Australian standard published for IT governance

news
Australia’s peak standards-setting body in late December claimed to have published what it described as “a significant new standard” that would support organisations in successfully governing major information technology projects.

In some sectors in Australia, the governance of major ICT projects is currently in crisis. For example, in June last year, Queensland’s first whole of government comprehensive ICT Audit found that ninety percent of the Queensland Government’s ICT systems were outdated and will require replacement within five years at a total cost of $7.4 billion, as Queensland continues to grapple with the catastrophic outcome of years of “chronic underfunding” into its dilapidated ICT infrastructure.

Similarly, in November 2011, Victoria’s Ombudsman handed down one of the most damning assessments of public sector IT project governance in Australia’s history, noting total cost over-runs of $1.44 billion, extensive delays and a general failure to actually deliver on stated aims in 10 major IT projects carried out by the state over the past half-decade.

In what appears to be an attempt to put some discipline around these types of projects, for some time Standards Australia, the non-government body tasked with setting standards in Australia, has been working on a new standard for IT governance. In late December last year, the organisation finally published the document.

“The standard has been prepared to set out how significant IT projects can benefit through the use of appropriate governance frameworks and principles,” said Bronwyn Evans, Chief Executive Officer, Standards Australia, in a statement (PDF). “As the world we live in continues to change rapidly, organisations need to consider how they can deliver effectively today, while investing in technology for the future.”

Evans said guiding successful projects, driving change within organisations, and achieving desired business outcomes, requires clear engagement between governing bodies and their senior executive. “Organisations undertaking significant IT projects will find this is the ‘go-to’ document when it comes to linking governance and management,” said Evans.

Max Shanahan, Project Editor and Member of Standards Australia Technical Committee, IT-030, said AS/NZS 8016 offered a model of engagement between an organisation’s governing body and management. “It is based on the model outlined in ISO/IEC 38500:2010 Corporate Governance of Information Technology and is designed to raise awareness among boards and executives of their governance responsibilities,” Shanahan said.

Shanahan said the standard was also designed to assist members of governing bodies, who are required to evaluate business cases for major IT-related investment decisions, without having the benefit of a technology background.

Technical Committee IT-030, ICT Governance and Management, was responsible for the development of the standard.

Committee members include representatives from the following organisations: Australian Computer Society; Australian Industry Group; Australian Information Industry Association; Australian Institute of Company Directors; Australian Taxation Office; Consumers Federation of Australia; Council of Small Business Organisations of Australia; Department of Finance; Department of Industry; Department of State Development, Business and Innovation; Governance Institute of Australia; ISACA; ISACA Wellington Chapter; National ICT Australia; New Zealand Computer Society; Project Management Institute; Queensland Government Chief Information Office; The IT Service Management Forum, Australia; Web Science Australia; and Women on Boards.

The actual standard is not available for public viewing. Standards Australia appears to charge between $90 and $172 for access to it, through a commercial organisation known as SAI Global which separated from Standards Australia in 2003. The organisation has placed a number of restrictions around various copies of the document — for example restricting the numbers of copies that can be printed or whether it can be distributed.

opinion/analysis
I am in two minds about this kind of standard. On the one hand, Australian IT project management is in such a disastrous state, in both the public and private sectors, that I would welcome anything that would help stop billion dollar IT disasters such as Queensland Health’s payroll systems upgrade from happening again. Anything.

On the other hand … I can’t help but feel as though the whole way this document was created and is being distributed is a little suspect. If you examine the list of organisations consulted on its development, what becomes apparent is that very few actually do work on IT project management, and some — such as the Queensland Government’s central office of the CIO — have a notably poor track record in this area. What, one might ask, could the Queensland Government possibly contribute at this point to a meaningful discussion of IT project management?

Then too, the way this standard is being distributed feels a little wrong. $90, for an IT project management standard of only 24 pages that can only be used for personal use? $172, if you want to be able to distribute that same document around your organisation? This feels a little strange. Sure, this is a trivial cost for any large organisation, but then 24 pages is a trivial amount of content to address the extremely complex problem of IT project management.

If the document is going to be that small, it should be distributed for free, especially considering Standards Australia’s link with the Federal Government. If it’s going to be larger and more complex, it would be more legitimate for Standards Australia to levy a charge for it.

