Question: We've cut staff so much in the last four years that I'm wondering if
I can afford (from a work perspective) to take vacation this summer. What can I
do to reduce the chance of something unraveling catastrophically while I'm away?
Our advice: If you haven't yet put control processes in place to assure that
you can safely take vacation, you've raised a "red flag" that IT is out of
control, which has profound legal implications for publicly traded companies
and other organizations with external financial-compliance requirements.
Because of Sarbanes-Oxley, government regulators, specifically the Public
Company Accounting Oversight Board, have published regulations stating that IT
processes and controls are an underlying foundation for a company's business,
financial, and regulatory controls. This statement means that your IT
processes, staffing models, and control procedures must be documented and must
clearly demonstrate that any problems will be identified and corrected before
catastrophic consequences can occur. Staff reduction isn't a defensible
justification for inadequate control. In fact, failure to take regular
vacations is viewed as a risk factor that signals the need for audit review.
Proactive Risk Management
The good news is that you can turn these new external compliance requirements
into a performance-improvement opportunity for the IT department. Not only will
you mitigate compliance issues, you can proactively create business value and
make your department a better place to work. There are three specific steps you
need to undertake.
1. Perform a pre-audit assessment of your IT organizational performance using a
recognized performance and control framework like that of the Committee of
Sponsoring Organizations or the Control Objectives for Information and related
Technology, or COBIT. Your assessment should span IT planning, implementation,
and support processes. The most important element of your review is assuring
that your IT processes regularly generate data that's suitable to assess the
effectiveness of your execution, and the ease and timeliness with which you can
identify and correct any process breakdowns. Remember--control doesn't mean
perfect execution. Control means knowing the state of your operation and being
able to correct deviations before there's material damage. Suitable assessment
data will make your future conversations with auditors much easier.
2. Use your process documentation and the performance data you've generated to
perform a process-by-process IT value assessment. Because IT is an enabling
function, it's easy to overdo the cost cutting, as line-of-business executives
often don't understand the IT contribution to the direct value-producing
processes of the firm. However, by decomposing IT into processes, it's much
easier to link IT process performance to business process value creation. Once
business executives understand this linkage, the character of cost-reduction
conversations improves dramatically.
3. Be realistic. Plan to outsource those IT processes that don't generate
sufficient value to justify the staffing levels required to assure adequate
performance and control. If you can't afford sufficient internal staffing to
provide effective performance and control, selective outsourcing is the only
viable option to protect your company and yourself personally. Fortunately,
selective outsourcing is a viable option. The major external vendors understand
the necessity to provide effective, measurable, and controlled services.
Furthermore, with well-documented processes and your own assessment of value,
you're in a strong position to negotiate favorable sourcing arrangements.
Remember, the best-informed party in a negotiation has the most economic
leverage.
In summary, there isn't a "silver bullet" cure for excessive downsizing, but
the need for high-quality IT service has become palpably clear. Use the new
external mandates to justify "right-staffing" for effective execution in the
future. Basing IT staffing on realistic performance criteria establishes a
foundation for creating an effective and rewarding IT organizational
environment.
-- Walt DuLaney