Idea to retire: Decentralized IT governance

“Decentralization has, not only an administrative value, but also a civic dimension, since it increases the opportunities for citizens to take interest in public affairs; it makes them get accustomed to using freedom. And from the accumulation of these local, active, persnickety freedoms, is born the most efficient counterweight against the claims of the central government, even if it were supported by an impersonal, collective will.” (Alexis de Tocqueville)

The rise of decentralization

The debate over the value of centralized versus decentralized governance is not new. In many ways, decentralization is seen as the evolved response to the problems and excesses of centralized governance. Decentralized governance has been hailed as increasing efficiency and effectiveness of organizational performance, facilitating quicker reaction to problems, and improving service delivery, while also increasing accountability, discouraging corruption and improving cost recovery.¹ As a result of these benefits, there is ample evidence to suggest that the United States government, at the federal, state and local levels, have increasingly adopted decentralization. While centralized authorities exist at each level, implementation of policy is largely decentralized to individual departments.

IT governance focuses on the location of the decision-making and accountability for IT policies. Three primary modes of IT governance are generally recognized: centralized, decentralized, and federal. In centralized governance, the corporate IT function has the authority on all IT matters, while in decentralized governance, the divisions have all the responsibility. Under a federal structure, the corporate IT function shares the governance of the spheres with the divisional IT staff in either strong- or weak-federal forms, depending on the degree of decentralization. In a public sector setting, corporate IT can be viewed as the federal, state or local chief information officer (CIO) while divisional IT can be viewed as the agency or department CIOs.

Centralized governance structures allow greater control over standards and better economies of scale while decentralized allow greater customization of solutions and greatly improved responsiveness to business unit needs. However, business units commonly favor a decentralized model, particularly in cases where the business units themselves operate in a decentralized manner. Movement between various models of IT governance has been historically seen to occur through the evolutionary alignment of technology and structure.

The modern concept of enterprise IT came about in April 1964 with the announcement of the IBM System/360, the first mass-market, business-oriented mainframe computer. Given their physical architecture of mass storage and centralized processing, high maintenance requirements and specialized operator skills, centralization of the IT function and its governance was a natural and logical outcome. While the minicomputers of 1970s were still centralized, the move toward IT decentralization started with the advent of desktop computing in the form of the IBM 5150 Personal Computer in August 1981. The proliferation of desktop computers and growth of local area network technologies over the next decade took IT out from centralized data processing centers and into the business proper. This shift put further pressure towards decentralizing IT governance, as IT become both familiar and financially attainable for business units to acquire IT themselves. Add universal access through the introduction of affordable commercial Internet, and by the mid-1990s the pendulum swing towards decentralization reached its peak.

The decline of decentralization 

Decentralization of the IT function and its governance structures can therefore be seen to be an idea that arose due to the technological architectures and standards of the 1990s. While many of today’s CIOs’ formative years in business or government IT were in that decade, do we still need our slavish adherence to decentralization as a doctrine?

Reviews of recent studies of decentralization in general have found mixed results for its efficacy. Political decentralization and fiscal decentralization have been found to be effective. However, administrative decentralization, which is the pushing policy implementation decisions to lower levels, has had mixed or negative outcomes in areas such as effective public service delivery, size of the public service and overall financial efficiency.² IT governance and management fall into the realm of administrative decentralization.

I recently completed a study with Gregory S. Dawson and Kevin C. Desouza looking at the relationship between state performance and centralization of IT governance.³ Across the 50 states, we saw a wide variety of governance mechanisms and an equally wide level of performance in the IT function. Overall, we found that centralization of IT functions in the state CIO’s office—particularly those related to strategy and IT personnel management—led to higher performing IT functions. Conversely, wholesale decentralization of IT functions to state agencies was related to lower IT performance.

At the federal level, the Defense Information Systems Agency (DISA) of the Department of Defence (DoD) has historically faced intense pressures between centralization to ensure standardization and decentralization to allow service freedom of action. However, in May 2015, DISA released the DoD Enterprise Services Management Framework (DESMF) with the aim of standardizing IT services and operations throughout the military as part of a DoD-wide move towards the Joint Information Environment (JIE). The DESMF announcement came shortly after another one that consolidated functions of several DoD IT offices under a Joint IT Single Service Provider-Pentagon. The promulgation of a document that outlines a department-wide service management approach and a centralized, shared-service provision model would suggest that centralization is in the ascendant in DoD.

