Speech Digital Leadership in Today's Economy
Chief Information Officer
Gold Coast –
Good morning and thank you to Gartner for the invitation to speak here today. It's amazing to see how this event has evolved over the years to become more a regional gathering than just Australia centric as it used to be. The fact that technology traverses economies, cultures and many communities is a key factor behind this. Another factor is the quest that chief information officers (CIOs) in this era of digital disruption are always on to learn, grow and continuously drive change for their organisations.
This change is against the backdrop of many industries that now have complete reliance on technology for providing essential services and products. A system outage in an airline, bank, telco or energy company can impact a large number of customers in a very short time frame.
Whilst attaining digital reliability has been a crucial need for many years, the impact and consequence of getting this wrong in today's economy can threaten the very viability of an organisation. The matter of digital reliability may well ultimately be the responsibility of the CIO; however, it's the business decisions on investment and risk management that play a foundational role in its success. This unfortunately is something that often goes unnoticed in long-term planning in the face of uncertainty.
At the other end of the reliability spectrum, CIOs are now given the quest to seek, disrupt or protect business models to keep their organisation ahead in the race. This includes unravelling or shaping the possibilities from mobile, social, cloud and communities of online stakeholders. Again the need to understand the environment has always been there, but the new digital economy makes the scope of this imperative, global, faster, and extended to those outside of your own industry.
So with this broad context, a few questions arise. What is the compelling imperative for CIOs and their teams in today's digital economy? How do we address this when the demands have become so broad? What is this really all about? I'd suggest the answer to all these questions is all about being ‘fit-for-purpose’.
Fit-for-purpose is about consciously tailoring the approach to the ‘race’ you have been asked to run. Let's consider the ‘notional CIO’ in a household (and there always is at least one in a household!). As a household CIO, you are responsible for a number of things, including staying ahead of the game. First, the consumables such as paper and ink cartridges, and handling that delicate situation when these run out the night before homework is due. Telling your users that they should not have left homework to the last night only fuels the incident. Second, you have a role in safeguarding children from inappropriate adult material that is so easily accessible on the Internet. Finally, as the household CIO it is your responsibility to troubleshoot Wi-Fi issues and avoid a household riot.
How does this relate to you as an enterprise CIO? As enterprise CIOs, we have to operate in somewhat similar demands, but naturally within a very different set of parameters. This has to be in context of our organisation's own customers, staff, shareholders and other stakeholders. Whilst some of the solutions may be conceptually similar for the enterprise and the household CIO, there is an order of magnitude difference in the needs and approach when factors such as cost, reliability and security of digital systems are considered. Becoming and remaining fit-for-purpose has to be a conscious effort on a daily basis for today's CIO. It has to be front of mind.
In this context, our fit-for-purpose approach at the Bank means delivering a very large portfolio of projects related to national infrastructure in the financial system, while at the same time maintaining existing services. For this we need to drive policy and innovation imperatives relating to banknotes, banking, markets and payments. We are an institution that represents the public interest, and so sound risk management, value for money, efficiency and effectiveness guided our fit-for-purpose approach. We set our sights on a vision and transformational agenda that inspired the technology team towards excellence and being one of the leading IT teams in the central banking community through a focus across three imperatives.
Three Imperatives to Digital Leadership
So what was the first imperative? Resilience. Resilience is about undivided attention on having a digital environment that is stable and secure to provide not just the required service, but also be strong enough for a journey of change.
Following a focus on resilience, our next imperative? Delivering business change and transformation through a portfolio of projects. You could call this the race of many projects that must reach their goal safely. Given the Bank's role in the financial system, a focus on budget and time of projects is not enough. Quality, reliability and security are also absolute musts.
What more could you want on top of resilience and delivery of a change agenda? Our third imperative: to reimagine. For a commercial organisation this is often about survival as competitors disrupt and establish new business models. For us it is about a need to promote a stable environment and one that allows innovation from global technology leaders to be applied to our practices.
1. Your resilience
Your level of resilience and readiness before a race are givens in this era, and a last minute attention on these is not going to give you the assurance you need for the journey.
For CIOs this relates to the operational maturity demanded by today's businesses. Stability, security and availability are vital before the conversation can turn to the race to implement new products, services and innovative business models. This operational maturity doesn't happen overnight and like a sportsperson, who has to build up speed and endurance through many years of training and strength work, the CIO must lay this groundwork to be match-fit. As Mark Spitz, the nine-time American Olympic swimming champion, used to quote from Benjamin Franklin, ‘If you fail to prepare, you’re prepared to fail’.