Then too, the whole concept of setting a “standard” for IT project governance is a little strange. Sure, every major IT project needs a project management office. Sure, there need to be standardised controls put in place to ensure constant vigilance against things going wrong. However, most major IT projects are highly iterative these days and need to move quickly. In this sense, it’s usually the quality and experience of the staff involved in those PMOs rather than the pure standards in place that will govern success, in my view.

Standards Australia got its start back in 1922 setting standards for things involved in the construction and engineering fields which had to be made a certain way — otherwise buildings would collapse. I’m not entirely sure that it’s appropriate to be applying the same process to the tricky field of IT project management.

Perhaps I’m wrong about all of this and am being way too harsh. In any case, it will be interesting to see if the new standard gets any traction over the next few years.

11 COMMENTS

  1. Renai – it is a standard for “Governance of IT enabled projects”, not IT Governance (refer COBIT5 for example). Very different animals.

  2. Hi Renai

    Happy New Year!

    You’re a bit off the mark here, IMHO. And, if you’ll forgive a tongue in cheek comment, I note that Delimiter 2.0 isn’t free and I understand it has less than 28 pages :)

    I think you might need a brief on the standards production process and Australia’s world respected leadership in the area of IT Governance standards. I can get Standards Australia to help if you are interested.

    Cheers

    John

    • hey John,

      happy New Year to you too!

      I’m not sure that I need a briefing … perhaps you could inform me and the Delimiter readership how I’m off the mark?

      As for Delimiter 2.0 … it’s not a standards-setting body for an entire nation, so I don’t have an obligation to the public — I can charge whatever I want.

      Renai

      • First, let me describe, for those who don’t know, how Standards Australia works. I have extracted this information from their brochure (available at: http://www.standards.org.au/OurOrganisation/AboutUs/Documents/Standards_Australia+Australian_Standards_20120816.pdf):

        Who is Standards Australia?

        As Australia’s peak Standards body we facilitate and manage the development and maintenance of Australian Standards and other related solutions including Handbooks, Guides, Technical Specifications and Technical Reports.

        We do this by providing a neutral meeting ground and rigorous framework in which government, industry, consumer, academic, professional, community and employee bodies can discuss and debate issues with the aim of developing Standards solutions. Our processes are based on balance of interest, transparency, openness and consensus.

        Standards Australia is also responsible for ensuring Australia’s viewpoint is heard and considered in the development of International Standards, and their subsequent adoption as Australian Standards. This role is vital in assisting local industry to compete in international markets. We are Australia’s representative at both the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).

        Standards Australia is not part of government or a regulator. We are not responsible for enforcing compliance or certification with Australian Standards.

        (from their website) Government Relationships:

        Standards Australia is an independent company, not directly associated with government, although the Commonwealth Government and State governments are listed among our Members.

        However, the important role of Standards in any advanced nation’s technical infrastructure means that a close and co-operative working relationship with government is essential. To ensure this, a Memorandum of Understanding (http://www.innovation.gov.au/industry/TradePolicies/TechnicalBarrierstoTrade/Documents/StandardsAustraliaMOUsigned17May2013.pdf) has existed between Standards Australia and the Commonwealth Government since 1988. The Memorandum recognises Standards Australia as the peak non-government Standards body in Australia.

        This Memorandum details the accord that exists between the two parties in respect to Australian standardisation. Among the principal accords are that no Australian Standard will contravene the World Trade Organization’s requirements that national Standards should not be used as non-tariff barriers to free trade; and agreement that no new Australian Standard will be developed where an acceptable international Standard already exists.

        Standards Australia is a non-profit organisation. Its annual report details its funding and expenses (http://www.standards.org.au/OurOrganisation/AboutUs/Documents/SA-AR2013.pdf). As I understand it, 14% of its funding comes from a government grant and 20% from royalties (sale of standards). If it didn’t charge, I assume it couldn’t do as much work – 228 standards produced and 55 amended in 2012/13, and a lot of additional work (see the annual report).

        How is an Australian Standard created? (copied from Standards Australia)

        Our Standards Development process is based on the key principles of transparency, consensus, broad-based and balanced expert committee representation. This process is regarded as one of the most rigorous in the world and remains the cornerstone of our organisation.

        Before a project to develop a new Australian Standard or revise an existing Australian Standard commences, there needs to be demonstrable evidence that the Standard will deliver a net benefit to the Australian community. Stakeholders also need to demonstrate that there is sufficient industry and stakeholder support for the development of the Standard.

