CIO

The Dollar Dialogues

What a fictitious CIO would say to his hypothetical financial counterpart.

Wherein an imaginary dialogue between a CIO and a CFO identifies, analyzes and suggests strategies to resolve the long-standing divide between money and technology

In the lobby of LargeCo's corporate headquarters

CIO Harold Peeples: Hello. I'm Harold Peeples, CIO of LargeCo Pty Ltd.

CFO Ben Courtanes: And I'm Ben Courtanes, LargeCo's CFO. We should probably begin by telling the readers that we're not real.

CIO: That's right. We're a literary device being used to illustrate how a CIO and a CFO can have a frank conversation about their differences and biases. Sadly, real CIOs and CFOs don't always do this.

CFO: Yes. There's a communication gap between my office and yours. Some people have even called our disconnect a credibility gap. And when it comes to your department, I can see why they'd say that.

CIO: Are you saying IT's not credible?

CFO: Save it for the dialogue, Harold. Oh, that's right, our conversation will loosely follow a method called Socratic dialogue.

CIO: We won't bore everyone reading this with the rules of Socratic dialogue, since we break most of them anyway, but the idea is to let each person elucidate his own point of view, based on his experiences, so that together they can arrive at some common ground.

CFO: And while we're imaginary, the business cases we cite are not. Senior editor Scott Berinato interviewed a number of CIOs and CFOs in order to identify the issues that divide them. Is that everything, Harold?

CIO: Yes, Ben, that's basically it. We hope our discussion here gets CIOs and CFOs talking out there, in the real world.

On IT Project Failure

CFO Ben Courtanes: The first thing I'd like to talk about, Harold, is IT project failure.

CIO Harold Peeples: Well, that's a gloomy way to begin, Ben, but, OK, go ahead.

CFO: Numbers don't lie, Harold.

CIO: Spoken like a CFO, Ben.

CFO: Be that as it may, the Standish Group's numbers have shown that IT projects fail a lot, and that the bigger the project, the more likely that'll be the case. This has been true for decades. Can you blame me for being sceptical about IT?

CIO: It really depends on how you define "fail", doesn't it? I mean, just because a project misses a few deliverables, or has to be changed after it's deployed, that doesn't necessarily make it a failure. Maybe it's just less than perfect.

CFO: I'm not looking for perfection. But what you call less than perfect, the Standish Group calls challenged. Those projects end up with fewer features than you promised, they cost more than you said they would, and they take longer than you expected. That puts me in a bad position. If we pull the plug, we've wasted millions. If we don't, we risk wasting more.

CIO: That's a Hobson's Choice, Ben. I don't think we've been in that position here.

CFO: We're in that position right now with the wireless project. Your proposal promised all sorts of ROI for adopting a wireless network. You said we could save on networking costs and get more productivity because our workers could access the network from anywhere. But it hasn't worked out, has it?

CIO: OK, there've been issues. But by doing that project now, we're leapfrogging to next-generation technology. And we'll save money at the same time.

CFO: We will? When? After we've spent twice what we planned?

After the project started, you told me there was a problem because our buildings had steel in them. It interfered with the signals. So I come in one morning and we're tearing down walls. To date, that has cost an extra half-million. The whole thing's been going that way. Your support costs turned out to be twice what you said they'd be because you had to fix a security hole in the wireless protocol.

Even if this thing does save us money down the road, all these extra up-front costs have to be figured into the ROI. You can't just tack them on and pretend they don't affect us. When you say a few deliverables will be missed, I hear someone changing the business case on the fly. When support costs go up, I have to take money out of someone else's pocket. When you find a security hole, I see the risk profile changing completely.

CIO: But, Ben, this is the nature of software projects and, frankly, it's an inherent feature of any big challenge. What about when we take on a big merger? Remember when we acquired UpandComing Ltd? That started out as a happy story about synergies and complementary product lines. But after it was finalized, we started hearing about cultural differences, branding conflicts. That project didn't come off exactly as you hoped it would, either.

CFO: Point taken, Harold. Then again, we actively attempted to minimize the risk from the beginning. We created detailed risk models. We evaluated operating costs. We estimated market shares, workforce overlap.

CIO: Software projects are different. They pose hard-to-measure risks and sometimes offer hard-to-measure returns. We're dealing with an imperfect science here.

CFO: Imperfect yes, but also largely predictable. Lister and DeMarco's book on software risk, Waltzing with Bears, boils it down to the same five major risks for every project. They even built risk curves for them.

CIO: I know. I read it.

CFO: I'm not asking you to make IT projects fail-safe, Harold. That would be as foolish as you asking me to always keep the stock going up. What I'm asking for is a lot more discipline, especially up front. To measure risk. To consider all the forces that might affect a project, not just the ones from within your own silo. Think of it this way: Replace the word project with the word product. Would an automaker tolerate one recall for every three cars it made? What if half of Arnott's chocolate chip cookies crumbled before you could eat them, and another quarter didn't have any chips?

