Once upon a time, business solutions were known as IT solutions,technology was deemed too difficult for business users tounderstand, and the technology staff would tell department headswhat the business users needed to gain more efficiency. Then cameIT governance. Today, as governance matures, insurers find greaterefficiencies and more controls are improving company performanceand allowing business users to tell IT what is needed to make thebusiness purr.

The pendulum had swung too far to the IT side of the house priorto IT governance initiatives, points out Bob Goldberg, CIO ofColorado Farm Bureau Insurance. "IT was implementing projects thebusiness wasn't willing to support," he says. "They were ITinitiatives, not business initiatives."

The control requirements for IT were not as stringent five yearsago as they are today, according to Cynthia Saccocia, research areadirector with TowerGroup's insurance practice. Regulation hasforced the business' hand on some of those controls. "As youstarted to peel back layers of exposure within an organization, thecompany began to uncover exposures in the technology areas," shesays. "Now, governance has forced some things into IT that may nothave been present in the past–better documentation and bettercontrols."

What's New?

As IT governance matures, carriers are putting pockets ofcontrols in place for different segments or requirements, observesSaccocia, pointing to areas that deal with compliance, particularlythe regulations put forth by the Sarbanes-Oxley Act. Governanceareas also are being developed around data standards, Web services,and outsourcing. There even is governance of the relationshipsbetween business and IT, she adds. "There are business disciplinesbrought forward to run IT like a business and to employ thecontrols, architectures, plans, and structures that are necessaryto run what can be a very chaotic business," she says.

Glen Hobbs, director within the performance improvement practicefor PricewaterhouseCoopers, sees governance expanding to definedareas such as portfolio management, demand management, datagovernance, service management, and outsourcing.

"There is a focus on building out those capabilities," he says."It also varies depending on the size and nature of theorganization and where the initiatives are being driven from.Several organizations begin [governance] as a more departmental orline-of-business initiative and grow out from there, depending onthe organization's structure."

Hobbs doesn't classify breakdowns as holistic or formalized. "Ithink it's more organic than that," he says. "There's more focus onaddressing specific pain points; that's the fundamental driver." Hedoesn't see smaller insurance carriers focusing on such breakdowns.Large carriers have more challenges in areas such as data, giventhe way they've grown through acquisitions that add multiplesystems. "What's happening in the industry is there is moreshifting away from product silos to customer-centric issues," hemaintains. "The impact from a data perspective is quitesignificant. You now have data in multiple silos, and that's givenrise to the focus on data governance."

What drives IT governance is the changing nature of thetechnology and the business demands, Saccocia believes. Insurersare moving toward more flexible environments where standards,reusability, and data controls are in place. "That is moving us inthe direction of running things a little bit differently than wehad in the past because you want people to adhere to procedures toget the continuity that's necessary," she says. "You want to put insome controls when you are evaluating new solutions, especiallywhen you want to have reusability of components so you are gettingthe maximum value from the components you have and have moreflexible choices. It does require some discipline. Discipline is[derived] from controls, and the controls are maintained bygovernance."

Premium Growth

Bill Jenkins, CIO of Penn National Insurance, contendsgovernance has become important today because of the economicpressures insurers face. "We're struggling with premium growth likea lot of carriers, and as such, we look to cut expenses," he says."Our budget is dictated by the amount of premium we write. So, ifthe premium growth isn't there, we have to do more with less." ITgovernance ensures the IT department does what the business sidethinks is important for the enterprise to be competitive.

At Penn National, the IT department takes work orders from twosources:the senior executive management team, which decides thestrategic projects that are more than $500,000 in budget, and across-functional team made up of the heads of the business units,such as actuary, underwriting, and claims. The cross-functionalteam looks at planned projects that fall under the $500,000threshold.

Jenkins describes Penn National's project prioritization processas formal and rigid. "We try to promote the business bringing theproject to us rather than the other way around," he says. "We useexternal folks to come in and give presentations to the managementteam on what's going on in the industry from an IT perspective, andthat helps generate ideas for projects and such."

The senior managers at Colorado Farm Bureau get together monthlyand discuss IT-related projects and IT-related resources, explainsGoldberg. "In our model, we hash out the top priorities of thecompany, what we are working on today, what we plan on working onfor the next two months, and we make sure we have alignment," hesays. "That way we don't have the herky-jerky process of projectsstarting and stopping. As you jockey resources, everyone is in thesame room talking about what we are going to do."

Better Control

With some of the big failures, SOX, the expense of technology,and the competitive cost of not succeeding with initiatives,insurers turned toward instituting better control and governancepractices, asserts Rod Travers, senior vice president, Robert E.Nolan Co. He began to see the change toward IT governance as someof the industry's more expensive projects failed to succeed. "Therewere some significant flops back in the late '90s," he says."That's when we began to see the real underpinnings of change."Another factor was SOX regulations that forced the documentation ofpractices and processes that had financial ramifications for thecompany. "These are things IT departments never had to deal withbefore," he says. "They found themselves documenting things andlooking at management practices they never had used before."

