Law

Decision-Making: No More "Us vs. Them"

By Courtney Macavinta

The end of 2006 marked what seemed like a minor reprieve for companies on the compliance front -- especially when it came to the financial and accounting reform rules detailed in Sarbanes-Oxley (SOX). For starters, small businesses got an extension on their compliance deadline. Then the Securities and Exchange Commission proposed new "guidance" to purportedly streamline the auditing requirements detailed in the legislation. Yet in 2007, companies are still expected to grapple with not only SOX but also an expected flood of proposed legislation to better protect consumers' personal information and prevent identity theft.

In her report, IT and Compliance: 10 Big Predictions for 2007, Cass Brewer, editorial and research director for the IT Compliance Institute, predicted that while SOX would loosen up, "companies would continue to be required to defend their list of high-risk controls." On top of that, she notes that companies need to be aware of recent amendments to the U.S. Federal Rules of Civil Procedure (FRCP). On Dec. 1, 2006, FRCP amendments went into effect pertaining to electronic records and their discovery in litigation -- in particular, the amendments reinforce that email should be archived and easily retrievable if needed for legal discovery. In addition, Brewer says federal regulators will likely push for a tougher consumer privacy law and that, internally, CIOs will be focused on increasing internal security and compliance for mobile devices, instant messaging (IM), blogs, and corporate wikis.

"Compliance itself will become increasingly integrated with the larger picture of corporate governance and risk management," Brewer writes. "This understanding should benefit the process-integration effort and serve to elevate compliance accountability to the board and executive level, where active and interested sponsorship must ultimately support successful implementations."

Though regulations -- and how to fully comply with them -- are not always clear-cut, what is obvious is that when it comes to risk management issues, there can no longer be a disconnect between business and IT strategic- and risk-management processes. The CIO needs to be on the same page as other C-level executives -- and vice versa -- and not just when it comes to compliance but overall business strategy as well. In its report, Predicts 2007: CIOs and IT Making Discomfort Zone, Gartner, Inc. projects that by 2009, 40% of strategic decisions will be made by people with blended business and IT expertise -- and by 2012, the percentage will rise to 60%.

To lead better decision-making efforts when it comes to risk management -- and other enterprise-wide strategies -- experts say CIOs can build the necessary relationships to move their organization away from an "us vs. them" mentality by:

Tactic No. 1: Build relationships
When it comes to risk management or business strategy, IT leaders must not only understand the "big picture" of where their organization is going, but also understand how to make business unit-level and functional-level decisions, Gartner notes. And this requires CIOs to fine-tune their relationship-building skills and to break down communication barriers. "When we talk to CIOs, one of the first things we focus on is how much time do they spend on building relationships versus the supply side," says Ellen Kitzis, Gartner vice president of research and one of the co-authors of the Predicts 2007 report. "CIOs inevitably have to work with every part of the organization. You put the organization at risk if you don't have a vehicle for shaping it and all you can do is respond. You need to be able to influence what people want and how they'll get value out of technology, and have the ability to shape and inform expectations of the business."

Tactic No. 2: Identify business needs -- early
Whether a business need revolves around compliance or bolstering the bottom line by rolling out new services, in 2007, Gartner says that "IT leaders must adopt a systematic approach to identifying, prioritizing and satisfying persistent and emerging business needs." Working with their counterparts throughout the organization, CIOs need to "get in front of the innovation process" to identify how IT can help reshape business models or processes and to facilitate change management. "A lot of organizations are moving to change things quickly -- and they need the expertise to make those transitions," Kitzis says. "As we're able to reduce the percentage of spend associated with infrastructure and increase the spend on business initiatives, the requirements for business and IT organizations to jointly engage in project development, execution and success becomes increasingly important."

Tactic No. 3: Be ready for change
Complying with regulations like SOX was so painstaking for many organizations because their processes and systems weren't nimble enough to change easily (or inexpensively). Gartner recommends that in 2007 CIOs "make the overdue investment in organizational change competence; it must be institutionalized." Gartner advises CIOs to capitalize on their relationships with other business and functional leaders to develop new processes for making enterprise-wide changes and to identify "choke points."

At the end of the day, leading change initiatives requires creating efficient decision-making processes that allow business units to work together to prioritize and take action. "Organizations are shifting from siloed businesses to enterprise-wide processes," Kitzis says. "It's going to require a lot of people to get out of their comfort zone."

Courtney Macavinta is a Silicon Valley-based business and technology writer. Her articles have appeared in CNET News.com, Business 2.0, Red Herring, Wired News, and The Washington Post. She also is managing editor of The Online Family (TheOnlineFamily.net).
