I received the results of a study compiled by the “Center of CIO Leadership” and sponsored by IBM.

The survey highlighted some interesting aspects:

  • 91% of the CIOs have a clear understanding on how to improve business through IT.
  • On the other hand, only 67% participate actively on the definition and improvement of corporate strategies.
  • 64% don't know how to build up their team.
  • 69% of the CIOs have difficulties to delegate responsibilities.

While the first number suggests a high level of IT-business alignment, the other numbers doesn't really support this view. Organizations obviously have understood that IT is relevant to the business.

But it looks like the main integration point is the CIO itself, obtaining little support from other parts of the IT organization.

That isn't really surprising in the context of two other topics Kuppinger Cole recently has researched. In our survey on the relationship of IAM and SOA which we have done in spring 2008, we observed that IT organizations are extremely siloed, with only little communication between different silos.

And in the context of GRC and the tight relationship between IT Risk Management on one hand and Enterprise Risk Management on the other, it becomes obvious that we need to rethink the role of the CIO.

To start with the last aspect: Given that GRC is one of the major areas of IT-Business alignment and given that the separation of IT Risk and operational risk is artificial, the role of CIOs has to be redefined. It might consider combining the roles of today's CIO with the one of a CCO (Chief Compliance Officer) or a CRO (Chief Risk Officer). That would be logical, if GRC is understood as the business control layer of IT (and not only Identity and Access Management). Managing risks and reporting about the status of as well IT as operational risks is a core part of that layer. Thus, the CIO as responsible for IT in fact is in charge of dealing with risks and major parts of compliance.

That would, by the way, automatically close the reported gap between IT and business, because in that case there will be even more business alignment of IT than we usually observe today.

Such a change would automatically raise the question of how to organize the IT. The CIO, in that case, would have to define strategies across all of today's siloes to fulfill his tasks. A strong IT strategy department which acts upon the business requests and the needs for business control would be at the core of IT.

This department has to set all rules for IT strategy, and especially guidelines for purchasing IT assets - software, hardware, and services.

The remaining parts of IT have to act as service providers, with defined SLAs. Based on SLAs, the services can be defined. The most important part will be the IT infrastructure, which operates IT. Other parts of the IT, especially the application related ones, can be as well part of the different business departments.

With a CIO in a central role as CIO/CRO/CCO, he would have enough power to control the enforcement of defined strategies and SLAs.

That approach might appear too far away from what we observe in today's IT organizations. In that case, at least a tight cooperation of CIO and CRO/CCO is mandatory. The IT organization itself, in that case, requires a matrix organization, which ensures that people from different siloes start working with each other. Clear guidelines for purchasing are required anyway.

Regardless of the preferred approach: It is time to act upon IT organizations, to support the threats of risk management as well as of IT/business alignment.