        Our policy is to base the development of Australian Standards on current International Standards, avoiding unnecessary duplication and allowing us to apply the requirements of the World Trade Organisation Agreement on Technical Barriers to Trade.

        We continually review, refine and improve our project management processes, skills and operational capabilities to ensure the effective delivery of Standards and to maximise the valuable time of our expert Committee Members.

        Why a governance standard?

        The value of governance in IT is explained in this Standards Australia publication (http://www.standards.org.au/Documents/SA-Value-in-Governance-in-IT.pdf), produced last year.

        What does Australia know about this?

        The first international IT governance standard (ISO/IEC 38500 – described here in an ISACA article http://www.isaca.org/Knowledge-Center/Documents/COBIT-Focus-ISO-38500-Why-Another-Standard.pdf) was fast tracked, largely unchanged, from an Australian standard AS8015, published in 2005.

        ANAO’s better practice guide on public sector asset management references the use of ISO/IEC 38500 (http://www.anao.gov.au/bpg_assets2010/HTML/4_2_Standards_and_Code_of_Practice.html).

        A broader, international, IT governance capability has grown out of this work. In November 2013, the international ICT standards body (JTC1 – http://www.iso.org/iso/jtc1_home.html) created a new subcommittee, SC40 – IT Service Management and IT Governance (http://www.iso.org/iso/home/standards_development/list_of_iso_technical_committees/iso_technical_committee.htm?commid=5013818). Australia was selected to provide the Secretariat and Chair of this body (see disclaimer below).

        My summary: Renai, I think you have been too harsh. The process for producing Australian Standards is rigorous and well regarded internationally. It is funded from royalties on standards, investments and, to a lesser extent, by government. IT Governance standards are useful and Australia’s work in this area is internationally significant.

        [Disclaimer: As part of my work, I chair the Standards Australia Strategic Advisory Committee on JTC1 (http://www.standards.org.au/Documents/JTC%201%20SAC%20schematic%20overview%20-%20updated%2008102013.pdf). In that capacity, I have led the Australian delegation to the last three JTC1 annual plenary meetings. In my personal professional capacity, encouraged by my then employer (Defence), I was a co-author of AS8015. In that same capacity, encouraged by my current employer (Finance), I was appointed the inaugural chair of SC40 in November 2013. Separately, as part of my standard employment agreement, Finance funds my membership of ISACA.]

  3. Whatever the contents are, it would be reasonable to assert that there will be a flood of such offerings onto the market for addressing “governance” on the back of the significant amount of failures. We saw this over a decade ago with corporate governance post HIH/Enron etc, which then dropped down into IT governance and the very heavy methodologies such as prince 2/MSP which have been instituted by government on the back of historic failures.

    Point being, process compliance and tick box approaches typically proliferate after a period of major failure. Management can say they have done something to remedy the issues so such failures won’t occur again.

    Trouble is, it doesn’t. The culture of burying bad news etc etc. remains… It’s all good, that’s what they all want to hear.

    But the consultants and managers, they can say they have taken all reasonable measures to put in place best practice governance, etc etc.

    For us that have been around, we are going around again for another cycle.

    • It’s probably worth mentioning that these new frameworks and Project Management methodologies* have enabled the executive levels to engage in the even bigger and more disastrous project failures that Renai so often decries.

      Simple, rigid structures are no way of building complex systems.

      * Prince 2 & ITIL, the current re-org darling, methodologies bought in at huge retraining and implementation cost from the UK where they had already run projects to massive failure and costs. See the UK DHS IT upgrade for a perfect case study in how to screw up a major IT project.

  4. Renai,

    I’m going to endorse and amplify John Sheridan’s comments.

    Sadly, your opinion as expressed suggests that you are poorly informed. Bluntly, you don’t know what you are talking about!

    Standards take many forms. Some are highly prescriptive – the classic illustration being the standards for screw threads. Others are very intentionally designed as advisory documents – conveying best practice without prescribing structures and processes that might not suit the situation. AS 8015, its successor, ISO 38500 and, now, AS 8016, are all advisory standards. Further, these standards are designed for use and attention of people who are not well served by the numerous methodologies that exist today – the top executive and the board of directors.

