Enabling business governance and governance transparency

Focusing on financial performance alone is not enough to ensure sustainable results in IT. There is a need for a framework for the corporation to meet its obligation to recognized goals in an organized way with regard to a wide range of stakeholders. The CPR Governance Framework might be the answer.

By: Dave Pultorak in conjunction with the Enterprise Computing Institute

After years of stable development, corporate governance is receiving significant attention. Historically, there was a strong emphasis on finance, so much so that governance was virtually synonymous with the measuring, monitoring, and reporting of the financial condition of the enterprise.

But that has changed. About a decade ago it became clear that focusing on financial performance alone was not enough to ensure sustainable results. This fact was highlighted by Robert S. Kaplan and David P. Norton and summarized in their research. Kaplan and Norton recommended a "balanced scorecard" of governance dimensions, including business process, customer fulfillment, and learning and growth, in addition to financial performance. The balanced scorecard dramatically extended the factors to be considered in corporate governance.

In the nine years since Kaplan and Norton first published their research, the number of authorities, pieces of legislation, and industry regulations and standards that corporations must comply with has increased dramatically. And many corporations have stumbled even as they worked towards a balanced scorecard of results because the way they conducted themselves "turned off" rather than "turned on" relevant stakeholders.

And while business fundamentals remain the same, the landscape on which business is played out has changed drastically since 1996, when business use of the Internet was still in its infancy. Today, enterprises are thoroughly networked entities operating in massively networked marketplaces. A corporation's customers, competition, and colleagues are all deeply interconnected. The result of a networked marketplace is an increase in both the frequency and variability of demands on the business, including opportunities and threats.

An example may help illustrate: imagine yourself as a medieval ruler presiding over a backward country with no good road system interconnecting its villages. You take the bold stroke of building roads interconnecting the villages. As a result of your actions, vendors now have a realistic opportunity to sell their wares in not just one market, but several markets. And highwaymen now have a realistic opportunity of robbing people on more than just one road. The end result is that by networking the villages with a system of roads, you have increased both the frequency and variability of opportunities and threats. This is precisely what has happened with our economy with the "Internet highway." This situation creates a requirement for corporate directors to broaden the foundation of corporate governance, and the need for a framework for the corporation to meet its obligation to recognized goals in an organized way with regard to a wide range of stakeholders.

The CPR Governance Framework, first put forward by IT management consultant David Pultorak in a 2003 Bettermanagement.com webcast of the same name, is such a framework. The CPR Governance Framework divides governance into three dimensions: conformance, performance, and rapport.


Conformance is about ensuring compliance. It is establishing and managing the control objectives. Conformance activities consist of documenting what you plan to do, doing it, and accumulating evidence that you are doing it. The goal of conformance is compliance with relevant authorities. The instrument for measuring conformance results is the audit. All businesses must conform to relevant:

  • Regulatory authorities, such as the IRS and the FDA
  • Legal requirements, such as the Sarbanes-Oxley Act
  • Industry-specific rules, such as HIPAA
  • Market expectations of customers and professional associations, such as hotel ratings
  • Professional codes of behavior and ethics.

Some of these conformance areas are mandatory. Others are theoretically optional but necessary for business purposes. For example, while there is no legal requirement for a hotel to maintain a three-to-five-star rating, customers will avoid hotels without such ratings. And while there is no legal requirement for members of an industry association to abide by its code of ethics, compliance with such codes makes good business sense.


Performance is about ensuring efficiency and effectiveness. It is doing the right things, right. The goal of performance is efficiency and effectiveness. Performance is about ensuring the predictable, sustainable creation of customer value and company profit. The instrument for measuring performance results is the assessment review. All businesses must measure, monitor, and report on relevant performance indicators, including financial measures, product capabilities, employee productivity, internal business process, customer fulfillment, learning and growth, and agility. These areas extend further the balanced scorecard idea of governing beyond financial performance indicators as a means to sustainable results.


Rapport is about ensuring that the business relates to relevant stakeholders in a consistent and responsible way. Rapport covers social values and standards, providing transparent performance statistics, demonstrating integrity, and balancing the interests of stakeholders. It is about ensuring how you do things (the means) "turns on" and does not "turn off" relevant stakeholders. The goal of rapport is good relations with relevant stakeholders. The instrument for measuring rapport results is the survey.

Governance requires action. It suggests behaviors to guide relationships between and among corporations and their constituent parts. While governance can sometimes be viewed as formal rules and procedures, there are things you can do tomorrow to shape your board's view of IT governance:

  • Suggest a discussion on governance be placed on the board agenda to gain concurrence on your board’s thinking on the matter.
  • Have the wider definition of governance broadcast throughout the corporation.
  • Propose that the wider definition of governance filter out to key customers and suppliers.
  • Ask company management to discuss vital business drivers with IT management to further business and IT alignment.
  • Invite IT management to report on the effectiveness of service-level agreements already in place within the corporation.
  • Seek support from the National Association of Corporate Directors (NACD) for white papers and training on governance in the large, and IT governance in particular.

In the long run, governance is strongly oriented towards sustainability: ensuring that the corporation is successful today and positioned for tomorrow. Corporate governance, including IT governance, is simultaneously the scout and sentry on the frontier of company growth.

The Enterprise Computing Institute helps IT professionals solve problems and simplify the management of IT through consulting and training based on the best-selling Enterprise Computing Institute book series.