High Crimes and misdemeanors of CIOs

By Jeffrey Morgan

According to the U.S. Constitution, high crimes and misdemeanors are grounds for impeachment of a president. What are the impeachable offenses for a CIO?

In the healthcare industry, patient-centered care is a priority, and well-managed clinical organizations are eager to achieve that goal. While enterprises in industries such as healthcare receive routine audits and assessments based on widely accepted best practices and standards, the same does not hold true for the information technology industry in many market sectors.

In the IT industry, some organizations and CIOs are enthusiastic about providing excellent customer service, but adoption of standards and frameworks such as ISO/IEC 20000, ITIL, COBIT and CMMI seems to be low, especially in the public sector. I was unable to find credible (and free!) research on adoption rates, so this assertion is based solely on personal experience. Is your IT organization delivering customer-centered services using best practices?

In a competently managed IT service organization, end users are treated as valued customers and their problems and concerns are taken seriously. They are constantly updated about progress on their incident or problem even if there is no news. In poorly managed IT organizations, end users are marginalized and treated as the problem. Aside from losing data, providing poor customer service is one of the worst crimes a CIO can commit.

Perceptions of service quality in organizations

Here is a summary of quality perception that is fairly common in audit findings:

IT’s perception: We are the cat’s meow of IT. We provide great IT services, but our end users are the real problem. They just don’t understand what’s involved in providing IT services. (No records or metrics to support these assertions are extant.)

End user perception: Are you here to outsource our IT? I hope so, because our IT department is the worst thing since the black plague. They are not responsive and the system is always crashing. (The sharpest end users have spreadsheets in which they record the times, dates and results of their pleas for assistance.)

Management perception: We have no idea what the truth is, but we need a resolution.

These represent huge perceptual disconnects. If the IT operation used any best practices for IT service management (ITSM), these perceptions wouldn’t exist. What do your end users think about the quality of service you provide? Do you routinely survey end users or personally ask them, “How do you rate the quality of services we are delivering?” This almost never happens in many, if not most, IT monopolies. The worst way to learn the truth about your customer service is in an audit document.

Audit virgins

There aren’t many tasks less pleasant than auditing an operation that has never been audited. When the results are documented in a written report with specific examples, the denial is immediate and the pushback strong, and then a barrage of excuses is unleashed.

In many organizations, management has no idea what quality IT services are supposed to look like. IT is not their area of expertise, and they may not be aware that quality standards exist. That’s what they hired you for. Moreover, many IT staffers may not even be aware of quality standards. As for the end users, they are not stupid. They know when a service isn’t being delivered.

Admitting that their operations have flaws can be tough for many managers, because those flaws are a reflection of their management skills. In 12-step substance abuse treatment programs, Step 4 is an evaluation of your flaws, and I wish more IT managers would engage in this type of self-reflection.


IT as the center of the universe

During one recent audit, a single look at the IT support flow chart I was provided told me everything I needed to know about the quality of IT services the organization was delivering. End users and management were represented nowhere on the chart. Moreover, all the feedback management was receiving was filtered through IT. It was an entirely IT-centric model, as if the entire reason for that enterprise’s existence was for the convenience of the IT shop.

The center of your IT universe should be end users and their business requirements. Do end users hold a central position in your service delivery model? Are they treated with respect?

Moving toward best practices

If your organization is not using best practices for ITSM, take a look at the various frameworks and models and find one that makes the most sense for your organization. Start small and work relentlessly toward improvement of customer service.

For those of you who may be too young to remember, here’s a great tutorial on IT customer service by Jimmy Fallon on Saturday Night Live: “Nick Burns, Your Company’s Computer Guy.”

This article was first published on CIO.COM at http://www.cio.com/article/3130808/it-service-management/high-crimes-and-misdemeanors-of-cios.html.

© Copyright Jeffrey Morgan, 2016


What is the biggest threat to internal IT Departments?


By Jeffrey Morgan




“What the hell do all these IT people do all day anyway?” That’s a great question often posed by staff members, CEOs, CFOs and line-of-business managers. As a senior IT executive or manager, can you answer that question?

The Problem

I often see IT staffers engaged in ridiculous pursuits that provide no value to an organization — printing business cards, acting as intermediaries for support calls to external vendors, repairing equipment that is under a service contract, and generating reports that should be created by end users. Moreover, I see too many menial, repetitive tasks like patch management being performed by expensive humans rather than by automated systems. Many IT directors either don’t recognize the dysfunction or see it as a way of keeping their overstaffed empires intact.

Even worse, IT staff members often engage in activities for which they are not even remotely qualified, but which they insist on performing because of some misplaced DIY (do it yourself) philosophy. Such activities are often part of what I call a wild-west management style where IT staff members decide for themselves which activities are of value to the organization. I recently had an encounter in which an IT minion told me that TCO (total cost of ownership) information I was requesting as part of an audit was “not going to provide value to the organization.” Huh!

What is important to your organization?