    You suggest that the standard might not be competent because the organisations involved are not known for working in IT project management. Well mate, I have long experience in IT project management and I have had significant involvement in development of AS 8016 – and I am far from the only one. This is clearly a case where you need to get your facts straight, Renai!

    You make a comment about PMO’s, suggesting that establishing a PMO might be a central part of the guidance in the standard. Where did you get that idea? AS 8016 makes no reference at all to project management offices. And with due respect to all the people who work hard in PMOs, even the best PMO is powerless when key players in project success, such as business executives, fail to follow the principles laid down in ISO 38500 and expanded in AS 8016.

    You also damn people by their association. Queensland Health may well have delivered one of the most significant IT project failure lessons of all time – but that doesn’t mean that everybody who works for the Queensland Government is incompetent!

    As for the price – are you really complaining that SA did not give you a free copy so that you could deliver an informed and balanced review? As you say, the price is a drop in the ocean compared to the money wasted on failed IT and a pittance compared to the money organisations waste trying to fix the governance failures with yet more methodologies.

    And history might be worth bringing into perspective here. The first work on AS 8016 began more than ten years ago, in 2003. This is certainly not another “leap on the bandwagon” of creating another tick-the-box methodology in the wake of project failures. Indeed, one of the things the people who delivered AS 8016 took into account was the fact that tick-the-box methodologies did not prevent failure. Who could forget the Customs CIO in 2005 telling the AIIA how Customs had the best IT governance (based on tick the box methods) in the Australian government, at the same time as ports around the nation ground to a halt because the new imports management system did not work! The breakthrough insight coming from the committee responsible for all these standards is that behaviour of the organisation and its leaders and managers is critical, and that’s why these standards are all structured to explain principles for good governance and good behaviour.

    As for gaining traction – even the Australian Institute of Company Directors now informs its members about governance of IT as described in ISO 38500. Good quality, insightful journalism is another channel by which experimentation, if not outright adoption, could be encouraged.

    Disclaimer: Like John Sheridan, I have been involved in the development of AS 8015, ISO 38500 and AS 8016 for more than ten years. I have a high degree of personal investment in these standards, and I scratch out a living explaining them to anybody who will listen. So far, people have listened in London, Frankfurt, Amsterdam, Brussels, Singapore, Dubai, Johannesburg and many other cities, as well as all Australian capitals. These are GREAT Australian contributions to the world, and they deserve informed support.

    Rant over. I look forward to a return to your usual high standard of Journalism, Renai.

  5. Hi all
    As the editor for the standard, I thought I should add my two bob’s worth. First I hope people do read the standard despite the fact that they will have to pay for it. I also hope they come back with ways to improve it rather than criticising it unread.

    In regard to the comments “few actually do work on IT project management” I have had almost a 50 year career starting as a programmer then manager in the 60s and 70s, an auditor in the 80s and 90s and now in semi-retirement with involvement in several audit committees. The others who contributed have backgrounds in project management or governance and are current practitioners. All contributing their time for free.

    From my perspective, particularly as an auditor, I have seen the best and worst of projects and have come to the conclusion that we need to encourage the right people to be involved in decision making at the right time and for board and senior executive to take responsibility for ensuring success. The standard is principle based to try to avoid a focus on rigid methodologies. Feedback on whether we are successful would be appreciated.

    I understand the cynicism of some of the responses because I have seen the results of failure and poor governance (and in the 70s experienced the disenchantment of being involved with a failed project). I have also seen the benefits of good experienced project managers and methodologies like prince 2 (and ran a project office for a while), but I have also seen problems that occur when methodologies are poorly or rigidly applied. I am also a fan of agile methodologies, particularly to engage business, when applied properly, but they can’t overcome the problems of poor decision making at senior levels.

    As I have said please read and see if you can use it to get the message to the right people within organizations.

    Regards
    Max

  6. Hi everyone,

    thanks for your comments on this issue — particularly those involved in the standard. Your comments are very much appreciated.

    If I could frame the discussion a little, I think what we have here is two very divergent views.

    Those on the inside of the development process appear to see the production of this standard as another step in a path involving many years of work, with many highly informed stakeholders, and see the actual document as useful and an important part of Australian IT project management frameworks — a positive step forward towards a better understanding of this field for everyone, with better formalised structures.

