Copyright 2004 Information Systems Audit and Control Association. All rights reserved. www.isaca.org.

IT Governance and Corporate Governance at ING

By A.H.G. Rinnooy Kan

uch has been written during recent months and years about the growing importance of strong governance in todays volatile and challenging business world. This has had particular resonance following the accounting and related scandals at diverse organisations such as Enron, WorldCom, Global Crossing and Ahold. This article is intended to demonstrate how the global financial services group ING is rising to these challenges and, in particular, how the organisation has managed its IT governance responsibilities.

IT governance is a subset, a very important subset, of governance as a whole. ING cannot afford to apply to its IT governance anything less than the commitment it applies to overall governance, according to the company. Like all global financial services organisations, ING is totally dependent on information technology, not just to support and enhance its business, but increasingly to enable it. Todays global financial markets have IT as their lifeblood. The organisation is reliant upon it 24/7/365 days a year. Without IT, there would be no business.

About ING Group

ING Group is a global financial services institution of Dutch origin offering banking, insurance and asset management to 60 million private, corporate and institutional clients worldwide. ING is a multiproduct, multidistribution company, approaching the customer through his/her channel of choice. The company comprises a broad spectrum of prominent businesses that increasingly serve their clients under the ING brand. ING employs more than 115,000 people, and 70 percent of its stock is held outside the Netherlands. In todays financial markets the group has a current market capitalisation of some 23 billion and total assets of more than 700 billion (Note: as of March 2003). Its asset management business has approximately 450 billion of assets under management. ING is a large and diverse business that has grown significantly in recent years through a combination of autonomous growth and targeted acquisitions. The organisations corporate governance and transparency have been improving continuously since ING was created in 1991. This year, INGs governance will make a big step forward, as it moves away from a typically Dutch governance structure toward a structure that is better adapted to the needs of an international company that has 70 percent of its shares held by non-Dutch investors. ING claims to have full commitment to corporate governance and, as an integral part of achieving its governance objectives, also has full commitment to governance of its IT investments and operations.

IT Road Map
As part of its annual planning exercise, ING produces an IT Road Map. This is designed to set out the current high-level issues concerning its use of IT. It also outlines the organisations current priorities for IT investment and addresses the way in which it will continue to ensure that IT is properly aligned with the needs of the business. The highlights include: The need to continue the existing focus on e-business and leverage further the success so far achieved. The emphasis in this area is very firmly on further benefits realisation. The need to ensure that technology properly provides solutions to current business challenges including: Increasing customer centricity Optimising distribution channels Improving operational efficiency and driving down operational costs Improving organisational agility Ensuring operational resiliencebusiness continuity and security Increasing information intensity and availability Optimising cost structures (through, for example, Straightthrough Processing) Maintaining a close watch on new technologies such as ubiquitous computing, location sensing, grid computing and web services Identifying key trends and issues from the IT dashboard exercise (to be discussed later) This information allows for the definition of the organisations IT agenda and priorities which include: Sourcing Business architecture alignment Rationalisation, consolidation and standardisation Improved information and metrics Security IT governance Yes, IT governance is one of INGs key focus areas.

Governance: Corporate and IT

There are many definitions of corporate and IT governance, all expressing the concept that running a business must be a well-organised activity carried out by professional people who accept full responsibility and accountability for their actions. In other words, a well-governed company is not gambling with other peoples money, whether it be in a new acquisition or an investment in technology.

INFORMATION SYSTEMS CONTROL JOURNAL, VOLUME 2, 2004

Addressing IT Governance at ING

The IT Governance Institutes Board Briefing on IT Governance (now in its second edition) encourages boards of directors to seek answers to questions such as: How does IT add value to the business? How often do IT projects fail to deliver what they promised? Does the board have a clear view on how much the enterprise invests in IT compared to its competitors? The board of directors at ING does ask these questions, and it is a responsibility of the members of that board to ensure that the mechanisms are in place to provide answers. Sometimes, as with all organisations, the answers may make uncomfortable reading, but at least by asking the questions and finding out the answers ING is in a position to do something about identified problems and issues. Ignorance is only very short-term bliss! So what is INGs IT governance structure?

