Excerpt from The Levers of Embedded IT

Walk into any organization these days and you can find technology that is being used, purchased, or pursued that is not in policy.  Shadow IT is a trend that has only been growing since the advent of the cloud and internet.  More and more the business feels it can go on its own and acquire its choice system, with our without IT.

This trend is not losing momentum.  The reason is not because there are more avenues for acquiring technology outside of IT.  The reason is because IT itself is giving the business good reason to go elsewhere.  As one senior IT leader said to me, “Shadow IT develops when the customer does not feel served.”  It is that simple.  Shadow IT is about finding alternatives, not about creating a competing IT organization.  The business has no interest in specializing in IT.

Inevitably, shadow IT happens in organizations, and when it does, governance becomes the lever to control the outbreak.  IT leaders will lean on governance as the one last line of defense.  The leaders will appeal to the governance policies and ask for executive leadership to enforce the policy.  And what happens most times?  IT loses anyway.

Let’s face it.  No one likes to be governed, most especially, the business.  IT leaders that use governance as a defense tool lose governance altogether, because people don’t preferred to be controlled, they prefer to be served.

That is why CIOs need to use governance as an embedding tool, not as a policy enforcement club.

I recently had the opportunity to work with a CIO who did just that.  This CIO recognized that there were many systems that were appealing to the business that were being presented by cloud vendors.  Time and time again the CIO and his organization would be called into meetings only to learn that the business was interested in acquiring a cloud service.  That IT organization found themselves on the defense quickly.

You would think from the description that the organization did not have governance.  However, it did.  There were governance policies in place.  They just weren’t respected.  A policy that is not enforced is not a policy.  This CIO realized that.  He also realized that leaning on a policy was not the answer.  He knew that strategy trumps policy.  The business will usually move forward and around policies that stand in their way.  This is how IT becomes seen as an obstacle.

The CIO saw the trend early enough.  He addressed it by addressing the governance structure.  He created a plan to involve the business.  He began campaigning to the top C-level leaders to make some changes.  It was an easy sell, especially to those wanting collaboration.  It also was a way to include the business in the decision making.

The smart thing about his plan was that he changed the governance committees to be business service committees.  He themed them around business services through automation.  He included all the typical things including standardization, procurement, etc.  However, it was now structured as a collaborative group.  The business did not see the governance as a group of IT people that met just to figure out what to say no to or how to slow down progress.  They saw governance as an opportunity to plan strategic advancement through IT.

This lever of Convergence is available to most CIOs.  In fact, it is one that should be advanced no matter what state the relationship with the business is.  The business wants to talk strategy.  They want to advance.  They want technology to help them.  Framing best practices services like governance as a business enablement activity is a win right from the start.  Even though the reverse happens, the business embeds into IT, it still brings the units together.  After all, Embedded IT is not about structure, it is about essentialness.

Although the advantages are evident, there are some cons to this lever.  First, the business may begin to use governance activities as their strategic planning activity.  This is not optimal, as governance practices are still necessary.  There must be a component of control maintained.  The discussion cannot be all vision.

Second, in the toughest situations, since the business has a more prominent seat at the governance table, it can feel that it has the authority to slam through a decision that is more than an exception and would have adverse effects.  This is no different than shadow IT situations, but the business is no longer out of policy in this scenario, and removes a “last line of defense” opportunity through governance.  CIOs should be wary of this dynamic.

The CIO who employs this lever should ensure they have a direct line to the CEO.  There may be a time when the inclusive committee approach does not stop a decision that could have very negative effects on the organization.  The CIO in that case would require recourse to another control to stop the decision.  This can be an informal line to the CEO, or an overall executive committee.