Services that are valuable to one organization may be of little or no value to another. Establishing what services will provide value to your organization is a critical business activity in which you and your executive leadership team should be fully engaged. These decisions shouldn’t be left to the whims of minions. Unfortunately, this sort of strategic planning occurs in few organizations. If you are working for one of the majority of organizations not following any best practices for IT service delivery, this conversation with your leadership is even more important. There is really no such thing as an IT problem, but management issues abound.

As a manager, one of your primary functions should be to “make resources productive” (as Peter Drucker wrote in The Practice of Management). Are you doing that? Can you instantly produce reports and metrics demonstrating that your IT operation is delivering real business value to your customers? Can you summarize exactly what services and value your IT operation provides? “Serving the needs of my customers” isn’t a good enough answer. Trying to be everything to everyone generally results in being useless to everyone.

The biggest risk to an internal IT operation isn’t external contractors; it is poor customer service. Let’s discuss how to reduce that risk.

Solutions: Start with the basics

Do you know what your staff members are working on? Are they using a clearly defined service catalog, adhering to a service-level agreement (SLA) and using a professional services automation (PSA) system? These are basic governance documents and operational tools that should be deployed in even the smallest IT operations, but they are often absent even in large, well-funded IT organizations. Indeed, smaller organizations with scarce resources would benefit most from these tools.

Instituting just a few of the basics will dramatically improve your IT service operations. Let’s take a look at three best practices you should be using. We can think of them as a poor man’s ITIL (IT Infrastructure Library), but you don’t need a full-blown ITIL implementation to improve the efficiency of your operations. Use common sense, a structured approach and a cycle of continuous improvement. The perfect time to begin is right now!

Service catalog

A service catalog is “an organized and curated collection of any and all business and information-technology-related services that can be performed, by, for or within an enterprise.” (Wikipedia)

The catalog should be developed with your executive leadership so a clear and universal understanding of the services you are providing is available to your customers. Which services are provided internally and which will be performed by external contractors? How much do they cost? When are they available? There is a downside to service catalogs, but this can be managed.

Focus on high-value services that you can realistically support. Strive for quality rather than quantity. Doing a few things well is preferable to doing many things poorly.

Service-level agreement

SLAs are often treated as requirements for external vendors, but why shouldn’t internal service providers be held to the same standards as external ones? CIO provides good discussions here, here and here.

Once you have an SLA in place, it must be enforced. You are the manager, so do your job and start managing.

PSA system

An overarching problem in our industry is that end users often complain that IT is not responsive to their requests for service. Is that really true? Did they really report a problem to IT or did they just go home and tell their cat? Or did they casually mention their problem in the break room? All encounters between IT personnel and end users should be fully documented in a highly automated PSA system that has audit trails and escalation policies.

Lack of a PSA system is my biggest IT pet peeve. There is no excuse for not having such a system, and they are downright cheap compared to the cost of IT labor. In an IT assessment or audit, the lack of an auditable system to manage service requests can bury you — the vulnerable CIO or IT director. The reports and data from such a system can prove what a super manager you are. Or they can demonstrate your total incompetence.

You will incorporate your catalog of services and SLA into your PSA system.

It’s no accident

Providing superb, high-value IT customer service doesn’t happen by accident. By following a few relatively simple steps, and having discussions with your executive team, you can dramatically improve the quality of your operations.

© Copyright Jeffrey Morgan, 2016

This article was first published at http://www.cio.com/article/3126384/leadership-management/what-is-the-biggest-threat-to-internal-it-departments.html on CIO.COM.


Managing line-of-business projects

By Jeffrey Morgan




How can you distinguish a green CIO from a seasoned one? That is simple! The newly minted CIO will agree to manage a line-of-business (LOB) project.

A colleague recently related this story to me: “When our hospital’s executive team held a meeting to announce they were pursuing a new EMR (electronic medical records) solution, the CIO immediately stood up and said, ‘We will gladly provide IT support, guidance and leadership, but this is a line-of-business project and an LOB expert should lead the project.’” That’s a savvy CIO! He will still have a job if the project sinks into the cold, dark abyss of failed enterprise initiatives.

Line-of-business projects are shoals no CIO should ever enter unless he or she is an expert in that specific business. Whether you are a hopeless ingénue or a good captain ordered to enter those dangerous waters, you’ll need a really detailed map that you may have to build yourself. That map includes a deep understanding of specific business requirements, workflow, expertise in industry best practices, regulatory compliance and much more. If you scrape your hull against just one hidden iceberg, you might end up going down with the ship.


Assessing business requirements

Do you have trusted staff members qualified to identify and analyze all the business requirements for such a project? I’m not sure what qualifies someone to perform this type of work. I learned it from 15 years of studying composition and music theory that included five years of graduate school. If you analyze and account for every note in hundreds of sonatas and symphonies, complex business processes will seem simple by comparison.

