The Sheer Gravity of Underestimating Culture as an IT Governance Risk

For those who may think that any form of governance of enterprise IT (GEIT) is better than no IT governance, it is important to consider the fact that poor IT governance is a significant, documented cause of IT failure.^{1, 2, 3, 4} In fact, the consequences of ill-conceived IT governance can be both very costly and very public. A recent case in point is that of the Royal Bank of Scotland (RBS), which was fined US $9.7 million by the UK financial services regulator for poor IT governance.⁵

IT risk, a key GEIT domain, was realized in the RBS case not only by having compromised the bank’s objectives, but also as a real financial cost and as an untold cost to the bank’s reputation, which could have additional financial consequences.⁶ This is ironic given that a major reason for GEIT is the optimization of IT risk as part of the plan to achieve the organization’s objectives. In fact, IT risk management is deemed so important that it currently tops the risk agenda for boards and C-suite leaders globally—given concerns about their ability to transform operations and infrastructure in today’s digital transformation paradigm—in their pursuit of greater competitiveness against digital native organizations.⁷

Determining GEIT’s Critical Success Factors Via the Lens of Its Risk Domain

The volume of academic and business literature identifying the critical success factors (CSFs) for effective risk management is vast. What is remarkable is how similar their findings are, regardless of the industries against which the studies were performed. In these studies, culture is highlighted as one of the top CSFs, if not the top CSF, for effective risk management. For example, an academic study in financial services concluded that the CSFs in figure 1 are key to effective risk management.

Culture is recognized as probably the most important CSF in a risk context, with findings such as:

• Culture affects implementation of enterprise risk management to a very great extent.⁸
• Culture is the highest ranked CSF in both qualitative and quantitative assessments.⁹
• The function and the effectiveness of other CSFs depend on strong organizational culture.¹⁰

The latter finding is astonishing because it suggests that the other CSFs are themselves dependent on culture as a CSF. This, in turn, suggests that if culture fails, then there is hardly any point managing the other CSFs if there is any expectation for risk management to be successful.

Now consider a sample of business literature on this topic (using the academic findings in figure 1 as a basis for comparison). There are similar findings (figure 2). The business community, however, takes culture as a key risk CSF a considerable step further:

• Almost all agree that failures in risk culture were a main cause of the credit crisis of 2008.¹¹

Culture is clearly a crucial consideration, guiding workplace behavior so that it becomes natural for everyone to act in ways that mitigate risk.¹²

While figure 2 is only a small sample of the business view of risk CSFs, that enterprises may not see communication and supporting IT as risk CSFs is unexpected.

The IT governance practitioner might have noticed something interesting about these CSFs: All of the CSFs except one involve people; not things, such as processes and policies, but people. For an IT governance practitioner, this could be problematic.

Even from this small sample of literature, it is apparent that failing to take culture into account, especially from the context of GEIT’s risk domain, is a major cause of GEIT failure.¹³

Culture as a CSF: It Is All About Behavior

The Merriam-Webster Dictionary defines culture as, “… shared attitudes, values, goals, and practices that characterizes an institution or organization.”¹⁴ In short, it is about how the organization behaves and how it does things. While not comprehensive, figure 3 lists four types of negative organizational behaviors with which to be concerned.¹⁵

Many may have experienced any or all of these behaviors when developing their GEIT policies, processes, standards and guidelines. In alignment with figure 3, risk management will certainly be ineffective if people are in denial about risk, could not care less about risk, do not understand why risk is important or continually find ways not to perform the risk control processes that are established to support the new IT governance program.

Given the complexity of institutionalizing change, there are at least four drivers of change that help encourage changes in mind-set and that help address undesirable behavior:¹⁶

• Fostering understanding and conviction to ensure that what is being asked is understood
• Role modeling and ensuring that leaders behave differently
• Developing talent and skills to enable behaving in the new way
• Reinforcing with formal mechanisms where structures, processes and systems support the change

Of these, it was found that role modeling is the greatest driver of successful transformation.¹⁷ In terms of the rest of these, communication, especially regarding progress, was found to be the next most important consideration,¹⁸ raising further questions about why some in the business community (figure 2), do not see communication as a risk CSF.

