This presentation was given to the monthly forum of the Australian Computer Society's Victorian branch on 4 February 2015. The presentation draws on my official role as the Australian Government CTO and Procurement Coordinator and my professional responsibilities as the chair of the ISO/IEC JTC 1 Sub-Committee 40 - IT Service Management and IT Governance.

In the presentation, I aim to make the case that while the governance of Government ICT has much in common with the non-government sectors, it retains some distinguishing features, which only the brave among us choose to ignore.

Evaluate, Direct, Monitor [Elect]

Published on Nov 18, 2015

Presentation to ACS Victoria Branch Forum 4 Feb 15

PRESENTATION OUTLINE

EVALUATE, DIRECT, MONITOR [ELECT]

Applying Governance to Government ICT

scope

  • Evaluate, Direct, Monitor
  • Is government different?
  • Funding new proposals
  • Public sector governance
  • The ICT professional
I'll begin by reviewing the international standard on IT governance. I'll then describe what I see as the differences, review some of the processes and mechanisms that drive good governance in the public sector and then conclude, in a fit of self indulgence, by touching on what we should be doing as ICT professionals.

Evaluate, direct, monitor

ISO/IEC 38500:2014
The international standard for IT Governance began life as an Australian standard, AS 8015. I was fortunate enough to be one of the co-authors of this standard, along with authors, including your erstwhile Secretary, John Graham. It was an experience emblazoned on my mind. I often say that bureaucracy is the life blood of democracy. That is never more true than in the international standards arena - so democratic that it hurts.

The standard is explained in three words which describe the actions the governing body of an organisation should take to get the ICT results they seek.

Governing bodies should govern IT through three main tasks:

a) Evaluate the current and future use of IT.

b) Direct preparation and implementation of strategies and policies to ensure that use of IT meets business objectives.

c) Monitor conformance to policies, and performance against the strategies.

Authority for specific aspects of IT may be delegated to managers within the organization.

However, accountability for the effective, efficient and acceptable use of IT by an organization remains with the governing body and cannot be delegated.

This diagram explains the standard and the cycle of processes it encompasses. The standard is not about the management of ICT, as important as that is. While management requires making good decisions, governance ensures good decisions can be made. It is about the actions taken by the governing body - which might be a board in a commercial organisation or the senior committee in a government department - the committee historically chaired by the CEO, the Secretary, and consisting of members drawn from the deputy secretaries and a few key advisers, often including the CIO.

The CIO's role is very important at this level. Although it is sorely tempting to do so, it is not the CIO's role to fix the projector when it breaks down during the CFO's 75 slide presentation on the financials or to ensure that the communications manager's video works. Getting involved in these tasks is a sure way to be seen as the technician not the technology leader, or better, the technology whisperer.

Principles

  • Responsibility
  • Strategy
  • Acquisition
  • Performance; Conformance
  • Human Behaviour
The principles of governance are described on this slide. There are 6, it's just that my favourite slide tool, HaikuDeck, only allows five points per slide, one of its few faults.

Principle 1: Responsibility

Individuals and groups within the organization understand and accept their responsibilities in respect of both supply of, and demand for IT. Those with responsibility for actions also have the authority to perform those actions.

Principle 2: Strategy

The organization's business strategy takes into account the current and future capabilities of IT; the plans for the use of IT satisfy the current and on-going needs of the organization's business strategy.

Principle 3: Acquisition

IT acquisitions are made for valid reasons, on the basis of appropriate and on-going analysis, with clear and transparent decision making. There is appropriate balance between benefits, opportunities, costs, and risks, in both the short term and the long term.

Principle 4: Performance

IT is fit for purpose in supporting the organization, providing the services, levels of service and service quality required to meet current and future business requirements.

Principle 5: Conformance

The use of IT complies with all mandatory legislation and regulations. Policies and practices are clearly defined, implemented and enforced.

Principle 6: Human Behaviour

IT policies, practices and decisions demonstrate respect for Human Behaviour, including the current and evolving needs of all the 'people in the process'.

is government different?

  • Transparent
  • Responsive
  • Informative
  • Cost effective and Efficient
  • Keyed appropriately
Government is different. Good government ICT is usually required to be:

Transparent - which I use in the physics sense - in that it isn't actually visible. It shouldn't get in the way of providing services. Ministers don't want to hear that the systems can't take it, even delivered in your best Scotty impersonation.

Responsive - the three fastest bikes around are not Yamaha, Suzuki, and Harley Davidson. They are the media cycle, the political cycle and the technology cycle. Staying in front of all three requires superhuman efforts.

Informative - government has an enormous amount of data, very large quantities of information, a significant quantum of knowledge, and even a bit of wisdom. And when these things are needed, they are needed right now.

Cost-effective - it's your money, isn't it.

Keyed appropriately - which is a cute way of saying secure - protecting against attack, exploitation, ensuring data integrity and privacy.

Efficient - no one visits government for fun. They want to get in, do their business, however reluctantly, and go on their way.

HANG ON, i have an idea ...

FUNDING NEW PROPOSALS
While these might seem pretty normal requirements, the process for funding government ICT work is necessarily somewhat complex. Funding cycles require major projects to be worked up well before the FY in which the major funding is provided. Checks and balances require detailed proposals. Risks are assessed at many levels and the process of decision making might go right to the wire. Funding decisions are generally announced publicly in the budget and subject to questioning thereafter by the media and at Senate Estimates.

All this means that a decision to go ahead with a project is so comprehensively examined before and after it is made that the capability sought must be delivered. Unnecessary or nice to have projects just don't get up. So, some of the mechanisms used commercially, like regular business case reviews, stage reviews etc, need to be adjusted because project abandonment is very rarely a workable solution.

All this puts more emphasis on the evaluate/develop/monitor cycle.

public sector governance

ANAO BETTER PRACTICE GUIDE
Federally, public service projects and activities are subject to both internal audit and external audit via the ANAO. The ANAO's primary client is the Australian Parliament. Its purpose is to provide the Parliament with an independent assessment of selected areas of public administration, and assurance about public sector financial reporting, administration, and accountability. It does this primarily by conducting performance audits, financial statement audits, and assurance reviews. The ANAO does not exercise management functions or have an executive role. These are the responsibility of entity management.

ANAO has recently expanded their information sources about audit activities to include comment from the public - the people who interact with government systems. The public's tolerance for failure is reliably low.

Government ICT managers do their work in the open, generally, and are subject to considerable scrutiny. They need to be supported by good governance and solid engagement with the business.

The objectives of good governance

Most public sector entities receive public funding to achieve outcomes for government through the delivery of programs and services under their charters. In this context, good governance generally focuses on two key requirements of public sector entities:

  • performance—governance arrangements and practices are designed and operate to shape the entity’s overall results, including the successful delivery of government programs and services
  • accountability—governance arrangements and practices are designed and operate to provide visibility of results, to the entity’s leadership, the government, the Parliament and the community and conform with applicable legislative and policy requirements as well as public expectations of openness, transparency and integrity.

Good governance considers both performance and accountability within a risk management framework rather than trading one off against the other.

more than a name

THE ICT PROFESSIONAL
Given all this, what does being a government ICT professional mean?

I think it requires detailed engagement with the business, a strong understanding of the policy process, a clear ability to manage funding properly and a good eye for the improved user experience.

But also today, the consumerisation of technology, the attractions of BYOD, the availability of cloud computing services that can be sold to the business without the CIO's involvement all mean that as professionals, we need to be able to answer our business colleagues' questions quickly, succinctly and in their language not ours. A failure to do so just isn't going to work.

Questions?

Governance of Government ICT