Learning a new business process is a lot like learning a new piece of music: You immerse yourself in it for days, weeks, months — whatever it takes. You examine the processes from every perspective, map out the requirements and isolate the difficulties. Switch views between the micro and the macro constantly. You should always be thinking about what the end product will ultimately look like from the beginning of the project.

I’ve seen programmers, engineers, business types, clinicians, sociologists and others do it well. I have been less than impressed with IT staff performing these tasks, but maybe I am jaded from 20 years of salvaging or condemning failed enterprise projects. Often, those projects were unsuccessful because they were approached from an IT perspective rather than from a line-of-business point of view. In many of those projects, end user concerns were marginalized and invalidated in favor of some nebulous IT agenda. In the finales, the end users always got their revenge.

Beware of dragons

There’s another reason why a CIO might volunteer to manage an LOB project — empire building. This is another characteristic that distinguishes the seasoned CIO from the guppy. Successful CIOs drive in their lane. They follow my Nana’s sage advice: “Mind your own beeswax.”

I don’t understand what drives some IT executives to get involved in “improving” business processes in another department or division, and these attentions are often unwelcome in the enterprise. Time and again, these activities are driven by the CIO’s failure to manage his or her own operations well. “Nothing to see here folks, look over there.” If you have time to worry about other people’s jobs and activities, you either don’t have enough to do or you’re doing it poorly.

Should you still have aspirations for building an empire, do some research by binge-watching a few seasons of Game of Thrones. If you have the required analytical skills, and the project turns out to be a success, you may be knighted for your excellent work. However, when things go wrong, aspiring kings and emperors are poisoned, lose their heads or end up uttering “Et tu, Brute?” as they are ushered into a premature retirement. That unassuming line-of-business executive you stepped on might have a few dragons at her disposal.

Empire building is bad for business and bad for everyone in the organization. It creates conflicts and resentments and it can lead to massive project failures.

The root cause of enterprise project failure

Why do enterprise and line-of-business projects so often fail? Although it has been written about for 2,500 years by everyone from Aeschylus to Tom Wolfe, the answer isn’t taught in business school. We all learned about the root cause of project failure in high school English class but most of us seem to have forgotten those important lessons. Or perhaps we have never bothered to apply metaphors learned so long ago to our careers.

At the root of it, projects fail because of hubris. The hubris I have seen over the years from CIOs, CEOs and CFOs who were overseeing failed projects has always been incredible to behold. Overconfident and underprepared, they set sail without a compass, a map or enough provisions for the journey. They left port trying to catch a whale with a crew that only knew how to catch minnows. They cast off without knowing where they were going, and they are always astonished when they end up lost at sea. The next time you are asked to manage an LOB project, don’t make the same mistakes.

This was first published on CIO.COM at



The ACA and the death of medical privacy


By Jeffrey Morgan

I never sign medical release forms anymore. That’s because I read them. These forms tend to be lengthy documents which ultimately state that your medical records can be shared with just about everyone on the planet.

Don’t believe me? Here’s the first paragraph of a 2,000-word explanation of how PHI (protected health information) can be used by a nationally recognized pediatric provider:

Quality Improvement Activities: Information may be shared to improve the quality or cost of care. For example, your PHI may be reviewed by XXX XXX or outside agencies to evaluate and improve the quality of care and services we provide.

Outside agencies? Are you kidding me? Why would you sign that release?

Three can keep a secret if two of them are dead

Maybe I’m just an old-fashioned Luddite, but I prefer to be treated by a doctor rather than a corporation. A private practitioner who has a personal relationship with me is much more likely to take steps to ensure my privacy. Once those records are on a corporate network, my chances of privacy are considerably diminished. If my records are accessible to a RHIO (regional health information organization), the probability that I have medical privacy is near zero.

The problem isn’t necessarily one of policy or procedure; it’s more human behavior. Clerks and bureaucrats at Giga Health Services or the RHIO don’t know me and aren’t likely to care if my records are released to someone who shouldn’t see them. Their pockets are too deep for me to sue, and chances are that I wouldn’t ever even know whether my information was inappropriately or illegally disclosed.

Opt-out programs are a privacy abomination

In the cases where I have refused to sign releases, I was at least presented with the option to opt in based on informed consent. Opt-out programs are far more insidious, and I know of at least one DSRIP (delivery system reform and incentive payment) program in New York that is using opt out as the basis for its privacy policy. The most vulnerable behavioral health clients, some of whom are paranoid or unable to understand the impenetrable legal jargon, will receive letters in the mail with an opt-out form to sign and return. If they don’t return the form, they have automatically agreed to the release of their medical information. Does that constitute informed consent? Will they understand it? Will they even open the letter?

Providers, CIOs, mental health directors, public health directors, and consumers should all be campaigning against the erosion of privacy that results from extensive sharing of health information. Instead, they are drinking the Kool-Aid and rolling over.

The Affordable Care Act has exacerbated the problem considerably, and I read all too much from healthcare IT industry pundits about the need for increased sharing of information and more “visibility.” This is all rationalized by dubious claims about saving lives and “improving outcomes.”

