Most public companies these days are very concerned about meeting the requirements of the Sarbanes-Oxley Act of 2002 (SOx). Section 404 of the act mandates that management maintain effective internal controls and requires external auditors to attest to the effectiveness of those controls.
This, of course, is creating an abundance of antacid moments in boardrooms all over the United States and those fears are being transferred to the IT groups as well because the financial systems and key operating systems that run the businesses are all under the spotlight. As a result, groups are hiring consultants by the bus load to come in and help put appropriate policies and procedures in place.
The problem is, however, that some groups are overlooking the threat of critical information systems that have been created and are maintained outside of the formal IT organization.
Whatever the exact reason, the basic premise is the same -- the business units aren't satisfied with what is being given to them. For example, if manufacturing is under extreme pressure to lower costs while increasing throughput, it may need special RFID software. But when it approaches the formal IT group and learns there are no plans to develop the necessary software, the business unit may be forced to write the software itself outside of IT, or to source it from a third party without IT's involvement.
In this day and age, there are some very significant issues facing companies that choose to allow Shadow IT groups to exist.
One of the first issues to recognize is poor resource utilization. With unofficial IT resources scattered through business units, there can't be a cohesive effort to prioritize and schedule work across all of them. That means Bob in accounting may have a four-month backlog of IT-related requests for his group, while Sharon in sales may have spare capacity but be unaware of it or, for political reasons, unable to help Bob.
Another issue is lack of proper processes. Sometimes the Shadow IT people have formal IT process training. Many times they do not. As needs popped up, they figured out how to respond through trial and error, turning to friends or leafing through manuals. As a result, proper requirements definition, documentation, testing and change control are lacking. Even IT professionals have been known to let proper processes slip due to pressures from business, let alone when managed by people who may fail to see the value of the processes.
Lack of controls is yet another problem. Proper security and operational controls are crucial now. It's one thing to implement proper controls over formal IT systems and personnel. It's far, far harder to try to retrofit controls onto systems that were ill-designed to begin with. It's far better to design quality, security and controls into a system than to try to inspect them in or add the necessary functionality later. Sometimes it is virtually impossible to do so without a ground-up redesign of the software or system.
And then there's the simple matter of mistakes.
People may have the best intentions in the world when they write a critical application or design a key system. However, simple mistakes can and do happen to everyone. Unless proper design, testing and monitoring processes are in place, the total risks to the organization increase.
To illustrate, I recall a very capable gentleman outside of IT who wrote a reporting application for billing. He thought the SQL command captured all of the billing data. However, since he wasn't a SQL expert and did not methodically test the application, it turned out later that the vital report missed the first and last day of every month.
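The anecdote does not say which defect caused the missing days; a common way to drop exactly the first and last day of a month is a date filter with strict comparisons on both ends. The following is an added example, not the author's or the gentleman's code: it reproduces that bug against constructed SQLite data, shows the half-open-interval fix, and includes the kind of boundary test that would have caught it. The table name `billing`, the column names and the sample rows are all assumptions.

```python
import sqlite3
from datetime import date, timedelta

# Constructed sample data (not from the article): one billing row per
# interesting day, straddling the February 2024 month boundaries.
ROWS = [
    ("2024-01-31", 10.0),  # day before the month: must be excluded
    ("2024-02-01", 20.0),  # first day: the buggy query drops this
    ("2024-02-15", 30.0),  # mid-month
    ("2024-02-29", 40.0),  # last day: the buggy query drops this too
    ("2024-03-01", 50.0),  # day after the month: must be excluded
]

def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE billing (bill_date TEXT, amount REAL)")
    con.executemany("INSERT INTO billing VALUES (?, ?)", ROWS)
    return con

def month_bounds(year, month):
    """Return (first day, last day, first day of the following month)."""
    first = date(year, month, 1)
    nxt = date(year + 1 if month == 12 else year, month % 12 + 1, 1)
    return first, nxt - timedelta(days=1), nxt

def report_buggy(con, year, month):
    """Strict comparisons on both ends: rows dated exactly on the first
    or last day never satisfy the predicate, so they vanish silently."""
    first, last, _ = month_bounds(year, month)
    sql = ("SELECT COUNT(*), COALESCE(SUM(amount), 0) FROM billing "
           "WHERE bill_date > ? AND bill_date < ?")
    return con.execute(sql, (first.isoformat(), last.isoformat())).fetchone()

def report_fixed(con, year, month):
    """Half-open interval [first, next_first): includes every row of the
    month and stays correct if bill_date later carries a time component."""
    first, _, nxt = month_bounds(year, month)
    sql = ("SELECT COUNT(*), COALESCE(SUM(amount), 0) FROM billing "
           "WHERE bill_date >= ? AND bill_date < ?")
    return con.execute(sql, (first.isoformat(), nxt.isoformat())).fetchone()

def boundary_check(report, year=2024, month=2):
    """The test the anecdote says was never run: the report's count and
    total must match the rows dated inside the month, taken directly
    from the source data rather than from the query under test."""
    con = make_db()
    first, last, _ = month_bounds(year, month)
    expected = [a for d, a in ROWS if first.isoformat() <= d <= last.isoformat()]
    count, total = report(con, year, month)
    return count == len(expected) and abs(total - sum(expected)) < 1e-9
```

Running `boundary_check(report_buggy)` fails because the February total covers only the mid-month row, while `boundary_check(report_fixed)` passes; the same check belongs in any change-control gate for a report like this.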
It is naive to think that an official edict can stop Shadow IT work.
As soon as budgets are cut or resources are constrained, forcing executives to look at in-house IT alternatives, the environment is fertile for Shadow IT groups to appear.
To address this, what is needed is a close relationship with the business units. IT must sit down with them and spend the time to learn about their troubles and what direction they want to take the business in. Addressing pain gets you in the door and helping them with strategic direction keeps you there.
The intent is to use this information to develop IT plans, budgets and resourcing strategies necessary to achieve these goals. This alignment is essential for senior management to understand how monies invested in IT relate to the financial performance of the organization. However, don't stop with the planning. Be sure to regularly communicate with the business owners about what is going on, as well as communicating achievements, risks and opportunities to senior management.
The existence of Shadow IT within an organization is symptomatic of a lack of alignment between business units and IT and, possibly, even senior management and IT. Shadow IT is, at best, a shortsighted strategy that may work well for a given business unit, but be detrimental for the organization overall.
It is vital that IT continuously work with the business units and senior management to ensure that the formal IT team is capable of supporting business requirements and that there is a clear understanding of the risks associated with bypassing the formal IT organization. While the phrase "Align IT with business" may well be almost to the point of overuse and cliché in the management literature, the concepts that underlie it are timeless, and IT must ensure that alignment exists.