’t plan to spend the time to get technical.

The reality is you don’t need to be technical to understand IT governance. It is a governance process, and Board members and CEOs certainly understand governance. CIOs still deal with all the technical aspects, but good governance focuses on the business, creating integration of business and IT and creating value. Boards and CEOs need to get involved because IT does matter.

What do you think the CEO should know about IT?

Have you ever wondered why there is a disconnect between IT and business in many organizations? Does it start at the top?  

Regardless of your position in any organization, can you explain how IT decisions get made?

Some business articles allude to a poor relationship between IT and other departments being a function of poor management.  Would this gap disappear if the C-suite had a better understanding of Information Technology?

What do you think the CEO or anyone at the C-suite should know about IT?  Here are my top items: 

• Clear understanding of how IT decisions should get made
• IT Governance
• How to integrate business and IT
• How to use the business case in IT and other divisions
• How project management methodologies for all divisions can make an organization more effective
• How data integrity is critical to the operation of the organization
• How to make the IT department's services efficient
• How to protect the organization from natural and man-made disasters 
• Why it's important to protect data
• Fundamental understanding of the cloud
• Basic understanding of big data and business intelligence
• Know that IT can be socially conscientious with green IT, and finally,
• How to undertake the development of an IT strategy

Recognizing that CxOs often don't understand IT as a starting point, I wanted to explore what the CxO should know about IT using a non-technical, easy-to-understand, conversational story. So have a read of the book The IT Chauffeur (Available at Amazon.com or at CreateSpace).