We’re all team players

In county and municipal government, it is often the case that consumers getting public or mental health treatment may also be involved with other departments, including social services, law enforcement, the court system and probation.

“We’re all on the same team, we’re all county employees. Why not show us what’s in those records?” asks the sheriff. The correct response from health officials should be “Get a subpoena, prepare to show cause, and we’ll see you in court buddy!” Unfortunately, a common response is “Sure, let’s have a look. We’re all team players here.”

I know what you’re thinking. “Those people might be criminals! They wouldn’t do that with my records.” Yes they will. Even worse, you might be saying “I have nothing to hide. I don’t care who sees the information.” Not everyone would feel the same way, and many public figures have refused to release their medical records and even their academic records.

Once we begin to get cavalier about disclosure of PHI and other personal information, we are way past the slippery slope stage. We’re already rolling down the mountain in an avalanche. Redisclosure is governed by federal and state law and the problem isn’t restricted to local government entities. State and federal law enforcement and intelligence officials are likely to be granted access to PHI and all sorts of other personal information as well, without any of the legal protections that should be in place.

What’s the role of IT in protecting privacy?

CIOs should be playing a greater role in protecting privacy, but very few IT professionals have had any training on the subject. How many IT people do you know who are familiar with 42 CFR Part 2?

There are so many questions. What happens when IT directors receive subpoenas to provide protected information? Would they fight, or comply? Would they have any idea of how to respond? And what if your SaaS vendor gets the subpoena, circumventing professionals who will know how to respond? Is that addressed in your contract? Extensive training in privacy should be part of the tool set of every IT professional, but this is not currently the case.

So, next time you go to the hospital, read the release and privacy policy before you sign it. Let’s all opt out together!

This article was first published on CIO.COM at:


© Copyright Jeffrey Morgan, 2016



The high price of complaining

Take a breath

By Jeffrey Morgan

“Private Stooper, front and center! Assume the front leaning rest position.” That’s army talk for get ready to do pushups. It’s a bitterly cold January morning at Fort Leonard Wood and every drill sergeant is here. Even the first sergeant and a couple of lieutenants showed up, which never happens. There are 200 recruits standing in formation freezing our butts off and the vapor rising from the ground has created an eerie, surreal atmosphere. What on earth is happening?

“Private Stooper,” the drill sergeant shouted in his North Carolina drawl, “I spoke with the Colonel yesterday afternoon. It seems your mama called him. Start beating your face!” That’s army talk for start doing pushups. “Knock ‘em out till I get tired. It seems you don’t like the conditions here in Charlie Company. You don’t appreciate the gourmet food and you don’t like the luxurious accommodations we provide.” Stooper is weeping like a baby and still doing pushups, occasionally shouting “Yes Sergeant.” At one point, there were about 6 NCOs standing over him screaming. The hazing seemed to go on for hours. We all felt sorry for the guy, even though he was a pretty big screwup.

What’s the message?

The message was clear – don’t complain or your life will get a whole lot worse. In many public sector IT audits I have done, I have found that the IT Director and staff used the same tactics as my drill sergeants. If end users complained about the horrendous customer service provided by the IT Department, the IT staff would punish and humiliate the culprits in order to train the rest of the staff not to complain. It’s a common practice and not only in the public sector. Is this happening in your organization? If it is, how would you know? Everyone is afraid to be Private Stooper.

IT and Customer Service Best Practices

Many of the IT Departments I encounter aren’t using any best practices for Information Technology Governance and aren’t concerned with customer service. They are an internal service organization, don’t face the public, and don’t feel any pressure to achieve acceptable industry standards for performance. They get a paycheck whether or not they actually solve problems. The root cause of this problem is lack of executive oversight and non-tech executives frequently have no idea of where to begin or what to do. They are stumbling in the dark.

Here are a couple of DIY steps for approaching customer service problems with IT.

  1. Draft and adopt a service level agreement.
  2. Acquire a Professional Services Automation System and use it according to industry best practices.
  3. Establish a Tech oversight committee, chaired by an assertive advocate for better IT services. Don’t let the IT Director hijack this role.
  4. Write a strategic plan (or hire a consultant to do an audit and strategic plan). If followed, this sort of plan will quickly pay for itself and can save you hundreds of thousands of dollars a year. But, only if you follow it and make the hard decisions.

Your IT Department, and all your public sector departments, should be trying to provide customer service that is on par with Amazon. How well is that working out for you?

I’m sure you are wondering what happened to Private Stooper. He loved basic training so much that he went through it a second time. Feel free to send me an e-mail and share your army stories or your concerns about customer service in your organization, and don’t let your users or customers get treated like Private Stooper.

This article was first published on Careers in Government at: https://www.careersingovernment.com/tools/gov-talk/about-gov/high-price-complaining/

© Copyright Jeffrey Morgan, 2016



Just get a woman to do it!