The significance of culture as a CSF adds to the matters the practitioner needs to consider in developing and sustaining their enterprise IT governance initiatives, especially with respect to the change management that is clearly every bit as important to successful GEIT as are its five documented domains. While there could be items in the GEIT implementation plan pertaining to competency development (training), fostering understanding (communication) and reinforcement (e.g., deploying supporting technology), there is often nothing in the plan about identifying role models. Leadership role models address one of the greatest drivers of effective risk management (i.e., tone at the top) through a chain of activity as illustrated in figure 4. Quite simply, if leadership does not live the change they are advocating, if they do not set the example, then their IT governance efforts will be ineffective.

With culture clearly so critically important to the success of risk management and, ultimately, GEIT, and with “increasing interest in better understanding the role of culture in IT governance,”¹⁹ it is concerning that only 15 academic research studies looked into the role of culture in IT governance and, of those, only one study explicitly looked into the impact of culture on the risk domain of IT governance.²⁰ There is clearly both a pressing need and an opportunity for more work to be done in this area.

Bringing It All Together

Everything up to this point can be summarized in figure 4. Reading it left to right, the headings of each of the columns provide guidance with respect to the actions required to enable GEIT success.

Reading it right to left is, by contrast, a map of dependencies; GEIT success depends on good IT risk management, with a specific focus on the key CSF of culture. Negative cultural CSF behaviors such as detachment and avoidance need to be addressed by having role models and tools that reinforce desirable behavior. These tools could involve modified staff performance contracts or creating and sustaining an achievers’ program over a number of years, with rewards that target the desired behaviors, specifically those that enable the achievement of the desired business outcomes.

Measuring Progress of Culture Change

Given that culture is deemed critical to GEIT, how will one know if suitable progress is being made in establishing a risk culture and, therefore, that the IT governance imperative is stabilizing? The Financial Stability Board (FSB)—the international body that oversees the operation of the global financial system—proposes some indicators in this respect:²¹

• Tone at the top—The message communicated by top management and the example they set (role models)
• Accountability—Any good governance construct requires that roles, responsibilities and accountabilities are appropriately defined
• Effective communication and challenge—Simple and sustained communication that is collaborative and open to feedback and continuous development
• Financial and non financial incentives—For example, performance contracts (bonuses), days off, paid seminar attendances, gala events recognizing the desired performance and more

For each of these indicators, measures of the effectiveness of culture-based initiatives for GEIT (figure 6) could be defined as shown in figure 5.

Furthermore, the culture of the organization should be baselined, and progress against this cultural baseline should be measured regularly.

In Practice: Culture Is a Significant Risk Factor

The Canadian federal government attempted to implement a new pay system—Phoenix—for public sector employees as a cost-cutting measure. Instead, it will cost the government US $1.6 billion by 2023, significantly exceeding the US $227 million originally budgeted.

The auditor general of Canada found that “the Phoenix fiasco is a result of a cultural problem within a public service fearful of communicating failures to superiors. The government needs to move away from a culture that plays down bad news and avoids responsibility, to one that encourages employee engagement, feedback and collaboration.”²² The auditor general continued; “In order to prevent an incomprehensible failure like Phoenix from happening in the future, the government has to understand which par ts of its culture are causing that type of action.”²³ In other words, to help ensure that significant IT failures do not occur in the future, the government must address its cultural issues.

From this US $1.6 billion IT problem, it is clear that, once again, bad culture played a significant role in the failure of IT. “Subordinates who are afraid to speak out may end up letting the…organization fail with an inferior product or bad decision because they feel the personal risk of voicing a challenge is too great…In the end, such behavior also stifles open and honest communication and breeds insecurities within the organization.”²⁴

If the culture is such that honest and open conversation about an IT project is not positively and publicly encouraged, then the business case, a key GEIT domain, will be compromised. This is because it is at the business-case step that the tough questions about an IT project need to be asked.²⁵ If there is a reluctance to ask them due to the culture of the organization, it could compromise the strength or validity of the entire business case, the project and even the project’s oversight activities.

Now About That Problem for IT Governance Practitioners…

If IT governance can be compromised by poor IT risk management and if IT risk management effectiveness can be compromised by culture, then there is a problem. That is because IT is typically not equipped to handle organizational culture and, even if it were, it does not have direct organizational control over it. Does this mean that IT can only indirectly affect the efficacy of IT risk management and, ultimately, of enterprise IT governance success?