Travers believes governance has been a greater challenge formidsize and smaller organizations more than larger organizations,which he feels developed discipline out of sheer necessity–size andscope of the organization and multiple organizations operatingunder one umbrella. "The larger organizations, to a great degree,have gone up the maturity curve and instituted much more formalmanagement practices," he says. "The mid-tier and smallerorganizations tend to lag behind."

IT governance differs dramatically between large organizationsand the mid-tier, according to Saccocia. Mid-tier and smallerinsurers don't have the resources to put in controls specific tofunctions or areas. "It tends to be one person trying to providesome oversight," she says. "There are a lot of moving parts in ITthat need to have control, structure, and process in place eitherto run more effectively or to meet the requirements that have beenput in place. It's a difficult job managing the operation. We'reall running at 5,000 miles per hour, so we have to figure out a wayto get it all done."

Game Plan

The project management office is one way companies areapproaching governance, reports Travers. The Project ManagementInstitute has established nine knowledge areas: project scope,communication, risk, budget, schedule, human resources, quality,procurement, and integration. "Those are the bases of a goodgovernance model," he says. "Those organizations that have beeninvolved in project management discipline tend to lean toward thatas a governance model, with some additional governance modifiersand a heavy dose of user ownership of projects, results, andfunding."

Some IT organizations are more mature, Travers points out. "Theyhave a better track record and management practices in place thatare working," he says. "Those tend to be IT organizations thatpartner with the business side."

There also are IT organizations that are less established or inneed of upgrading some of their management practices. "Thoseorganizations might serve as a service provider to the business andput the ownership of projects on the business side," says Travers."When IT is developing solutions for business, the ownership andinvolvement from the business side are essential. The degree ofthat involvement depends on the maturity and capability of the ITorganization."

Too much of governance is being run manually, Saccocia believes.She attended a user conference this year, she says, and one of thesessions was on governance controls and documentation. Shediscovered the execution and sign-off on governance for thoseinsurers participating were done mainly through e-mail. "Theautomation of IT governance isn't there yet," she notes."[Carriers] don't view the tools they are using in other parts ofthe organization the same way as they might to run the ITbusiness."

One such tool that could help is an enterprise contentmanagement system. "A vendor could spin what it does as agovernance solution, but in fact, it is the simplistic nature ofcontent management–libraries, tagging, electronic signatures–thatcould be employed to automate the process," says Saccocia. "If auser profile had to be updated every quarter or six months, thatautomatically would occur if [carriers] used the technology theyare putting into the business."

Flexibility Needed

Occasionally, new projects come up at Penn National thatbusiness and IT feel the need to discuss in terms of where theymight fit in with the other priorities. In some cases, thecarrier's project group would recommend the company pull the plugon projects. IT also provides status reports on projects alreadyunder way to determine what the benefits look like as the projectunfolds. "If costs look like they are going to be much higher thanprojected, that group has the ability to say we don't want to gofurther on the project," explains Jenkins.

Penn National gives its IT application managers responsibilityfor business departments, serving as business relationshipmanagers. "That's their customer," says Jenkins. "They need to makesure the projects and the maintenance for those units are beingdone based on what the business requires." The carrier also makescertain those business relationship managers are adding input intothe business areas' planning processes with the idea the managerswill educate the business people on technology availability, howtechnology can help business' operation, and what the resourcelimitations are, Jenkins adds.

As a member of the senior management staff, Goldberg points outthere are cases in which the committee sees the need for somethingthat hasn't been discussed before but requires immediate attention."You have to be flexible about such situations," he says. "You haveto be nimble to change directions. Here in Colorado, a few yearsago, we changed from a no-fault state to a med-pay state. Thatbasically changed overnight. We had to be ready to jump throughthat hoop, and some other items suffered."

Goldberg sees pluses and minuses in not being a largeorganization. "With a small organization I feel nimble, but othertimes, if you have a large project, we will take longer to get thatproject done because generally we'll have a single developer or twodevelopers working on a project," he says. "Where I'm a littlejealous is I don't have that large throng of business analysts,developers, and testers to throw at something to get it donequickly. By the same token, I have a lot more control, and I canget my hands around what we're doing."

"You don't always need to be terribly formal or structured, butyou do need a framework to follow," according to Travers. He citesSix Sigma as an example of a methodology in which companies becomeslaves to the discipline. But while companies may follow every ruleand regulation, they may not have seen positive results. The samecan be said of IT governance. "You need some touchstones," hesuggests. "Perhaps it's enough you establish a strategic plan forstructuring IT, depending on the sophistication of theorganization." A framework is needed to say a goal has been met,says Travers. "If you haven't succeeded, where did you missfollowing your own layout as your governance model, and how do youcorrect it?" he asks.

The Ranking Process

Penn National ranks projects in terms of economic payback,information needed to improve performance, and competition. Thosethen are weighed against the IT risk.

The cross-functional team prioritizes the projects, which nextare assigned to the PMO that allocates the resources and does theplan organizing and reporting. "Alignment is not new," commentsJenkins. "But it's certainly not a given, either. When you areasked to do more with less, you have to pick and choose what's bestfor the organization."