By Jeffrey Morgan

Have you ever sat in a meeting and asked yourself, “How in hell did this guy get an executive job? He must have pictures of board members doing it with goats! What a maroon!” Me too. Way too many times. Over the course of the last 30 years, I have come to one conclusion – if you want a job done right, get a woman to do it!

Let me qualify this just a tad. I have worked with numerous amazing executives and managers, both male and female. However, there are far too many overconfident, swaggering peacocks blundering around the business world. They slap too many backs at the golf course and the Lions Club while devoting minimal time and thought to their business operations. It’s the same whether we’re talking public or private sector.

The engineering sometimes amazes me. How can a walnut-sized processor operate an ego the size of Antarctica? I am certain you know the person I am talking about. The probability that any individual is good at his or her job is only about twenty percent, but many managers and executives are successful at faking it for years or even decades.

Women are less entitled

In general, I have found women to be easier to work with. They don’t have the baggage and sense of entitlement that men often bring to the job. They have had to work harder and are more interested in details. They’re cautious and thoughtful.

Women are more likely to have knowledge, skills and abilities because they had to work their way up whereas men have often been dropped right into management positions out of university because they have “management skills”, a dubious concept.

In my opinion, management isn’t really a primary skill – but it’s a great secondary one. Working for a “big-picture guy” is always a challenge. Working for a thoughtful woman is a more rewarding experience – that’s how I found my wife!

Even in middle management and supervisory ranks, male conceit is an impediment to projects that involve systemic changes. Men get their backs up right away and start presenting obstacles. Every idea or suggestion is taken as a personal attack. “I was wrong” is an admission few men are able to make, especially among executives and senior managers. I don’t know if this male quality is a genetic or a social construct, but it is real.

Poisoning your enemy

While it has been said that poison is a woman’s weapon, I’ve certainly been poisoned and stabbed in the back much more often by men. They’re so used to getting their way that they don’t know how to compromise through debate and discussion. Women are more likely to contemplate and reflect rather than declare war, or even worse, the type of secret guerilla warfare operation in which men often engage. Women negotiate and men dig a trench.

Golf Course Promotions

Men have a sense of privilege. They think their career is supposed to go a certain way because they belong to the right clubs and golf with the right people even if they have absolutely no neural activity. Women simply work hard.

Through a genetic accident, I lack both the “Sports” and “Joiner” genes, so I am naturally skeptical of such activities, especially Golf. The Golf Course seems to be where most of the really bad business decisions are made and where the truly incompetent often get their promotions.

I suspect many CXOs make software purchasing decisions somewhere between the first and nineteenth holes. “Joe says TBQ makes the best ERP. Make it happen and don’t bother me with the details. Let me know when it’s done – you can text me at the golf course!” Maybe this explains why $40 Million implementation cost overruns are so prevalent.

Women approach complex business problems with open meetings where they solicit a variety of viewpoints and try to understand the entire scope of the situation. They will agonize over details while a man in the same position will often make a snap decision without a second thought. That kind of hubris always frightens me.

This may all seem like a sweeping generalization, but that is what I do for a living. Next time you want a job done right, just get a woman to do it! If you want to pick a fight over what I’ve said, feel free to e-mail me or take a look at my blog on Information Technology Governance.

© Copyright Jeffrey Morgan, 2016



How to survive an IT Management Audit

By Jeffrey Morgan

This is a test. Which of the following are common occurrences during IT Management Audits?

  1. Staff members quit.
  2. Staff members break down in tears in front of the consultants.
  3. Staff members fly into a screaming rage at the consultants.
  4. Staff members lie to the consultants.
  5. Staff members refuse to cooperate.
  6. All of the above.

If you selected item 6, you get a gold star! There is no reason for any of these behaviors but they occur all too often, especially in organizations in which audits are not routine events. The consultants are there to identify problems and help improve operations. They wouldn’t have been hired if everything was peachy keen, but Information Technology management and staff members rarely see it from this perspective. Identifying the problem is the first step to recovery. All Information Technology organizations should be managed as if an audit is imminent. How would you fare if auditors walked in the door tomorrow morning?

Why are you being audited?

There are many reasons for conducting audits, but following are the four I encounter most often.

Regulatory compliance audits

In market sectors such as Financial, Behavioral Health, Medical, and Pharmaceutical, periodic audits are the norm and the guidelines are clear. In any given year, a Behavioral Health clinic in NY State, for instance, may be required to undergo 4 separate audits including Medicaid, HIPAA, OMH (Office of Mental Health), and OASAS (Office of Alcohol and Substance Abuse Services). In many of these cases, the auditors show up unannounced or on very short notice.

Compliance audits aren’t technically management audits, but the scores on such audits are certainly a direct reflection of management’s performance. Would your policies, practices, procedures, and documentation measure up to the scrutiny to which a Behavioral Health clinic is subjected?

Performance audits or ‘What’s wrong with our IT operation?’