As seen in these state and federal level examples, the alternative to the taken-for-granted assumption that weak-federal or decentralized IT governance is superior is a return to a more strong-federal or centralized IT governance model. Two critical factors enable this opportunity and make it the ideal time to do so. First, the IT governance structures are in place to support a more centralized model. Second, technological advances have provided tools and techniques that lead to greater centralization.IT governance within the U.S. federal government has developed extensively over the last twenty years (and has been matched by similar developments at the state and local levels), setting the stage for a return to more centralized IT governance. The Clinger-Cohen Act was passed by Congress in February 1996 with the direction for agencies to establish clear and demonstrable accountability for IT management through the appointment of agency CIOs. The E-Government Act was enacted in December 2002, mandating the creation of both the position of Federal CIO and the CIO Council, the latter including the Federal CIO and all agency CIOs. In February 2009 a Presidential Executive Order established the position of U.S. Chief Technology Officer (CTO).

Most recently, the Federal IT Acquisition Reform Act (FITARA) was enacted in December 2014, reforming a number of issues with the management and oversight of federal IT. While it did not mandate any new IT governance structures, one of its key provisions is to increase the responsibility, accountability and authority of the CIO in federal agencies by providing them with budget authority over IT programs, which have historically been outside of their control. The CIO Council has also been reinvigorated by requiring it to define common standards and practices for commodity IT resources. So since the high-water mark of decentralization in the mid-1990s, CIOs have been increasingly both made responsible for and empowered to provide strategic leadership and effective management of the IT function.

In addition to structural advances, technology has moved on to both require and enable centralization. Fifty years of exponentially increasing processing speed, mass storage capacity and bandwidth availability paired with exponentially decreasing costs of the same have brought us full-circle by enabling public and private cloud computing. We are currently seeing a move in government computing first to data center centralization enabled by server virtualization and high-capacity bandwidth, followed by movement to managed services of those data centers augmented by cloud, and finally to hybrid or full cloud solutions. With all the “as-a-service” models enabled by cloud computing available, we are conceptually back to mass storage and centralized processing of the IBM System/360 era and, therefore, ripe for structural alignment towards more centralized IT governance and management models.

The February 2011 Federal Cloud Computing Strategy starts this conversation, but couches it language that would be non-threatening to agencies.⁴ Terms such as “centralized,” “standardized,” and “consolidated” are found throughout the document, but direction to centralize is implicit, noting that agency readiness will be subject to having a supportive change management culture. Stable, long-term governance is discussed, with the requirement for individuals and committees to have explicitly-defined roles, non-overlapping responsibilities, and a clear decision-making hierarchy. Various functions in executing the strategy can be seen in the allocation of decision rights and responsibilities: cloud computing standards to the National Institute of Standards and Technology (NIST); government wide cloud-computing procurement vehicle development to the General Service Administration (GSA); leadership of government-wide adoption to the Federal CIO Council; and overall prioritization and coordination to the Office of Management and Budget (OMB).

The same technologies that CIOs are developing, implementing and managing to improve the flow of information for government and citizens in general are also enabling their own capabilities to direct, coordinate and collaborate across large organizations. Whereas IT implementation was previously focused on IT infrastructure, citizen-facing applications and back-office support, increasingly IT projects are also addressing needs for collaboration, communication and decision making for both the agency and IT. With this increased flow of information comes the ability to better coordinate and hence centralize governance.

The pendulum has long-since swung away from decentralization and back to centralization, but we have been slow to recognize it and adapt. A decentralized approach is unsuited to a future IT environment characterized by continual reduction of on-premises systems, near limitless bandwidth, and the majority of government systems migrated to the cloud. In order to recognize benefits including standardization, efficiencies of scale and scope, and lower coordination costs, we must act now to structurally align our IT governance to the new realities of cloud-based centralization. We must acknowledge that centralized IT governance is the superior model and that decentralization is an idea that needs to die.

¹See IT Governance Institute. 2003. Board Briefing on IT Governance, 2nd Edition.

²Stacey White, 2011. Government Decentralization in the 21st Century: A Literature Review. Center for Strategic & International Studies.

³Denford, JS, Dawson, GS and Desouza, KC, 2015. An Argument for Centralization of IT Governance in the Public Sector. 48th Hawaii International Conference on System Sciences.

⁴Kundra, Vivek, 2011. Federal Cloud Computing Strategy. Office of Management and Budget.