From the November 2006 issue of Tech Decisions

Made From the Finest Ingredients

Once upon a time, business solutions were known as IT solutions, technology was deemed too difficult for business users to understand, and the technology staff would tell department heads what the business users needed to gain more efficiency. Then came IT governance. Today, as governance matures, insurers find greater efficiencies and more controls are improving company performance and allowing business users to tell IT what is needed to make the business purr.

The pendulum had swung too far to the IT side of the house prior to IT governance initiatives, points out Bob Goldberg, CIO of Colorado Farm Bureau Insurance. "IT was implementing projects the business wasn't willing to support," he says. "They were IT initiatives, not business initiatives."

The control requirements for IT were not as stringent five years ago as they are today, according to Cynthia Saccocia, research area director with TowerGroup's insurance practice. Regulation has forced the business' hand on some of those controls. "As you started to peel back layers of exposure within an organization, the company began to uncover exposures in the technology areas," she says. "Now, governance has forced some things into IT that may not have been present in the past--better documentation and better controls."

What's New?

As IT governance matures, carriers are putting pockets of controls in place for different segments or requirements, observes Saccocia, pointing to areas that deal with compliance, particularly the regulations put forth by the Sarbanes-Oxley Act. Governance areas also are being developed around data standards, Web services, and outsourcing. There even is governance of the relationships between business and IT, she adds. "There are business disciplines brought forward to run IT like a business and to employ the controls, architectures, plans, and structures that are necessary to run what can be a very chaotic business," she says.

Glen Hobbs, director within the performance improvement practice for PricewaterhouseCoopers, sees governance expanding to defined areas such as portfolio management, demand management, data governance, service management, and outsourcing.

"There is a focus on building out those capabilities," he says. "It also varies depending on the size and nature of the organization and where the initiatives are being driven from. Several organizations begin [governance] as a more departmental or line-of-business initiative and grow out from there, depending on the organization's structure."

Hobbs doesn't classify breakdowns as holistic or formalized. "I think it's more organic than that," he says. "There's more focus on addressing specific pain points; that's the fundamental driver." He doesn't see smaller insurance carriers focusing on such breakdowns. Large carriers have more challenges in areas such as data, given the way they've grown through acquisitions that add multiple systems. "What's happening in the industry is there is more shifting away from product silos to customer-centric issues," he maintains. "The impact from a data perspective is quite significant. You now have data in multiple silos, and that's given rise to the focus on data governance."

What drives IT governance is the changing nature of the technology and the business demands, Saccocia believes. Insurers are moving toward more flexible environments where standards, reusability, and data controls are in place. "That is moving us in the direction of running things a little bit differently than we had in the past because you want people to adhere to procedures to get the continuity that's necessary," she says. "You want to put in some controls when you are evaluating new solutions, especially when you want to have reusability of components so you are getting the maximum value from the components you have and have more flexible choices. It does require some discipline. Discipline is [derived] from controls, and the controls are maintained by governance."

Premium Growth

Bill Jenkins, CIO of Penn National Insurance, contends governance has become important today because of the economic pressures insurers face. "We're struggling with premium growth like a lot of carriers, and as such, we look to cut expenses," he says. "Our budget is dictated by the amount of premium we write. So, if the premium growth isn't there, we have to do more with less." IT governance ensures the IT department does what the business side thinks is important for the enterprise to be competitive.

At Penn National, the IT department takes work orders from two sources: the senior executive management team, which decides the strategic projects that are more than $500,000 in budget, and a cross-functional team made up of the heads of the business units, such as actuary, underwriting, and claims. The cross-functional team looks at planned projects that fall under the $500,000 threshold.

Jenkins describes Penn National's project prioritization process as formal and rigid. "We try to promote the business bringing the project to us rather than the other way around," he says. "We use external folks to come in and give presentations to the management team on what's going on in the industry from an IT perspective, and that helps generate ideas for projects and such."

The senior managers at Colorado Farm Bureau get together monthly and discuss IT-related projects and IT-related resources, explains Goldberg. "In our model, we hash out the top priorities of the company, what we are working on today, what we plan on working on for the next two months, and we make sure we have alignment," he says. "That way we don't have the herky-jerky process of projects starting and stopping. As you jockey resources, everyone is in the same room talking about what we are going to do."

Better Control

With some of the big failures, SOX, the expense of technology, and the competitive cost of not succeeding with initiatives, insurers turned toward instituting better control and governance practices, asserts Rod Travers, senior vice president, Robert E. Nolan Co. He began to see the change toward IT governance as some of the industry's more expensive projects failed to succeed. "There were some significant flops back in the late '90s," he says. "That's when we began to see the real underpinnings of change." Another factor was SOX regulations that forced the documentation of practices and processes that had financial ramifications for the company. "These are things IT departments never had to deal with before," he says. "They found themselves documenting things and looking at management practices they never had used before."