Often, members of the IT management and staff think they are doing a spectacular job but the customers and executive management disagree vehemently. In the worst cases, end users are preparing their pitchforks and torches in case the audit doesn’t bring about some positive performance outcomes. These audits are tough; the IT staff is defensive and they all assume that the consultants are there to fire them. Sometimes, the hostility reaches levels that make me feel like Patrick Swayze’s character, Dalton, in the 1989 movie Road House. I have been accused of cherry-picking information, interrogation, and cross-examination and I have been screamed at in front of a large audience. The truth is, I am simply researching a complex problem and I will work diligently to provide answers to the people who are paying me to do so.

During these audits, employees sometimes resign even before the final report is released. This is unfortunate because poor performance is a reflection of management rather than staff. At other times, excellent employees leave because they have had their fill of ineffective management. Frustrations become bitter tears dripping on the conference room table, even from managers.

New management

Sometimes, incoming executives want an X-Ray of organizational performance and requesting an audit is an intelligent professional move. They want a clear distinction between the previous management’s practices and their own and they use the final report to establish a program of organizational change.

IT is too expensive

Occasionally, IT audits are conducted because executive management considers the IT operation too expensive. They want an independent audit and a strategic plan that shows all the viable options.

4 tips for a lower stress audit

If the auditors are coming next week, there probably isn’t much you can do to improve the outcome, but there is plenty you can do to make the process more comfortable for everyone involved.

Answer binary questions with binary answers

When questions requiring a Yes or No answer are met with lengthy explanations, it is a clear indication of a problem. When I ask if you have documentation of your daily security log validation, just say yes or no! If you don’t have the required documentation, no amount of explanation is going to help. Also, I am not really interested that you are going to begin implementing your security program next month. Good for you, but I only care about what your actual practices are at the time I ask.

Don’t lie, embellish, or bury information

I always walk into audits and assessments taking a neutral, objective stance and I appreciate clients who don’t try to pre-program me. I will selectively ask for evidence or documentation for every statement you make and false statements will certainly damage your credibility. When subjects provide evasive or ambiguous answers, my inner Columbo puts on his trench coat. Equivocation and rationalization drive me to keep searching until I get the answer. Just tell the truth.

Instruct your staff to cooperate politely

I recall one compliance audit where a staff member served up every document request with a plate full of anger and hostility. The odd thing about it was that all her ducks were in a row, which is pretty unusual. So, why the anger? Don’t unleash it on the consultants.

I remember several engagements where the IT staff tried to tell me that their IP addressing schemes and Visio diagrams were secret. Huh? As soon as I retrieved my jaw from the floor, I went over their heads and arranged for delivery of the requested information. These events created suspicion and hostility that weren’t required.

In two organizations I contracted with, staff members claimed their Security Policies were secret! How does that work? These sorts of behaviors are indicators of significant departmental and organizational problems.

Prepare documentation in advance

All documentation including policies, procedures, infrastructure documentation, logs, hardware and software inventories, PSA system reports, etc. should be readily available for the consultants. They will ask to see it. I generally ask for all this information before I go on site for the first time and I am always appalled by the number of organizations that have none of the documents that are generally accepted to be components of a solid Information Technology Governance program. Sometimes these data dumps include reams of irrelevant information in the hope that I won’t find the smoking gun.

Auditing for organizational culture

I include a frank assessment of departmental and organizational culture in my reports and it is sometimes less than flattering. Delivering this information to executives and managers generally creates a tense silence while they try to chew and swallow that particularly tough piece of meat. They rarely argue because they know it’s true, but few have dared to state the obvious out loud. A realistic and objective assessment of company culture is required to address the root causes of problems. Bad management, inefficiency, malfeasance and incompetence have often been enabled for years before an audit is finally initiated. Interdepartmental politics, turf wars, jealousy, meddling and backstabbing all contribute to the problems at hand and managers throughout the organization are responsible.

In many cases, executives and managers have worked in large, bureaucratic organizations for their entire careers and they can’t see the signs of broken company culture. They think bad behavior and dysfunction are the norm.

The final report

If the final report is not a testimonial of glowing praise for your IT operation, I urge you to sit back and reflect carefully before lashing out. The report is a mixture of data, facts, and input from your coworkers and end users. I always base part of my conclusions on both formal and informal interviews with end users and managers from every department in an organization. What ends up in the report is a reflection of what your colleagues really think about your operation. My career started with a four-year stint in army intelligence and I actually do cross-examine and interrogate. The natural inclination of some IT Directors is to argue and pick apart every statement and conclusion in the report, but this is definitely the wrong approach.

A nearby local government entity with which I am familiar recently received a failing audit from a state regulatory agency. It wasn’t a first-time fail and the endemic problems have been simmering for decades. Several executives from this entity made statements to the press that the audit “was a gotcha audit. It’s all about paperwork and there is nothing real here. We’re providing excellent services.” Talk about denial! I believe they will come to regret those statements since the infractions were extremely serious and they will likely have to return millions of dollars to Medicaid. They may call a missing signature “a gotcha,” but Medicaid calls it fraud. Their culture is so broken that they really need a turnaround expert and complete replacement of the management, but they haven’t reached rock bottom yet, apparently.