Penn National also assigns a senior sponsor from the business tooversee the particular project. If it's an underwriting project,there is a senior sponsor from the underwriting discipline,generally the chief underwriting officer, indicates Jenkins. Theproject manager reports directly to the senior business sponsor. "Iact as a surrogate to that," says Jenkins. "The PMO reports to theCIO, so it's my responsibility to see the projects get done."

Travers also notes the proliferation of project managementorganizations in the industry. "The characteristics of a PMO reallycan be adapted and applied quite readily into an IT governancemodel," he says.

Maintenance and Such

IT always is the champion of security and infrastructureprojects, claims Goldberg. Colorado Farm Bureau does not have asecurity officer in its organization. "It pretty much falls on myhead and my infrastructure manager's head to keep an eye out forthose items," he says.

Maintenance issues that come up need to be addressed quickly,continues Goldberg. "If you have a systems problem, it has to beaddressed right away," he says. "There isn't time for it to go intothe formal process." When carriers' have limited resources, theyface problems such as having the same person who has developed aparticular functionality that's no longer working being the sameperson who is supposed to be working on a new initiative. "Wehaven't taken it to the point where we have maintenance developersand systems developers," says Goldberg. "In our monthly planning,we allocate a certain number of preset hours to maintenance. Weknow historically how much we spent, and we allocate that number ofhours. When we go into our steering process, it makes it morerealistic to determine how many hours we have for newdevelopment."

Penn National's cross-functional team looks at maintenance andsecurity projects, as well. "When I have to take resources to doinfrastructure-type projects, I want those folks to understandthat," asserts Jenkins. He explains to the team there is a universeof people in IT, and out of this universe, a certain percentage isneeded to keep the lights on. The team then can carve what's leftto do the strategic projects. "We start off with saying what'savailable, and if they feel the business case is such, we goupstairs to see whether we can get budget buy-in," he says.

Keeping on Track

It is easy for chaos to set in with the IT department, Traversbelieves. Rather than follow a formal process, a business user willcall his friend in IT to get a fix done. The IT person feelsobligated to do it, and it throws off some other project. "Can youimagine that happening 10 to 20 times a day?" asks Travers. "Eventhe small companies need some protocol to operate. There has to besomething people can turn to and say this is what we're doing andwhy."

The whole point of a governance model is to make sure people aredoing the things they are supposed to be doing and spending onthings they are supposed to be spending on, remarks Travers.

The business side appreciates how much goes into maintenance andhow IT manages time, in Goldberg's view. "In the IT shop, youalways have the issue of a user tapping one of your resources onthe shoulder and saying, 'Can you help me out with this?' and a dayand a half later, that resource still is helping that person," hesays. "We've put structure around that. Our resources know thefirst words out of their mouths are, 'Have you talked to so andso?' We push them into that formal process. I think some folks area little unhappy about going through the process, but it's reallyto manage those resources. Otherwise the month is finished, andyouhaven't got anything completed."

Inevitable Despite SOX

Any time a company is dealing with limited resources, Jenkinsfeels it has to prioritize the work it is going to do. "Even beforeSarbanes-Oxley, governance was a big issue," he says. "But what hashappened is more and more regulation has taken away from theresources. The discretionary piece of your pie dwindles downbecause you have to do Sarbanes-Oxley-type work."

With a company the size of Colorado Farm Bureau, IT is highlyinvolved with the running of the business, according to Goldberg."It's a matter of necessity," he says. "All the departments do themost with the people they have available. We don't have extraunderwriters to help manage underwriting projects. There is a heavyreliance for the IT analysts to be involved in solving the issuesof the company."

IT sits with the rest of the management staff so it is part ofthe decision process, explains Goldberg. Things have shifted backand forth, though. Five years ago, Colorado Farm Bureau wasattempting to have more reliance on the end-user departmentsmanaging the systems around those areas. But as the complexity ofthe systems has increased, the carrier pushed that responsibilitycloser to IT. "We still like to have a nice balance of end-userparticipants because without it you're not going to be successful,"he says.

Business Understands IT

The industry is better off today, Travers contends, becausetechnology is in the hands of business people and they findthemselves doing some of the work. "You can tweak a businessprocess yourself without waiting on IT as long as you follow theright change control methods," he says. This has allowed businessto become more aware of what IT has to go through, what IT has atits disposal, and what IT's responsibilities are.

One key is to understand there are no IT projects; there arebusiness automation projects. "The black-box days where you had amonolithic IT department in the next building and never the twoshall meet are going away," he claims.

While those days are disappearing, they haven't vanishedcompletely. "There still are a few companies that just have anincredible separation between IT and business," Travers says. "It'shard to believe, but it is culturally woven in that change doesn'tcome easy for those organizations."

Goldberg predicts more senior management involvement in theaffairs of IT will remain a constant because of scarce resourcesand the amount of automation the insurance organization can use."There always is so much more pent-up demand on where we can go,"he says. Today, while business is the driving factor, there stillis work to be done. "The business side needs to take full advantageof the technology that is available," Goldberg concludes.