If the preparations for operational maturity go unmet, then you can very soon see the many headlines on outages, breaches and customer complaints. In the digital economy such matters become headlines well before the next day's newspapers are even printed! In the modern digital economy these resilience issues don't just stop at customer complaints, they go on to impact the very financial returns that shareholders expect from an organisation.
How does a CIO provide insight and oversight to get these fundamentals right? The journey starts with understanding the organisation's risk appetite statement. If this does not capture the digital business and its needs, then it's well worth taking the time to articulate one. What is the risk appetite for technology related incidents? How many incidents are acceptable to the business? What duration of outage can be tolerated? What is the desired refresh cycle for key software and hardware assets? How do the answers to these questions differ for a cyber-security matter? These are fundamental questions that must be asked and agreed to at the outset. Our role as CIOs is to bring insights to the table that allow the Board and Executive to balance cost and risk to the appropriate level.
This risk baseline then sets the tone for the culture, processes and rules that govern the approach to resilience before the race. The CIO then must turn attention to oversight of the technology capability to ensure that resilience is built into solutions and services at the outset, and ongoing health checks continuously prove its effectiveness to the stakeholders. It's about being match-fit in the fundamentals.
To hone our resilience in the Bank, we have an agreed risk profile that is appropriate to the platforms we provide to support the economy. This is underpinned by a tiering of systems in terms of availability, recoverability and continuity thresholds. These are reviewed annually so that they remain current and relevant. All this is built into a culture and framework of processes and metrics to measure ongoing effectiveness. This is integrated into a bank wide business approach to sound governance, control and operations.
The fitness regime for technology resilience begins with architectural planning to ensure the design blueprint for applications and infrastructure is fit-for-purpose at the outset. Embracing standards such as Information Technology Infrastructure Library (ITIL) and others from the International Organisation for Standardisation (ISO), and seeking accreditations against them, allows us to ensure we don't reinvent the wheel of process maturity. Effective process discipline is the heart that constantly needs to serve the many players for endurance and sustainability in the race ahead.
‘What gets measured gets managed’ is an old mantra, and one that plays a key role in guiding our resilience. At the Bank we place great importance on having the right metrics in place to measure risk, progress and make appropriate business decisions. For example, we track and correlate the volume of change we make in our production systems against a range of dimensions that can be used to guide the appropriate level of change to take on. A 25 per cent increase in the number of changes in the production environment over the last few years may seem a lot. However, correlating this against metrics that measure the health of the operating environment in aspects such as stability and capacity gives us a level of confidence on the ability to drive the right volume of change within context of our risk appetite. What does your environment look like in change and stability metrics? Are you tracking your fitness level against the terrain of changes?
Another dimension of operational resilience is the service quality being experienced by key stakeholders. Poor service quality faced by users or customers can be a lead indicator to future incidents. Graph 1 depicts tracking of Net Promoter Score (NPS) for our internal service desk. For us, each rise and dip can be correlated to an action we took or to which we had to respond. For example, the dip in December 2014 was due to a response to cyber threats. This was where we had a dip in internal customer service because of new email blocking rules we put in place for webmail attachments. As the speed of analysing and releasing emails increased, and users adjusted to the new norm in safety, the NPS improved.
In this era cyber security is an inherent dimension of operational resilience. It's something that can stop you in the race and needs more attention than ever before. Your risk appetite statement has to recognise the risks arising from this and the extent to which they are acceptable. It can be tempting to use the many industry surveys to depict the risks and threats in your own environment. This is not often wise. Knowing the heartbeat of your own environment and how it prevents, detects, and responds is a far healthier option in the race towards cyber resilience. We place a lot of importance in this so that appropriate defences can be established as the threats change. For example, almost 70 per cent of the emails we receive are malicious in nature, and making sure we analyse and understand the risks in these is critical. Further, our external perimeter, like most other organisations, is faced with a barrage of scans and probes; in fact we have one probe every two seconds. Metrics such as this serve to understand the risks to our environment so that pragmatic cost-effective mitigating controls can be established.
