Monday, December 01, 2003

SearchCIO.com | Six decisions IT people shouldn't make

Extract, courtesy SearchCIO.com

Six decisions IT people shouldn't make

By John Hogan, SearchCIO.com News Editor
01 Dec 2003 | SearchCIO.com





IT professionals don't expect business executives to reboot servers or write lines of code. Conversely, senior managers shouldn't burden IT executives with critical business decisions related to IT.

Collaboration is vital to a successful relationship between IT and the business side of an organization, but there are good reasons for leaving IT out of the final say on some key matters involving IT, said Jeanne Ross, a principal research scientist at the Center for Information Systems Research at MIT's Sloan School of Management.

At a recent Gartner Inc. Web services conference in Baltimore, Ross offered her take on "six decisions that IT shouldn't make." She said that the first three are strategic decisions that involve IT strategy. The second three are executive decisions that revolve around IT implementation and execution. To make her point, Ross used several real-world examples of the good, the bad and the ugly.

1. How much should an organization spend on IT?

This is the basic question that comes up in any discussion about IT, Ross said, and it's one that often gives CIOs and IT managers nightmares. "Clearly, this is not a decision IT wants to make on its own," she said.

It's also a premature question to ask until an organization decides what it hopes to get out of an IT project.

For example, FedEx is only two-thirds the size of rival shipping company UPS, and yet both profess to spend about $1 billion a year on IT. That doesn't mean FedEx spends too much or UPS spends too little, Ross said. It simply means that they have different priorities to achieve different business goals. The former bases its IT decisions around a business model of providing niche services -- at a premium, of course -- to its customers. The latter uses IT to create new business efficiencies that drive down costs.

2. Which business processes should get IT funds?

Once the first question is answered, the challenge becomes how to divvy up the IT budget. Ross said that because many organizations have far more IT project requests than they could possibly fund, decision gridlock becomes a problem. "What we found is that they end up not making any decisions and going for more than they can handle," she said.

An example is the case of Hershey Foods, which a few years ago tried to simultaneously implement ERP, CRM and supply chain management systems. What the candy giant ended up with was a crisis in which product deliveries were botched for the critical Halloween season.

The lesson here, Ross said, is that senior management needs to step in and decide what the organization's top IT priorities should be. "If we can't do everything, what can we do?" she said.

3. Which IT capabilities need to be company-wide?

It may seem like a great idea to have an IT system span the enterprise, but it's not always a good choice, Ross said. If IT makes this decision on its own, there's no guarantee that the business as a whole will benefit from it.

GTECH, a provider of lottery services to government agencies, has a strong incentive not to make a mistake about which IT systems to deploy across the business. Many of its government contracts stipulate that GTECH will pay customers $10,000 for every minute of lottery system downtime.

"That gives them a lot of motivation to spend a lot of money making sure they have no downtime," Ross said. "Most organizations don't have that same motivation."

4. How good do an organization's IT resources need to be?

When Dow Corning deployed an ERP system, business management demanded that there be no downtime. The IT organization said that through disaster-recovery planning and backup systems, that was entirely possible, but it would cost "an arm and a leg." Armed with that knowledge -- and two arms intact -- management was able to determine how much downtime it could realistically afford without having a negative impact on business operations. The answer? Four hours at a stretch.

5. What security and privacy risks will we accept?

Determining security and privacy risks is similar to determining levels of system reliability, Ross said. In this instance, however, it's a matter of both technology spending and expending time and effort to train users on policies and practices.

Last year, Yale University launched a Web site where applicants could enter their Social Security numbers and birth dates to find out whether they were among the lucky 10% to win acceptance. Unfortunately, since high school students often apply to several colleges, Ivy League rival Princeton had much of that data and beat some applicants to the punch. Fireworks graphics and a congratulatory greeting were displayed only the first time the site was accessed, so some accepted students thought they hadn't made the cut.

The resulting controversy was a privacy nightmare for Yale and an ethical fiasco for Princeton, which suspended an admissions official over the incident.

"This was a case of senior management -- or at least business management -- not being involved in the design of the system and not thinking through, with IT, the privacy and security issues," Ross said.

6. Who should get the blame if an IT initiative fails?

This is perhaps the most important of all six critical IT decisions, Ross said. "Now, of course, the logical scapegoat has been and tends to be IT," she said.

Several years ago, when Patrick Zilvitis became CIO at Gillette, senior management told him that they wanted a PeopleSoft enterprise software system deployed company-wide. Such a deployment would have been difficult at best given the high degree of autonomy that Gillette's business units enjoy, but Zilvitis knew it would have been disastrous without a senior business sponsor. Because he was still in a honeymoon phase as CIO, Zilvitis was able to hold out until one vice president agreed that there was such a critical need for those applications that the VP would shoulder the responsibility. Ultimately, that VP realized that no one from IT would have been able to clear the business hurdles involved in the deployment.

The pain experienced by several companies in dealing with these six questions is a valuable lesson to the next generation of IT and business managers, Ross said.

"None of these decisions could be made without IT input, of course," she said. "IT needs to be there to explain the options, to explain what the technology can and can't, to highlight the costs.

"So IT plays a very important role in all of this, but if business managers don't make these decisions, it really doesn't matter what IT does. Nothing good will come of it."