In recovery

The correct response to a failing audit is to contemplate the report carefully and develop a proactive remediation plan immediately. Humility may save your job, but you can’t step off onto the recovery road until you admit you have a problem.

Ask for help. Operations that have been dysfunctional for years can’t be turned around overnight. Organizational culture may inhibit a turnaround and objective, external assistance may be required.

Listen to what your colleagues and objective auditors had to say and take it seriously. Don’t go swimmin’ in denial.

If you would like to discuss an audit for your organization’s IT operation, e-mail me at jmorgan@e-volvellc.com.


This article was first published on CIO.COM at: http://www.cio.com/article/3082124/leadership-management/surviving-a-management-audit.html

© Copyright Jeffrey Morgan, 2016


Fire your annual performance review!

The Ultimate Manager

By Jeffrey Morgan

My English Shepherd, Birdie, is the ultimate manager. Now that lawn and garden season has finally arrived, he is always barking at the crack of dawn. “Up and Adam! Time to get working in the garden. Hop to it!” As soon as we are hard at work, Birdie digs a hole so he can snooze in the shade while we work up a sweat. That could be you! Birdie knows that each season brings different projects on which we have to focus. Our activities change quarterly and our short-term goals and objectives must change with them.

Are your employees and managers coming to work every day with a fire in their belly to produce results? Do they have a daily action plan to propel them to achieve ambitious goals by the end of the quarter?

If Birdie was a manager in your organization, he would insist that you abolish your ineffective Annual Performance Reviews and switch to Quarterly Goals and Objectives, also known as OKRs (Objectives and Key Results). I worked for a Fortune 500 company while I was in graduate school and the company was using them to drive productivity and achieve results as part of their Total Quality Management (TQM) program. They are an incredibly effective management tool!

“Jeffrey,” you say, “Hold the phone! That’s crazy talk! I don’t have time to meet quarterly with all my managers to establish goals and objectives.” Frankly, you don’t have time not to. Consider it a small investment of time that will reap huge rewards for your county or municipal organization.

Annual Performance Reviews in Many Government Organizations

Maybe your organization is different, but from what I have seen during 23 years in state and local government consulting, annual performance reviews are treated as a nuisance that everyone tolerates. No one has any idea what their goals were from their last performance review. In some organizations, almost everyone gets a gold star every year. Even the poorest performers get stellar reviews and you have no case at all if their employment eventually needs to be terminated. After the review, the document is buried in a folder and remains there until next year.

In 1982, W.E. Deming called for the eradication of the Annual Performance Review in his book, Out of the Crisis. In his words, “the annual performance review sneaked in and became popular because it does not require anyone to face the problems of people.” He goes on to say, “A leader, instead of being a judge, will be a colleague, counseling and leading his people on a day-to-day basis, learning from them and with them.” Here we are, 34 years later, and many government organizations are still using ineffective 1950s management practices.

Driving Performance

If you want to drive performance, you should have three sets of Goals and Objectives:

  1. Organizational Goals and Objectives
  2. Department Goals and Objectives
  3. Individual Goals and Objectives

There are numerous Internet resources and tools available for assistance with developing OKRs. According to Emily Bonnie from Wrike (@Emily_TeamWrike), OKRs must be “Ambitious, Measurable, Public, Graded, and at least sixty percent of goals should be ‘bottom up.’” I have previously written about the need for bottom-up and inside-out management of software projects here.

Follow Birdie’s advice: Fire your Annual Performance Review and adopt a more effective management tool that will drive your team to productivity.

If you would like to discuss performance in your organization, please e-mail me at jmorgan@e-volvellc.com. Let’s talk!

This article first appeared on Careers in Government at https://www.careersingovernment.com/tools/gov-talk/career-advice/on-the-job/fire-annual-performance-review/



We’ve just always done it this way!

By Jeffrey Morgan


Paper, Like Comets

Pink sheet, Blue Sheets, One Sheet, Two Sheets. No, it is not Dr. Seuss. It is your dysfunctional business forms, practices and processes. The forms are often launched by employees who have done the same job for the last 40 years and last cracked a smile when Jimmy Carter was President. Paper drifts around the universe of your office like comets through the solar system and no one knows what purpose it serves. Boxes must be checked and initials applied. It absolutely must be done and every box must be checked, you see.

No Delegates

Sometimes the forms contain sensitive information like social security numbers and there is no privacy or security policy in existence. The document is stuffed in an inter-office envelope and launched to the next planet for more signatures and boxes to be checked. If someone goes on a two week cruise, the form sits on their desk until they return and get through the backlog of paper because only one person has the authority to sign. There are no delegates. Then the massively important piece of paper goes in a file where it remains undisturbed for decades.


We’ve just always done it this way. If I’m lucky, that statement will be followed up by my favorite punch line: I’ve been doing this since you were wearing diapers. I don’t need you to come in here and tell me how to do it.

