Digital transformation and the importance of culture, ethics, and behavior? It sounds familiar? It is – because this is a re-write of an article I originally posted on LinkedIn in 2016. Why do a re-post? Have I nothing new to share? It’s not that. It’s just that this is such an important topic, one that’s gaining increasing attention, and one that organizations continue to struggle with.
I’ve added in new links and made changes to the original post to provide new insights and tips that support the growing need to tackle this topic. And I want to use this post again as a call to action to the owners of best practices – particularly in this instance ISACA, the owners of COBIT – to produce more “how to” guidance and to shift the focus of COBIT from an “audit” instrument to that of an “enablement” instrument.
While I’m delighted that there’s a lot more attention around this people-related topic, there’s still – at least in my opinion – too little effort made in solving the issues. Partly this comes down to fear and not having the right leadership skills to tackle it, partly it’s down to lack of appropriate guidance, and partly it’s because of a lack of effective IT governance.
Why it’s important to address this now
Digital transformation seems to be one of the top trends at the moment – even more so since my first posting. Nobody seems to know what digital transformation is, yet everybody wants it, everybody thinks they are doing it, and many existing supplier products and services seem to be rebranded as “supporting and enabling digital transformation.” So that’s it solved then?
Not so fast!
In response to digital transformation we see many related trends, hypes, buzzwords, and emerging practices gaining prominence, such as customer experience (CX), DevOps, Agile, cybersecurity and resilience, and others.
Common critical success factors for all of these emerging practice areas seem to be culture, behavior, ownership, and leadership – i.e. people-related aspects. (Which is one of the reasons why we developed the ABC of ICT products – with ABC standing for “Attitude, Behavior, Culture” – back in 2006!)
Culture seems to be the popular “container word” the industry seems to be throwing around to cover these people-related aspects. It’s definitely the most common word I hear relating to digital transformation and the most common term I hear around one of the hottest sets of practices – DevOps. Here’s an article on this if you’re interested.
Yet the majority of organizations STILL struggle in these areas
And have done for the last umpteen years.
A recent article on CIO.com entitled ‘Digital Transformation – How is your organization adapting’ stated that “43% of CIOs cited resistance to change as the top impediment to a successful digital strategy,” going on to add that “Changing culture is key.”
A recent McKinsey report ‘Culture for a digital age’ confirmed this suggesting: “shortcomings in organizational culture are one of the main barriers to company success in the digital age.” And warning that “executives who wait for organizational cultures to change organically will move too slowly as digital penetration grows.”
A critical point for me in this report was this statement that: “Executives must be proactive in shaping and measuring culture, approaching it with the same rigor and discipline with which they tackle operational transformations.” This means more than the traditional best practice approach of burying your head in the sand and hoping it will change on its own. Which, after sadly observing this for the last umpteen years, I can say isn’t working.
Or another best practice to pro-actively throw it over the wall to middle managers and hang it up as one of their key goals – i.e. implement the new culture. Middle managers, poorly equipped to realize this, then adopt the brilliant strategy of telling their teams “You are now all self-empowered!” so we can blame them when the culture-change initiative fails. Rigor and discipline my foot!
Another recent article on CIO.com “Assessing your organization’s digital transformation maturity” mentions three key pillars for success, with People and Culture being one of them. Process and Governance being another and finally, not to forget (which we generally do), Vision and Strategy.
And finally, to set the scene, and to make the link to COBIT, I want to highlight one of those words in the three pillars: Governance. An article on CIO.com “What is GRC and why do you need it?” describes GRC as being “governance, risk, and compliance.” The article headlines with “GRC can help you align IT activities to business goals, manage risk effectively, and stay on top of compliance.” And unfortunately, the bit of this that is often skipped over is “align activities to business goals” – not “align activities to a set of controls and a tick-in-the-box”!
Where is the IT governance?
IT governance is certainly a topic that doesn’t gain the attention it deserves. In my mini world-wide surveys of 10,000+ people (executed using the rigorous, scientific approach of “Put your hands up if…”), less than 25% put their hands up to signify that they have formal IT governance practices in place!