This matter is not unique to IT risk management or any other type of risk management for that matter. That is because IT risk management is a subset of enterprise risk management (ERM), the umbrella organization for which the board and management (particularly the chief executive officer [CEO]) are responsible. Risk culture is, therefore, potentially more of an ERM challenge than just an IT risk challenge, so perhaps the issue of culture change should simply fall under ERM.

Then, under ERM, are the cultural responsibilities of affecting IT risk management eliminated for IT? Not necessarily; IT risk management faces multidisciplinary challenges in the digital era. Cyber IT risk, for example, has significant elements of people risk embedded within it. It is, therefore, important to realize that risk management is no longer merely a mechanical process of identify, assess, respond and monitor. That is because effective risk management starts with people. The FSB points out that risk effectiveness begins with culture and tone at the top; the whole role modeling imperative.

The response to the problem is that while the ERM program could be the umbrella for developing a risk culture, there seems to be a stronger call for people skills in individual risk areas than previously imagined, at least if functional risk management efficacy is the objective.

Since risk management is everyone’s responsibility, it becomes everyone’s responsibility to be a successful risk role model.

Conclusion

It is already known that various catastrophic IT failures have created a case for IT governance. Examples include Ford (which spent US $400 million on a purchasing system only to abandon it) and the US Federal Bureau of Investigation (which spent US $170 million to develop a virtual case file, which was then scrapped), not to mention failures in the public sector such as Ontario’s Integrated Justice Project and the Canadian Blood Services’ ERP rollout.²⁶

Merely having a GEIT program is by no means a silver bullet for IT risk. Understand that IT governance can fail, like when governance structures are created without user engagement²⁷ or when the overall governance effort is simply not good enough. For example, Scotland’s National Health Service (NHS) NHS 24 found a combination of poor governance, underestimating risk and an inadequate business case to be the reasons for delays in deploying a new IT system,²⁸ again exemplifying how only having some IT governance in place (the previous are all GEIT domains) can be as bad as having no IT governance at all.

With all this said, it seems somewhat at odds with the gravity of the reality just explored that there is relatively little mention of culture in the Certified in the Governance of Enterprise IT (CGEIT) Review Manual. There are so many failures of IT—at scale and attributed to poor IT governance—that enterprise IT governance practitioners need to begin asking critical questions about what else the discipline of GEIT may need to be more effective. Actively integrating culture as part of GEIT is a clear imperative for enterprise IT governance success.

Corporate culture is the primary driver of effective enterprise IT governance. If culture is addressed merely as change management, as something that might be done on the side, or is seen as soft and something that will just automatically adjust, then a growing mountain of evidence suggests that these organizations should prepare for big problems ahead.²⁹