CIO: Actually, Ben, we've been trying to address your concerns on two levels. One, we've established a project management office to balance our project portfolio. We're starting to use some basic risk analysis. And two, we've adopted some agile development techniques to improve code quality and production efficiency.

CFO: That's a great start. But it's only the beginning. We need even more discipline and empirical analysis. Because all it takes is one troubled project to screw things up royally. When I got the update on your wireless project, tell you the truth, I started thinking about Nike's inventory mess. And that hospital in Boston that had its network go down for four days. I read about that in that magazine you're always dropping on my desk. What's it called? CIO? Story by some guy named Berinato? When these things go bad, you start talking about the vagaries of software. Me, I've got to account for it. Literally.

CIO: OK, Ben. I hear you.

On Continuous Upgrades

CIO Harold Peeples: Let me ask you, Ben - and I hope I'm not sounding snippy - but can a CFO really appreciate something when its value can't be expressed in dollars and cents?

CFO Ben Courtanes: Sure we can. For example, intellectual property. Biotech companies spend years and billions of dollars before they even have a product. How do you measure the value of that R&D? It's pretty much priceless. And morale. I don't know how to measure its value, but I know we have to invest in it.

CIO: Let me ask you this then: Is it possible that there's value in the continuous upgrade of our IT? Can you see the value in making sure our technology is as good as our competitors'?

CFO: No, I can't. And I'll tell you why. Low morale leads to lower productivity. Running low on our store of intellectual property can jeopardize future revenue. How much? Not sure. But I'm sure it'll happen. On the other hand, I can't see any cost from extending the life cycle of our IT systems. If anything, it probably increases ROI by reducing capital expenditures without really hurting operations.

CIO: You're wrong, Ben. There are returns from continuously upgrading IT systems - some we can measure, some we can't, both real. Let me tell you about the US Coast Guard.

CFO: Go on.

CIO: The US Coast Guard exemplifies what happens when you try to extend technology life cycles. Many of its boats are 30, 40, even 60 years old. In the late 90s, it finally was forced to start an upgrade process called project Deepwater. Replacing boats and aircraft, it turned out, would cost $US20 billion and take 30 years.

CFO: I'm impressed. In a horrified way.

CIO: Obviously, they didn't have $US20 billion.

CFO: Pity.

CIO: At least they couldn't get it all at once. So while they've started to upgrade some boats, they need to maintain a lot of others until there's money available to replace them. Now, you'll love this part. I'm going to use numbers.

CFO: Go for it.

CIO: A 30-year-old, 41-foot (12.5 metres) Coast Guard patrol boat costs $US2162 per hour of operation. The new boat the Coast Guard wants would cost about $US600 per hour. They could save on the order of 75 percent, $US1500 per hour of operation, if they had newer boats.

CFO: So if one boat works a 40-hour week, that's about $US3 million a year savings per boat.

CIO: Pretty quick, Ben. Not to mention a new boat could handle new missions, like homeland security, that the old boats weren't designed for. Just like the wireless project: leapfrog technology and save money at the same time.

CFO: I hope they don't have to tear down walls and patch security holes too.

CIO: I'll ignore that. Point being, the money the Coast Guard saved by spending almost nothing on capital investment over the years is being lost to maintenance on old boats it can't afford to replace.

CFO: You're saying that if you commit more capital year-over-year to maintain a smooth level of investment, you get a portfolio of better equipment that's less expensive to maintain. And you end up spending less than what you would ostensibly save by avoiding investment. I get that. But boats fall apart, Harold. And we're talking about stuff that's 10, 30, 40 years old. Servers, switches, that stuff doesn't rust or sink, and it seems like you guys want to upgrade it every half-hour or so.

CIO: In one sense, you're right. IT equipment doesn't deteriorate the way boats do. But IT systems are social; they live in a community of systems that interact.

CFO: I don't normally think of them like that, Harold, but I won't argue. What's your point?

CIO: This: If those other systems in the community improve and get upgraded - and ours don't - our systems become less capable of interacting with them. And if those other systems in the community are getting upgraded every half-hour or so, like you said, then, yes, we have to keep up.

CFO: Why?

CIO: Because IT systems deteriorate socially. So the company trying to save money by extending life cycles to the max ends up having difficulty with business transactions because the systems don't interact well with the newer, better, different systems all around them. Maybe the older systems don't support the right document format. Or maybe that old network gets a reputation for being less secure. Customers and investors lose confidence. The stock starts to sink like a, like a leaky Coast Guard boat.

CFO: OK, Harold, I get it. But why aren't those document formats standard? Why aren't there regulations demanding people secure systems to a certain baseline? In every other part of the business we've decided there's no competitive advantage to being on the kind of hamster wheel IT keeps us on. Nicholas Carr in that book, Does IT Matter? says the competitive advantage of IT innovation is gone; it's a myth. If he's right - and I think he is - we should stop chasing something that isn't really there.

CIO: You know I disagree with Carr, Ben. Maybe CIOs haven't done a good enough job demonstrating IT's competitive value, but if you want to test Carr's hypothesis, it's easy enough.