Travers believes governance has been a greater challenge for midsize and smaller organizations than for larger organizations, which he feels developed discipline out of sheer necessity--size and scope of the organization and multiple organizations operating under one umbrella. "The larger organizations, to a great degree, have gone up the maturity curve and instituted much more formal management practices," he says. "The mid-tier and smaller organizations tend to lag behind."

IT governance differs dramatically between large organizations and the mid-tier, according to Saccocia. Mid-tier and smaller insurers don't have the resources to put in controls specific to functions or areas. "It tends to be one person trying to provide some oversight," she says. "There are a lot of moving parts in IT that need to have control, structure, and process in place either to run more effectively or to meet the requirements that have been put in place. It's a difficult job managing the operation. We're all running at 5,000 miles per hour, so we have to figure out a way to get it all done."

Game Plan

The project management office is one way companies are approaching governance, reports Travers. The Project Management Institute has established nine knowledge areas: project scope, communication, risk, budget, schedule, human resources, quality, procurement, and integration. "Those are the bases of a good governance model," he says. "Those organizations that have been involved in project management discipline tend to lean toward that as a governance model, with some additional governance modifiers and a heavy dose of user ownership of projects, results, and funding."

Some IT organizations are more mature, Travers points out. "They have a better track record and management practices in place that are working," he says. "Those tend to be IT organizations that partner with the business side."

There also are IT organizations that are less established or in need of upgrading some of their management practices. "Those organizations might serve as a service provider to the business and put the ownership of projects on the business side," says Travers. "When IT is developing solutions for business, the ownership and involvement from the business side are essential. The degree of that involvement depends on the maturity and capability of the IT organization."

Too much of governance is being run manually, Saccocia believes. She attended a user conference this year, she says, and one of the sessions was on governance controls and documentation. She discovered the execution and sign-off on governance for those insurers participating were done mainly through e-mail. "The automation of IT governance isn't there yet," she notes. "[Carriers] don't view the tools they are using in other parts of the organization the same way as they might to run the IT business."

One such tool that could help is an enterprise content management system. "A vendor could spin what it does as a governance solution, but in fact, it is the simplistic nature of content management--libraries, tagging, electronic signatures--that could be employed to automate the process," says Saccocia. "If a user profile had to be updated every quarter or six months, that automatically would occur if [carriers] used the technology they are putting into the business."

Flexibility Needed

Occasionally, new projects come up at Penn National that business and IT feel the need to discuss in terms of where they might fit in with the other priorities. In some cases, the carrier's project group would recommend the company pull the plug on projects. IT also provides status reports on projects already under way to determine what the benefits look like as the project unfolds. "If costs look like they are going to be much higher than projected, that group has the ability to say we don't want to go further on the project," explains Jenkins.

Penn National gives its IT application managers responsibility for business departments, serving as business relationship managers. "That's their customer," says Jenkins. "They need to make sure the projects and the maintenance for those units are being done based on what the business requires." The carrier also makes certain those business relationship managers are adding input into the business areas' planning processes with the idea the managers will educate the business people on technology availability, how technology can help business' operation, and what the resource limitations are, Jenkins adds.

As a member of the senior management staff, Goldberg points out there are cases in which the committee sees the need for something that hasn't been discussed before but requires immediate attention. "You have to be flexible about such situations," he says. "You have to be nimble to change directions. Here in Colorado, a few years ago, we changed from a no-fault state to a med-pay state. That basically changed overnight. We had to be ready to jump through that hoop, and some other items suffered."

Goldberg sees pluses and minuses in not being a large organization. "With a small organization I feel nimble, but other times, if you have a large project, we will take longer to get that project done because generally we'll have a single developer or two developers working on a project," he says. "Where I'm a little jealous is I don't have that large throng of business analysts, developers, and testers to throw at something to get it done quickly. By the same token, I have a lot more control, and I can get my hands around what we're doing."

"You don't always need to be terribly formal or structured, but you do need a framework to follow," according to Travers. He cites Six Sigma as an example of a methodology in which companies become slaves to the discipline. But while companies may follow every rule and regulation, they may not have seen positive results. The same can be said of IT governance. "You need some touchstones," he suggests. "Perhaps it's enough you establish a strategic plan for structuring IT, depending on the sophistication of the organization." A framework is needed to say a goal has been met, says Travers. "If you haven't succeeded, where did you miss following your own layout as your governance model, and how do you correct it?" he asks.

The Ranking Process

Penn National ranks projects in terms of economic payback, information needed to improve performance, and competition. Those then are weighed against the IT risk.

The cross-functional team prioritizes the projects, which next are assigned to the PMO that allocates the resources and does the plan organizing and reporting. "Alignment is not new," comments Jenkins. "But it's certainly not a given, either. When you are asked to do more with less, you have to pick and choose what's best for the organization."