Is my assessment harsh? Maybe. Is it true? Probably. Be honest. Does this sound like operations in your organization?

We don’t take partial payments!

My father was in the bar and restaurant business. By the time I graduated from high school, I had done every job in those establishments. When I was tending bar, my father taught me to always take the money. If someone slapped a $20 on the bar, I rang up the tab and gave him change right away and provided it in denominations that provided a convenient opportunity for a tip. This is smart business, right? Take the money.

On several occasions, I have seen utility customers standing at a window (ironically labelled Customer Service) trying to pay their utility bill. They scrounged all their change from the crack in the sofa and from under their car seat and came in to pay their bill but they’re $1.49 short. We don’t take partial payments. You have to come back when you have the full amount. You don’t take partial payments because your system either can’t handle it or because your staff isn’t trained on the new feature that does allow partial payments.

You’ll Have to Come Back Another Day

Here’s another example I recently encountered. Standing in front of me at the reception desk in a government facility is a gentleman with his daughter.

I’m here for my daughter’s appointment.

You’re not in the system. We have no record of an appointment for today.

But, here is the stamped appointment card you gave me on our last visit.

You’re not in the system. You’re not on the calendar. You’ll have to make another appointment and come back.

But, I took the day off of work to bring my daughter to this appointment. It may be months before I can get another day off of work.

You’re not on the calendar. You’ll have to come back. Next Person Please!

If any of these examples describe your business operations, you have several issues to address. You need to work on your business processes as well as customer service. Poor customer service and inefficient business processes cost money. You can fix them and save money by doing so and you can read about it here. Improving quality of service lowers costs.

If you would like to discuss your business processes and ways to automate and improve them in your organization, feel free to send me an e-mail at jmorgan@e-volvellc.com. You can read more about business processes and other Information Technology issues on IT Governance for Executives.


6 Must Have Qualities for an IT Director

By Jeffrey Morgan

Buyer’s Remorse

There’s nothing worse than that gut wrenching feeling of buyer’s remorse. You have been anxiously awaiting the arrival of your expensive, shiny new gadget and have high expectations. You open the box and find that it is beautifully wrapped. You unpack it, plug it in, and . . .

Nothing. It’s a dud!

If you bought it from Amazon, you can just send it back for a refund. If it’s your IT Director, there’s no return shipping label enclosed.

Hiring is always a risk, but there are several qualities you can look for to improve your probability of success. Your new, amazing IT Director will have the following six qualities:

Fluency in the Language of Business

There is no such thing as an IT project; there are only business projects. In the interview, your potential IT Director should want to discuss Executive Goals and Objectives, Return on Investment, Total Cost of Ownership, Vendor Management, Service Level Agreements and Key Performance Indicators rather than speaking in technical jargon. He or she must possess expert knowledge of the business processes that drive your organization in addition to having a solid understanding of the required underlying technology. You can contract outstanding technical skills, but someone with the vision to make it all work together for the good of the business is a rare gem.

Passionate about Customer Service and Productivity

There is no longer a place in the industry for IT operations that don’t deliver outstanding, high value customer service. Your new IT Director must know how to make that a reality with leadership, service level agreements, metrics and measurable goals. Look for a history of customer facing experience. Making angry customers happy is a more important skill for an IT Director than writing brilliant code in a locked office.

Obsessed with Quality

Improving quality of services always lowers costs and your new IT Director understands this. He or she will strive to perfect the delivery of services across your organization and understands a continuous cycle of improvement.

Collaborates Rather Than Dictates

Your new IT Director should be listening 90% of the time and talking very little. County & Municipal organizations are complex operations that may have 2 dozen or more independent Line of Business operations, each with its own regulatory compliance issues and special requirements. In order to provide effective solutions, your new IT Director must be able to hear what his or her customers are saying and translate that information into solutions that meet the customers’ business criteria. Your departments, business processes and requirements will drive your IT Director.

Technology Neutral

Your new IT Director must be open to achieving business goals and objectives by exploring all available solutions, processes and technologies rather than throwing the same tired and ineffective products at every new business problem.

Loves Industry Standards, Policies, and Procedures

Industry Standards and organizational policies and procedures are fascinating and glamorous; or so your new IT Director should think. There are numerous, proven standards, methodologies, and best practices available and your new IT Director will take advantage of this huge body of knowledge. There is no need to reinvent the wheel. He or she should be comfortable discussing standards like ANSI/TIA/EIA-568, ISO27001, HIPAA, ITIL, and others. Failure to understand and follow proven standards and methodologies is expensive. Your new Director should also be ready to collaborate with your HR and Legal Teams to ensure that appropriate policies and procedures are in place.

If your IT Director has the appropriate combination of all these skills, you are all set for a productive relationship in the years to come.

This was first published on Careers in Government at:

Municipal IT Director: 6 Must Have Qualities

Copyright © Jeffrey Morgan 2016