CFO: How?

CIO: If IT is just a commodity, then we can buy it like we buy paper clips. Lowest cost. And when our competitors start to beat us with new systems that our own systems can't even interact with, and we lose market share, and the stock falls, you can tell the board how much we saved by not upgrading.

CFO: That's a little overstated, don't you think?

CIO: Maybe a little, but the point is, you don't want to risk it, do you? You know the value of making sure our IT is competitive even if you can't express it as a number. So, Ben? Want to try buying lowest cost IT?

CFO: Maybe not right now.

On IT Security

CIO Harold Peeples: Remember the CRM system we implemented, Ben?

CFO Ben Courtanes: How could I forget? The personal data of 2000 customers was posted on the Internet.

CIO: Exactly. And I took the hit for it. But I still don't think I deserved it.

CFO: Didn't deserve it, Harold? How was a huge hole in our CRM not your fault?

CIO: The hole was there because I was told to go live by the beginning of the holiday season. Well, suppose I had come to you in August and said, sorry, Ben, but we have to do some more security work. That's going to add four months and $4 million to the schedule. And even then I can't guarantee it'll be completely secure.

CFO: What would I say? I'd say, why wasn't this in the original plan? I'd say, here we go again! Just like the steel in the buildings.

CIO: Then I'd say, it wasn't in the plan because our CEO had already made up his mind what the deadline had to be. You know what happened, Ben. He had lunch with a consultant who had just helped Rival Pty Ltd do a huge CRM implementation, so he decided we had to have that system and we had to have it yesterday.

CFO: Look on the bright side, Harold. At least he doesn't think IT's a commodity.

CIO: No, he thinks it's a light switch. All we have to do is turn it on. And if I suggest that getting a CRM system up and running might be a little more difficult than the consultants and the white papers make it sound, I'm the bad guy. I'm preventing us from staying competitive.

CFO: But this is security. This is our brand, our reputation. You have to be the leader. You have to be the guy who tells us that the project's not ready, even if it means we miss the holiday season. Saying someone made you do it just doesn't cut it, Harold. Where does this buck stop?

CIO: You can only rain on a parade so many times before your bosses get tired of having you around, Ben.

CFO: So your job security comes before the good of the company? You can't believe that.

CIO: No, of course not. But I could name a half-dozen CIOs who did lie down on the tracks. And you know what? They're looking for work right now. It's hard to tell everybody we need extra time, and it's hard to tell you we need extra money. This isn't just my problem, Ben; this is the state of IT security. It's not too good. So I end up looking ineffective, even if putting the brakes on a project is the smartest thing I could do.

CFO: What you just described to me is an unquantified risk profile. Put some numbers behind it and I'll buy everything you're saying.

CIO: It's not that easy, Ben. We're talking about massively complex programs operating in massively complex computing environments. I'm not convinced risk analysis applies.

CFO: See, this is my biggest problem with IT. It's all black magic. When the going gets tough, IT says it's too special to have the rules of business apply. IT is not special. Nothing could be more appropriate to risk management than software security. Even if the curve shows huge, unacceptable risks in getting a project done before the holidays, that's information I could have used. It's information I would have loved to have had before 2000 credit card numbers were exposed.

CIO: Come on, you don't really believe a few charts and graphs would have stopped us from trying to finish the project by the holidays? The big guy would have said get it running and secure it as we go.

CFO: Maybe. Maybe probably. But at least we'd know the relationship between the dollars we spend on security and what we might get from them. That's what risk analysis does. That way we work out cost-benefit and decide - based on the data - how much time and how much money is absolutely necessary to spend.

CIO: What I'm hearing, Ben, is that you're asking me to become a junior CFO for IT. If I'm hiring a bunch of risk managers, spending all my time and budget trying to get these numbers to justify my existence, how am I supposed to focus on the projects that'll help LargeCo make money? No offence, but I don't want your job.

CFO: None taken. I'm not asking you to become a CFO, and I'm not trying to take away your decision-making authority. Risk management isn't designed to make decisions for you, Harold; it's designed to inform the decisions that we're counting on you to make.

CIO: Are you willing to approve extra funds to allow me to hire some risk analysts?

CFO: If that's the only way to do it, absolutely.

Conclusion

CFO Ben Courtanes: I think we made some progress today, Harold.

CIO Harold Peeples: I think so too, Ben. We're not going to agree on everything, but we've certainly found some common ground to build on.

CFO: Yes. As cost centres go, IT's not so bad. You should see what marketing wants from me.

CIO: A cost centre, Ben? I thought we were beyond that.

CFO: Well, Harold, no offence, but IT's not exactly producing revenue, is it? In fact, this is as good a time as any to tell you we're planning to cut your budget by 27 percent.

CIO: What?

CFO: Just kidding, Harold. I'll approve a budget line item for risk analysis inside IT, and you can teach me about buffer overflow.

CIO: Buffer overflow is so cool, Ben. You're going to love it.