    Those on the outside tend to see this kind of thing as a bit disjointed from the real world. If these kinds of standards have been being developed for so long in Australia, and if the standards distribution process is working, one might ask, then why are we seeing such a complete and abject failure — an accelerating failure — of public sector IT project management? It’s not hard to be cynical about this process when it doesn’t seem to be generating results.

    Remember, we’re not talking about a few one-off IT projects failing within the Queensland and Victorian governments. The past several years of audits have made it clear that what we’re seeing in those states is a systemic and comprehensive failure of the states’ fundamental ability to deliver IT project and services. If you doubt this, I recommend you read these two articles:

    http://delimiter.com.au/2011/11/23/vic-government-it-in-flames-1-4-billion-over-budget-all-projects-late-or-failed/

    http://delimiter.com.au/2013/06/07/systemic-business-risk-90-of-qld-govts-ict-needs-to-be-replaced-total-cost-7-4-billion/

    I am sure the truth is somewhere in the middle: The standard, and prior standards in this area, are likely helpful, and helping to make a positive impact. However, it is probably also true that these types of standards are not being as widely distributed as their authors would perhaps like, and even when they are, they’re likely not being implemented, or perhaps even understood, well enough to stop the acceleration of IT project failures in Australia’s public sector.

    My personal view of this situation remains the same. I see this standards production effort as useful and productive. But I don’t see it as particularly effective in the current climate. This kind of thing seems to me to be a little bit like trying to slap a bandaid on a critical wound. It’s still first aid, but it’s not the kind of high-profile, high-effort, emergency response which our problems in this area need.

    One final thing: In terms of the access fee for the document, I’m sorry, but I’m not going to pay that. In fact, the truth is that I can’t pay it. Not because I can’t afford it. Delimiter certainly has a budget for acquiring these kinds of documents. But if you read SAI Global’s terms of access, even for the most expensive version, it’s very clear that any use I might make of the document as a journalist — publishing it, writing about it in detail, analysing it etc — would likely breach the copyright inherent in this very highly protected document. This is some strong legal protection here, aimed at monetising this document as highly as possible.

    I would like those criticising my article to bear this in mind. Standards Australia issued a media release on this issue, and I merely rewrote that media release and commented on it a little. Because that’s all I could do.

    If Standards Australia would like to see further discussion of this standard on Delimiter, then I would encourage it to open the kimono a little. Because as it stands, despite the strong degree of public interest inherent in discussing this issue, my hands are more or less tied.

    Cheers,

    Renai

  7. Great discussion from all points of view … thanks! Clearly these sort of standards are necessary and plug a gap in the body of good practice guidance for executives and IT practitioners.

    ‘Necessary, but not sufficient’ is the issue really isn’t it? Somehow we need to work harder at lessening the gulf that exists between theoretical notions of good practice and the reality of day-to-day operational activity at the coal face in many organizations. As Mark commented though, “behaviour of the organisation and its leaders and managers is critical, and that’s why these standards are all structured to explain principles for good governance and good behaviour.”

    Pragmatic guidance that sets an acceptable standard for executive expectations and behavior is a necessary starting point for improving the situation.

    Whether the commercial distribution model works is another question I guess … it’s a two-edged sword. Charging for the content provides a way to recover promotion costs and control distribution, but also creates a bottleneck vs. more open models (Wikipedia?). The proof of this pudding will be in the eating … let’s see how awareness and adoption is going in a year’s time huh? I suspect a more open approach will be more effective, but it will all depend on the degree to which demand can be created which overcomes the ‘friction’ of having to go through a procurement process to acquire the material. What is the marketing/social media strategy here? ;-)

    There is so much digital content around that it doesn’t take much friction for worthy material to lie neglected at the bottom of the pile … sigh!

  8. Renai, the divergence you talk about is the gap in execution.

    While the standards have been published, they are adopted to varying degrees by some. Many of us know from experience that many standards, in practice, are partially or poorly adopted or not adopted at all.

    No doubt, standards can be useful, when “appropriately” applied and adopted. Although perhaps not a panacea to the extent that some see them.

    For large complex programs/projects, just like a large complex organisation, you can’t read a manual to drive it successfully. Sound judgement, good execution, and a range of management and leadership skills count for plenty.

    But that manual or standard may assist to keep everyone informed (and reminded) of some of the basic principles involved.

    In my view:
    Do standards have a role? Yes. Are they the saviour? No. But then nothing will be. The problem is too complex to have a single remedy.

    Mark