For some, a focus on operational maturity and resilience may seem boring, basic and business as usual. But in the digital economy your brand reputation and very existence may well depend on getting this right. We take this very seriously and actively test our effectiveness in resilience. This includes a biannual exercise for business and technology continuity in running the Bank from our second data centre, quarterly rotations of systems across the dual sites, and at any point in time being able to switch processing of critical systems from one site to another. For example, this proved its worth during the Lindt Café Siege in 2014, which took place a few metres from the Bank's building. Within minutes of the incident we switched our platforms to operate out of our second data centre. The next day the Bank's business operations all took place out of the second site whilst Martin Place was cordoned off to the public.
Given we have dealt with resilience and are now fit to run, let's move onto the race itself.
2. The race
What does the race mean to you as CIOs? In a nutshell it's about delivering business change and transformation through a portfolio of projects. Each of these projects has their own goal, whether it is risk, compliance, service, revenue, efficiency, or innovation. The race is about achieving these in a timely manner and being able to deal with the terrain of difficulties and uncertainties that may be encountered along the way.
First, in dealing with this challenge, we need the right tracking mechanisms in place to make us aware of progress and make potential adjustments from hurdles we may face. We all know about the basics of steering committees, project status reports and project management offices. A key part that often gets missed is identifying the critical programs for the organisation and making sure they are not lost in the sea of projects. How do you identify the critical ones and what attention should you give them?
We have a concept. It is called the Enterprise Master Schedule. This frames the top 20 projects in the Bank that are of significant strategic importance, including their key milestones and other dimensions of fitness. Regular reporting then tracks their progress to the appropriate governance forums where a holistic approach guides discussions on strategic outcomes.
In this complex world, though, a focus on the big strategic projects may not be enough. Very often a smaller project can trip over a larger one, especially when inter-dependencies are misunderstood. A portfolio approach to milestones and schedule is critical, including rigour in managing the change schedule for the production environment. What are the critical aspects in all of this for the CIO? It is all about closely tracking technology related milestones in the portfolio.
Graph 2 shows our picture of IT milestones in the portfolio, which provides visibility on the success of these. However, looking in the rear-view mirror for project health needs to be supplemented with a forward projected view. This is where we have a rolling three-month window of future technology milestones. These are reviewed and questioned to ascertain their fitness level. Without this forward visibility and ability to adjust the delivery in an unpredictable world, many teams may stray from the track and fail to finish the race.
Tracking time and budget for projects is not enough in this era where businesses are completely dependent upon digital platforms for serving their customers. Quality is a critical factor in making sure the ongoing supportability of systems is sound for your business. A poorly designed system can become an Achilles heel for future races. So as a sponsor or CIO how do you pick up quality issues at the outset? We have established a series of quality certifications in the project lifecycle, which are conducted by independent internal teams. The results of these certifications are reported not just to the project steering committees, but also to other Bank governance forums that oversee risk and progress of strategic outcomes. The checkpoints in the project lifecycle assess the alignment to architecture, security and operational standards. Quality improvements may be raised against a project. But it's no good getting independent advice, if this is ignored and filed away. We track the extent to which each quality improvement is accepted and applied in the project.
Graph 3 shows that just over 80 per cent of the advice is adopted by projects in the initiate, design and deliver phases to maintain a healthy future. On occasions, though, valid reasons exist to defer adoption to a future release of the project.
In spite of a robotic future on the horizon, people are still needed in the digital economy! Each of you knows that leadership in developing people capability is vital in the technology function. The war for talent could not be more important. Even if your operations are outsourced, the question to ask yourself is if you have the ‘A team’ serving you? For us at the Bank, being predominately an in-house team, we cannot run our race without strong people skills. The competency of our staff determines the success in the race and encouraging, motivating and developing them to acquire new skills is of paramount importance.
Graph 4 is a snapshot of the way we track progress in this area. A key component of this has been a Leadership Development Program (LDP) for technologists that focuses on leadership in oneself, the team, the customers, and change management. Related to this is our partnership with domestic and global academic institutions, which allows research and insights to be applied in formulating the Bank's digital strategies. Such approaches have allowed us to strengthen the team when it comes to people and technical leadership in our race.
What is critical to success in the race? It's all about being aware and having the tactics to deal with unexpected hurdles in the terrain of delivery. If you are able to do this on top of having resilience, then this takes us to the third imperative: renewal.
