King III requires a new level of involvement from business executives in Information Technology (IT) decisions. This is a good thing, but King doesn’t explicitly define what these decisions must be about, other than to say that executives must mandate their IT department to do IT ‘stuff’ – just what that ‘stuff’ is remains ambiguous.

But there’s help for executives in the form of a Harvard Business Review article written by Jeanne W Ross and Peter Weill entitled: ‘Six IT decisions your IT people shouldn’t make’.

The first decision is one that we are asked often: ‘How much should we spend on IT?’ At the heart of this question is an underlying concern that the company is spending too much or too little on IT, and if we can just get the funding right, all the other IT issues will resolve themselves. Although this is a business decision, not an IT one, the problem is that many executives feel unqualified to answer the question, so they look to industry benchmarks to get an independent yardstick for their IT spend. A small pause for  thought will show you that this thinking is flawed: Firstly spend on IT depends on the industry in which you operate; Secondly even the best benchmarks – and there are few – will give you a range of historical IT spend for the industry. At the bottom of the range are those companies spending just enough on IT to stay in their chosen business, while at the top of the range may be those companies who use IT aggressively to gain competitive advantage; Thirdly, benchmarks are notoriously vague – some compare IT spend with revenue, others with operating costs; and finally, who says that companies are spending their IT funds effectively?

So the real decision to be made by non-IT executives is: ’What is the role that IT plays in our organisation?’ and only then can you establish a company-wide level of funding that will enable IT to fulfil that objective. Successful companies match their IT spend to their strategies, not to industry benchmarks.

The second question that executives should not leave to IT is: ‘What business processes should we fund?’ Recently we spoke at a conference entitled: ‘Do more with less.’ Sadly this is another misinformed strategy for IT. Provided IT is moderately efficient, then they can only ‘do less with less.’ So the trick for executives is to decide what business activities they need  IT to support or develop, and then to fund IT fully in this. The difficulty lies in deciding what business activities they want to stop IT funding for – this is a business and often, political decision. Don’t let IT decide for you.

The third question is to do with how IT supports the business: Which IT capabilities should be company-wide and which should be local? The downside of company-wide IT systems is that they must necessarily be standardised and relatively inflexible. So the question that executives need to answer is: ‘What business units / processes need to be agile and flexible?’ There is a cost to non-standard IT, both in terms of loss of synergy and support costs, so this decision should again be taken by business executives. Under constant  pressure to limit IT costs, your CIO will want to standardise and centralise everything. So make a considered decision on what business activities will be allowed to operate outside the frame, and then mandate IT to support these activities.

The fourth question seems to be a sine qua non: ‘How good should our IT services really be?’ The executive who believes that IT services should universally be the best, is missing the point that being the best costs money – lots of it. There is a logarithmic increase in IT costs the closer to perfection you try to get. So sub-second response times in a slow-moving business may be costing you much more than it’s worth. Executives need to decide what their business priorities are: Do they need near-perfect reliability, the quickest response time, or water-tight security, or lowest business risk? Each priority costs money and  each often contradicts others  in IT terms.  Again, because the CIO gets it in the neck for less than perfect service, he or she will try for perfection  - with the attendant cost implications.

The fifth question that shouldn’t be left to IT is: ‘What security and privacy risks will we accept?’ Again we have a trade-off: Great security and privacy is possible, but enormously inconvenient to the average business person, not to mention your customers and suppliers. We know of one system that was designed with three levels of security, including fingerprint access to systems, and time-outs after inactivity, but it was essentially unusable by the operators and deeply annoying to customers just trying to get a query answered. The system was scrapped after the company had spent some R80 million, and a new, more useable but less secure system was developed from scratch. However there is a balance between risk and convenience, and this is a business decision, not an IT one.

Finally, Ross and Weill, suggest that the decision as to ‘Who gets the blame when an IT initiative fails?’ should be in the business domain. It’s a sad fact that a significant number of IT projects fail outright or in part. It’s also a common refrain that the business value of any system is never realised. If you want to apportion blame, then you should know that about 30% of the problem is IT’s and 70% lies in the business. So savvy executives assign a business person to be accountable for every It project, and they monitor progress on an on-going basis. And when the blame-game starts, they know to look to the business first.

Very few of these six decisions should be taken without IT input though. If you have the right CIO, then he or she will have valuable contributions  to your decision making. But they’re your decisions.

There are many other decisions that should be taken by business executives, but these six will establish the roles that IT should play in the organisation, and will go a long way to ensuring your company’s compliance with the IT requirements for King III.