Tuesday, November 30, 2010

Regulatory Capture and IT Governance

Industries are regulated by governments so that companies don't compromise the public interest.  Regulatory agencies usually grab headlines because most regulation comes in response to nefarious actions, but it isn't always the case: people in a company may conduct their affairs in what they believe to be a perfectly justifiable manner, only for there to be unintended consequences of what they do to consumers or society.  

In the same way, we have governance within businesses to make sure that management doesn't compromise the interest of investors.  And just as it is with businesses in a regulated industry, management of a well-governed business may have a set of priorities that are perfectly justifiable in management's context, but are orthogonal to investor's interests.

Industrial regulation and business governance are both poorly understood and poorly practiced. Each is also easily compromised. John Kay provided a fantastic example of how easily governance is compromised earlier this month in the FT, describing a phenomenon he referred to as "regulatory capture":

Regulatory capture is the process by which the regulators of an industry come to view it through the eyes of its principal actors, and to equate the public interest with the financial stability of these actors.


Let's think about this in the IT governance context.  We may have good governance instrumentation and a governing body that meets consistently.  But it's still easy for our governance infrastructure to be co-opted by the people it's supposed to be governing.  Mr. Kay explains how:

[T]he most common form of capture is honest and may be characterised as intellectual capture. Every regulatory agency is dependent for information on the businesses it regulates. Many of the people who run regulated companies are agreeable, committed individuals who are properly affronted by any suggestion that their activities do not serve the public good. ... It requires a considerable effort of imagination to visualise that any industry might be organised very differently from the way that industry is organised now. So even the regulator with the best intentions comes to see issues in much the same way as the corporate officers he deals with every day.


In IT governance, management provides and frames governance data.  Overtly or covertly it imposes structural limitations on the presentation of that data.  People in governance roles are all too often lulled into a sense of complacency because integrity of the messenger - management in this case - isn't in doubt.

Yet one of the most critical expectations we have of people in governance roles is that they have a broader picture than management of what should be happening, and how it should be taking place.  Perhaps management doesn't want to look bad, or they're not comfortable delivering bad news.  And all too often, management can do no better than to play the cards they're dealt (e.g., people, scope, technology or something else).  Whatever the underlying situation, we need a governing body that doesn't look at the cards in hand, but at the cards they can get out of the deck.  There's no mechanical process that enables this; it all comes down to having the right governors.

Which leads to Mr. Kay's next point, where he provides some important insight into the characteristics of a good regulator that are very much applicable to somebody in an IT governance role:

You require both an abrasive personality and considerable intellectual curiosity to do the job in any other way.


IT governance requires activist investors: people who will ask challenging and uncomfortable questions, reframe the data provided by management, and propose completely different solutions. This is a specific behavioral expectation, and a high one at that.  But, as Mr. Kay points out:

[T]hese are not the qualities often sought, or found, in regulators.


Sadly, this is all too true for IT governance as well.  

The value of governance is realized by its professional detachment. Whether you're recruiting a board for an IT investment or evaluating the people you have in one today, think very hard about their ability to act independently.