3. Your renewal
At some point in the race, the demands to reimagine and renew your approach will become a reality. In the digital economy this is a necessity and not a ‘nice to have’. CIOs must examine the why, where and when to innovate. With technology and the possibilities ever changing, not having a focus on innovation presents a free kick to your competitors. However, innovation in this era will bring both opportunities and threats, and it's vital you can tell the difference and be able to deal with them.
What is innovation or renewal about for a CIO? There are two aspects to this, an internal one and an external one.
The internal aspect is about how you renew your approach in the way you plan, build and run systems. This could be in the techniques you use, the technology that's chosen, or in fact the way you organise your people capability. What are examples of this? One example may well be the way you change your software delivery approach in the world of data, mobile, cloud and changing customer needs. The traditional ways of software development may well lack the speed or nimbleness that are demanded in today's digital economy. Another example is how you leverage innovation from the many technology firms that have renewed their approach to infrastructure, whether that's in appliances, processing, networks or storage solutions. Infrastructure innovation in these areas can drive radical change in today's operating environments that was unheard of a few years ago. Are you aware of the recent developments in this area? Have you dismissed this as a fad? Or worse still, do your staff or outsourced providers see this as a threat to their future? These are fundamental questions to ask.
The external aspect is how you find a solution for your customers or stakeholders in a way that satisfies unmet needs through new services or products. This could extend out to the way you disrupt competitors, or in fact those outside of your industry through technology that changes the economics of your business. What are the most obvious and recent examples of this? Think Airbnb, which owns no hotels and yet has become a leader in accommodation, or Uber, which has disrupted the taxi industry and yet was never a player in the transportation sector. What's really interesting in these examples is that these companies weren't even in adjacent industries trying to enter the market; they came completely from the outside. What is at the heart of these innovations? A technology solution that links buyers to sellers in an ecosystem of transactions. A simple concept, which goes back to the days of brokers and middlemen, and yet in the digital economy this has transformed complete industries in a few years. The question to ask is, ‘Are you as a CIO involved in renewal of your organisation's approach?’ If not, why not?
How do we renew ourselves in the Bank? Well, the first thing in any renewal or innovation focus is to ask yourself, why? Why should you renew and in which areas? For us, being a public institution and a central bank, the ‘why’ is about resilience, reputation and risk management. Seeking innovation that enhances our standing in these areas in a more effective and efficient manner is essential to us. One way we do this from a technology perspective is ‘codefests’ or ‘hackathons’. This involves idea generation, an eight-hour coding challenge, demonstrations to prove concepts, a business-judging panel, and winners and ideas being sponsored to the production world. Last year the winning entry implemented a capability for simultaneously communicating trade confirmations to counterparties. This year we saw banking and productivity innovations.
More recently we also extended our renewal approach to a targeted innovation competition. Programmers were set the quest to develop a compelling demonstration of Blockchain concepts. The aim was to go beyond just a discussion of the theoretical uses and actually have some working solutions to debate and discuss. What came out of this? We saw some amazing proof of concepts that helped us to reimagine the possibilities for the broader business sector that we operate in.
Renewal and innovation, though, cannot be done alone. This is where we regularly collaborate and interact with peer central banks across North America, Europe and Asia. This includes a fortnightly security intelligence discussion with a select number of central banks, a biannual gathering of the CIOs of east Asian central banks, and ad hoc bilateral discussions when required on a global basis.
Our renewal strategy at the Bank is multifaceted. Central bank interactions are supplemented with engagements with commercial banks, technology firms, academic institutions and those in other industry sectors. These allow us to continuously challenge ourselves to improve.
What is your renewal all about? I would hope this starts with the ‘why’. Renewal or reimagining your approach keeps you ahead in the game. Your techniques for dealing with threats, disruption and opportunities become a case of survival in today's changing world and not just a ‘nice to have’.
In closing, leadership in the digital economy demands a starting point of operational resilience. But as the race to deliver business change starts, deploying the right tracking mechanisms becomes vital so that you can respond to the terrain around you. Reimagining and renewal require undivided attention when so many business models arise quickly. For each of us, the challenge is to be fit-for-purpose in our own journey of digital transformation.
In our case, fit-for-purpose is primarily about serving the economy and the public in a way that is supported by trust, resilience and value for money.
Thank you for listening, I hope you have an enjoyable conference and good luck in your race!