Penn National also assigns a senior sponsor from the business to oversee the particular project. If it's an underwriting project, there is a senior sponsor from the underwriting discipline, generally the chief underwriting officer, indicates Jenkins. The project manager reports directly to the senior business sponsor. "I act as a surrogate to that," says Jenkins. "The PMO reports to the CIO, so it's my responsibility to see the projects get done."

Travers also notes the proliferation of project management organizations in the industry. "The characteristics of a PMO really can be adapted and applied quite readily into an IT governance model," he says.

Maintenance and Such

IT always is the champion of security and infrastructure projects, claims Goldberg. Colorado Farm Bureau does not have a security officer in its organization. "It pretty much falls on my head and my infrastructure manager's head to keep an eye out for those items," he says.

Maintenance issues that come up need to be addressed quickly, continues Goldberg. "If you have a systems problem, it has to be addressed right away," he says. "There isn't time for it to go into the formal process." When carriers have limited resources, they face problems such as the person who developed a particular functionality that's no longer working being the same person who is supposed to be working on a new initiative. "We haven't taken it to the point where we have maintenance developers and systems developers," says Goldberg. "In our monthly planning, we allocate a certain number of preset hours to maintenance. We know historically how much we spent, and we allocate that number of hours. When we go into our steering process, it makes it more realistic to determine how many hours we have for new development."

Penn National's cross-functional team looks at maintenance and security projects, as well. "When I have to take resources to do infrastructure-type projects, I want those folks to understand that," asserts Jenkins. He explains to the team there is a universe of people in IT, and out of this universe, a certain percentage is needed to keep the lights on. The team then can carve what's left to do the strategic projects. "We start off with saying what's available, and if they feel the business case is such, we go upstairs to see whether we can get budget buy-in," he says.

Keeping on Track

It is easy for chaos to set in with the IT department, Travers believes. Rather than follow a formal process, a business user will call his friend in IT to get a fix done. The IT person feels obligated to do it, and it throws off some other project. "Can you imagine that happening 10 to 20 times a day?" asks Travers. "Even the small companies need some protocol to operate. There has to be something people can turn to and say this is what we're doing and why."

The whole point of a governance model is to make sure people are doing the things they are supposed to be doing and spending on things they are supposed to be spending on, remarks Travers.

The business side appreciates how much goes into maintenance and how IT manages time, in Goldberg's view. "In the IT shop, you always have the issue of a user tapping one of your resources on the shoulder and saying, 'Can you help me out with this?' and a day and a half later, that resource still is helping that person," he says. "We've put structure around that. Our resources know the first words out of their mouths are, 'Have you talked to so and so?' We push them into that formal process. I think some folks are a little unhappy about going through the process, but it's really to manage those resources. Otherwise the month is finished, and you haven't got anything completed."

Inevitable Despite SOX

Any time a company is dealing with limited resources, Jenkins feels it has to prioritize the work it is going to do. "Even before Sarbanes-Oxley, governance was a big issue," he says. "But what has happened is more and more regulation has taken away from the resources. The discretionary piece of your pie dwindles down because you have to do Sarbanes-Oxley-type work."

With a company the size of Colorado Farm Bureau, IT is highly involved with the running of the business, according to Goldberg. "It's a matter of necessity," he says. "All the departments do the most with the people they have available. We don't have extra underwriters to help manage underwriting projects. There is a heavy reliance for the IT analysts to be involved in solving the issues of the company."

IT sits with the rest of the management staff so it is part of the decision process, explains Goldberg. Things have shifted back and forth, though. Five years ago, Colorado Farm Bureau was attempting to have more reliance on the end-user departments managing the systems around those areas. But as the complexity of the systems has increased, the carrier pushed that responsibility closer to IT. "We still like to have a nice balance of end-user participants because without it you're not going to be successful," he says.

Business Understands IT

The industry is better off today, Travers contends, because technology is in the hands of business people and they find themselves doing some of the work. "You can tweak a business process yourself without waiting on IT as long as you follow the right change control methods," he says. This has allowed business to become more aware of what IT has to go through, what IT has at its disposal, and what IT's responsibilities are.

One key is to understand there are no IT projects; there are business automation projects. "The black-box days where you had a monolithic IT department in the next building and never the two shall meet are going away," he claims.

While those days are disappearing, they haven't vanished completely. "There still are a few companies that just have an incredible separation between IT and business," Travers says. "It's hard to believe, but it is culturally woven in that change doesn't come easy for those organizations."

Goldberg predicts more senior management involvement in the affairs of IT will remain a constant because of scarce resources and the amount of automation the insurance organization can use. "There always is so much more pent-up demand on where we can go," he says. Today, while business is the driving factor, there still is work to be done. "The business side needs to take full advantage of the technology that is available," Goldberg concludes.