Those that do often say that IT governance is translated as GRC, with the main focus being on risk and control/compliance. Although I totally agree that this is critical in today’s environment, it is only half of the governance equation, with governance being about performance and conformance.
The performance side of governance
The performance, or value, side of governance is gaining increasing attention though. But it’s not being translated into appropriate guidance and effort, and once again it’s something we struggle with – see this post from 2017.
Performance is the bit about “align IT activities to business goals”! But don’t worry, this isn’t just an IT issue. Recent MIT Sloan management review research revealed “only one-quarter of managers surveyed could list three of their company’s five strategic priorities.” And, even worse, one-third of the leaders… could not list even one! Who says we need any governance!?
But again, the “What is GRC and why do you need it?” article went on to add that effective GRC “will not be effective unless the organization's executive leadership really supports cultural change.”
Once again, those executive leaders are put in the limelight. Fortunately, those executive leaders don’t read CIO-related articles or attend our IT service management (ITSM) conferences. So, they’re probably blissfully unaware of this, and when the gooey culture stuff hits the proverbial fan they can fire some of the IT middle managers for not having “installed” the right culture. Am I being too cynical here?
Which is why I make my call to ISACA and COBIT. COBIT being the IT governance framework aimed at executives, and most closely aligned to current ITSM best practice such as ITIL. COBIT provides ITSM organizations with a stepping stone towards “the business.” Digital transformation requires a culture change from both business and IT people. COBIT is therefore a framework that’s applicable to both worlds.
COBIT for IT governance
COBIT, in my humble opinion, is an ideal framework for driving the governance of enterprise IT and solving many of the performance, conformance, and risk issues that the majority of organizations are struggling with.
The good news is that COBIT has a key enabler called “Culture, Ethics and Behavior” which can help address the people-related issues mentioned above. Sadly however, this enabler isn’t seen as sufficiently critical at the moment (at the time of my initial post in 2016) to warrant its further development.
I’m hoping that this article will provide ISACA with room for thought and persuade them to re-prioritize this enabler.
What does COBIT say about this enabler?
“Culture, ethics and behavior of individuals and of the enterprise are very often underestimated as a success factor in governance and management activities.” Having looked at the newly added links to industry articles above, I think we can confirm it still is.
I can certainly confirm this if we look at the consistent ABC issues chosen by hundreds of organizations, year in year out in our workshops.
COBIT goes on to add “Behavior is also a key enabler of good governance and management of the enterprise. It is set at the top—leading by example—and is therefore an important interaction between governance and management.”
Two top-scoring ABC cards chosen in IT transformation programs (in which a focus is to change behavior by adopting frameworks such as COBIT and ITIL) are “No management commitment” and “Don’t do as I do, do as I say.”
The COBIT enabler also talks about Good Practices. I have described these below, with some of my observations. These observations for me are a clear indicator of the need for this good practice to be expanded with some additional guidance, whitepapers, and cases in the next COBIT update.
Communication throughout the enterprise of desired behaviors and the underlying corporate values.
- My observation: Communication is a key issue (see the CIO article from 2015, mentioned in my original post). Here is a recent digital transformation article still showing a clear need to improve our business-focused behaviors and communication (see Scene 3 in the story).
- My observation: I see more and more organizations adopting new values such as “Customer and Service focused” and “Collaboration” (see article: values to create values). However, these remain more often than not “posters on the wall” and “well (or NOT) intentioned memos” and are NOT translated into the desired behaviors that demonstrate these values.
- My observation: Many organizations send their staff on training, e.g. COBIT, ITIL, and DevOps, to HOPEFULLY change behavior and support the new values. However, this is not explicitly translated into the training content (off-the-shelf certificates) and not facilitated in the transfer of theory into practice in the workplace. (See article: most training is a waste). A recent article we published for DASA on the 8-Field Model, a model which also features in an AXELOS whitepaper, will help focus on the transfer of knowledge to the workplace.
Awareness of desired behavior, strengthened by the example behavior exercised by senior management.