Endnotes

¹ McCue, A.; “Poor IT Governance Key to Project Failures,” ZDNet, 29 March 2007, http://www.zdnet.com/article/poor-it-governance-key-to-project-failures/
² MarketWorks, “Lack of IT Governance Is Putting Business Value at Risk,” ITWeb, 23 July 2017, http://www.itweb.co.za/content/O2rQGqA5xnzqd1ea
³ IT-Online, “The Cost of Poor IT Governance,” 23 September 2015, http://it-online.co.za/2015/09/23/the-cost-of-poor-it-governance/
⁴ Asgarkhani, M.; A. Cater-Steel; M. Toleman; M. Ally; “Failed IT Projects: Is Poor IT Governance to Blame?” 28^th Australasian Conference on Information Systems (ACIS 2017), 4-6 December 2017, http://eprints.usq.edu.au/33692/
⁵ Tung, L.; “Bank Fined $9.7m Over Poor IT Governance,” ITNews, 5 August 2010, http://www.itnews.com.au/news/bank-fined-97m-over-poor-it-governance-223608
⁶ Allen, K.; “How Much Can a PR Crisis Cost You?” PR Daily, 28 August 2017, http://www.prdaily.com/how-much-can-a-pr-crisis-cost-you/
⁷ Protiviti, “Digital Readiness Dominates Top Risk Concerns for Business in 2019, Protiviti-NC State Survey Finds,” 2018, http://www.prnewswire.com/news-releases/digital-readiness-dominates-top-risk-concerns-for-business-in-2019-protiviti-nc-state-survey-finds-300760417.html
⁸ Makunyi, A. R. J.; A Survey of Critical Success Factors of Enterprise Risk Management Among Commercial Banks in Kenya, School of Business, University of Nairobi, Kenya, October 2013
⁹ Manab, N. A.; S. N. Othman; I. Kassim; “Enterprise-Wide Risk Management Best Practices: The Critical Success Factors,” International Journal of Sustainable Development, May 2012, http://www.researchgate.net/publication/256018860_Enterprise-Wide_Risk_Management_Best_Practices_The_Critical_Success_Factors
¹⁰ Ibid.
¹¹ Brodeur, A.; K. Buehler; M. Patsalos-Fox; M. Pergler; A Board Perspective on Enterprise Risk Management, McKinsey & Co, USA, February 2010, http://www.mckinsey.com/~/media/mckinsey/dotcom/client_service/risk/working%20papers/18_a_board_perspective_on_enterprise_risk_management.ashx
¹² Akmeemana, C.; G. Pearce; “Tech-Based Cybersecurity Can’t Stop ‘People Risk,’” American Banker, 22 July 2016, http://www.americanbanker.com/opinion/tech-based-cybersecurity-cant-stop-people-risk
¹³ Frelinger, B.; “Why IT Governance Implementation Efforts Fail,” ISACA, http://h04.v6pu.com/Groups/Professional-English/cobit-implementation/GroupDocuments/Why%20ITG%20Implementations%20Fail.pdf
¹⁴ Merriam-Webster Dictionary, “culture,” http://www.merriam-webster.com/dictionary/culture
¹⁵ Op cit Brodeur
¹⁶ McKinsey & Company, McKinsey on Organization, November 2016, http://www.mckinsey.com/~/media/McKinsey/Business%20Functions/Organization/Our%20Insights/McKinsey%20on%20Organization/McKinsey-on-Organization-Culture-and-Change.ashx
¹⁷ Ibid.
¹⁸ Ibid.
¹⁹ Aasi, P.; L. Rusu; D. Vieru; “The Role of Culture in IT Governance Five Focus Areas: A Literature Review,” International Journal of IT/Business Alignment and Governance (IJITBAG), vol. 8, iss. 2, June 2017, http://www.researchgate.net/publication/319412331_The_Role_of_Culture_in
_IT_Governance_Five_Focus_Areas_A_Literature_Review
²⁰ Ibid.
²¹ Financial Stability Board, Guidance on Supervisory Interaction With Financial Institutions on Risk Culture: A Framework for Assessing Risk Culture, 7 April 2014, http://www.fsb.org/wp-content/uploads/140407.pdf
²² Zilio, M.; “Phoenix Pay System Problems on Track to Cost Government $2.2-Billion: Report,” The Globe and Mail, 31 July 2018, http://www.theglobeandmail.com/politics/article-phoenix-pay-system-problems-on-track-to-cost-government-22-billion/
²³ Zilio, M.; “Phoenix Pay System an ‘Incomprehensible Failure,’ Auditor-General Says,” The Globe and Mail, 29 May 2018, http://www.theglobeandmail.com/politics/article-phoenix-pay-system-an-incomprehensible-failure-auditor-general-says/
²⁴ Efron, L.; “Do You Have a Culture of Fear? Three Questions to Ask,” Forbes, 25 September 2017, http://www.forbes.com/sites/louisefron/2017/09/25/do-you-have-a-culture-of-fear-three-questions-to-ask/#48e9edf71435
²⁵ Pearce, G.; “Closing the Gap Between Innovation Intent and Reality,” NACD Directorship, September/October 2018, http://www.nacdonline.org/insights/magazine/article.cfm?ItemNumber=61339
²⁶ Himmelsbach, V.; “Use These Famous IT Failures to Drive a Governance Agenda,” expertIP, 3 April 2013, http://blog.allstream.com/use-these-famous-it-failures-to-drive-a-governance-agenda/
²⁷ Krigsman, M.; “Information Silos and IT Governance Failure,” ZDNet, 14 January 2010, http://www.zdnet.com/article/information-silos-and-it-governance-failure/
²⁸ UKAuthority, “NHS 24 Acknowledges IT Governance Failures,” 5 February 2016, http://www.ukauthority.com/articles/nhs-24-acknowledges-it-governance-failures/
²⁹ Gleeson, B.; “Leading Change: Six Reasons Change Management Strategies Fail,” Forbes, 7 December 2016, http://www.forbes.com/sites/brentgleeson/2016/12/07/leading-change-6-reasons-change-management-strategies-fail/#1df14a525d9e