- My observation: There’s a need for improved leadership behaviors, with an important role of middle managers being able to manage the organizational change aspects associated with digital transformation.
- My observation: Many of the other observations I’ve made require leadership skills as opposed to management skills. Training programs – such as COBIT, ITIL, and DevOps – at the moment do not equip managers with these leadership skills. Although this is changing. The ITIL practitioner has now incorporated OCM (organizational change management) as a core capability. Here’s a recent DevOps-related article on the DASA site about the demands for new leadership skills. But although there’s a shift in the offer of this type of training, uptake does not reflect the urgency.
Incentives to encourage and deterrents to enforce desired behavior. There is a clear link between individual behavior and the HR reward scheme that an enterprise puts in place.
- My observation: Managers are not properly enabled to apply concepts such as “organizational behavior management” and effective “consequence management” (this is more than just blame and punishment!). Further, this is NOT just an HR reward issue. This is a management and leadership issue to reinforce appropriate behaviors.
- My observation: A recent online discussion with Steve Plante and Robert den Broeder resulted in an interesting LinkedIn post from Robert on effective ways to shape desired behaviors. Few managers are aware of such techniques.
Rules and norms, which provide more guidance on desired organizational behavior. This links very clearly to the principles and policies that an enterprise puts in place.
- My observation: We are very good at putting rules in place, e.g. ITIL-type process flows and procedures. However, the framework very often becomes the goal, not how the framework enables corporate values or desired behavior, nor how it relates to stakeholder needs and value creation.
- My observation: Very often we make agreements but confronting each other on agreements, giving feedback and ownership are rarely embedded in behavior and “the way we do things.” One of the key takeaways in our business simulation workshops is “an agreement is an agreement.”
People, skills, and competence
Another key COBIT enabler related to the people aspects is the People, Skills, and Competence enabler. This certainly helps toward addressing the IT Talent problem (mentioned in my original post, referring to an article from 2013!!) and mentioned more recently in the Gartner CIO Agenda (2017). Which reported: “...of the top barriers to successfully showing the value of IT, talent is the number one issue,” citing “...worryingly, these are the same issues that CIOs cited four years earlier in the exact same study.”
This enabler stresses the need for “Goals for skills and competencies relates to education and qualification levels.” Good Practices refer to defining the need for objective skill requirements for each role played by the various stakeholders.
My observations here are that: We see a growing emphasis on skills frameworks such as SFIA, ECF, and the AXELOS career development initiative. And we see vast amounts still being spent on education and certification in frameworks such as ITIL and COBIT. However, we see a poor focus on the facilitated transfer of learning to the workplace and translating theory into practice. The ITIL Practitioner publication (to which I contributed) is a good example of an initiative aimed at translating theory into practice. But, as an industry, we generally have a poor focus on learning-transfer activities and controls which I think this enabler could focus on. And a poor focus on demonstrating the value from training investments. We still focus too much on the education, theory, and qualification levels (certificates) and not enough on developing talent and practical skills. This was the subject of another of my posts: “Certification, yeah, cause that’ll solve everything.”
My conclusion is that the two enablers are critical for the success of digital transformation, and that the current business and IT relationship, and governance issues, are persistent and pervasive. And have been for many years, resting on cultural, behavioral, and leadership deficiencies.
Guidance is needed to address these issues. ISACA, in my mind, would do well to further develop guidance relating to these enablers. ITSM organizations would do well to use COBIT as a stepping stone towards the required executive leadership such that both effective governance and the necessary effort and commitment can be given to address these long-standing cultural barriers.
Why should the business care? COBIT also has the “goals cascade,” an instrument that we (in IT) can use in dialogue with the business to mutually agree the performance and value needs of the business to “align activities to business goals.” After all, surely that’s what we are both trying to achieve. Right?
If you agree with me, and recognize the need to change the way we deal with these long-standing culture challenges, then please contact ISACA to stress the importance of these enablers.
Will you do that?... Another top-scoring ABC card chosen globally is “Not my responsibility.” :-)