IT Governance Structure at ING

The ING IT governance structure was recently profiled in a Gartner report, Effective Governance by Design, and the model is shown in figure 1. Within ING, a global IT governance structure has been Figure 1IT Governance Model
Executive Board

IT Policy Board
Information Security Steering Committee IT Leadership Council
Strategic Infrastructure Committee

IT Standards Committee

IT Architecture Committee

executive centres (ING-speak for divisions) and the director of the Corporate IT (CIT) staff department. There is also an IT leadership council, consisting primarily of business CIOs who advise the policy board. In addition, to demonstrate the seriousness that ING applies to information security, there is a separate information security steering committee that also reports directly to the IT policy board. The IT leadership council has three subgroups dealing with IT standards, IT architecture and IT infrastructure. ING has particular challenges in many of these areas because of the plethora of inherited legacy systems around the world. ING was created out of a merger and has grown significantly through acquisitions. During the last decade of the previous century, business units, whether a forebear company or an acquired company, had a large degree of autonomy. This has had major advantages for the continuation of business as usual, but it has made it difficult to generate IT-related economies of scale and to leverage synergies and standards among the group. This strategy was abandoned in 2000 when ING rounded out its US position with two major acquisitions. Since then, the integration of systems and infrastructure has been a priority. A key feature of INGs governance structure is the existence of corporate IT, one of INGs group staff departments responsible for policy preparation, the provision of IT advice to the businesses and monitoring the IT activity within the entire organisation. This latter activity is carried out by a small subgroup within CITthe IT performance and investment management team. In addition, there are application forums within the executive centres (divisions) to provide a mechanism for standardising functional application areas (e.g., CRM) across the businesses. The approach is to bring the demand (from the business) and supply (from IT) together to determine the optimum method to move forward.

EC Europe

EC Asia/Pacific

EC Americas

Who Is Responsible for What?

Application Forums AF Regional Infrastructure Group Regional Infrastructure Group Regional Infrastructure Group

This graphic shows INGs IT ownership model, which recognises the different needs and the different characteristics of INGs diverse businesses and provides examples of the responsibilities at each level (figure 2). Figure 2Who Is Responsible for What?

implemented that meshes with its overall corporate governance structure. In this authors view, this consistency is essential to success. Indeed, the recent reports from the MIT Sloan School Centre for Information Systems Research also strongly recommend that IT governance structures integrate with the overall governance model. This helps ensure the strategic alignment of IT with the businessanother important objective of IT governance. This structure is meant not only to improve the quality of the IT function but also to speed up decision-making. Within the board of directors, this author is responsible for IT policy. The policy is set by the IT policy board, which this author chairs. Two additional main board directors also sit on this committee, thus ensuring proper interest and accountability for IT at the board level. The IT policy board consists also of the OPS/IT portfolio keepers of the three

OWNERSHIP MODEL Examples of Responsibility Customers

Customer Data/Relationship Functional Requirements

Differentiating
BU
Differentiating Business Applications

Decentralised

MC
Standard Business Applications

Shared Services Data Centres CRM Strategy GIS Infrastructure Sourcing Strategy Group-wide Architecture IT Policies and Standards (e.g., Security, Group Data Standards, etc.)

EC

Commodity

Enterprise & Infrastructure Applications (HR, Finance, E-mail, Desktop, etc.)

GROUP
Infrastructure (Network, Data Centres, etc.)

Shared

IT Assets

Organisation

INFORMATION SYSTEMS CONTROL JOURNAL, VOLUME 2, 2004

The IT Governance Institute emphasises that you cannot manage what you cannot measure. ING fully endorses this adage. INGs IT governance structure, particularly its accountability to the businesses and to the board of directors, would not be able to function effectively without the provision of regular reliable metrics and benchmarks to help measure value, performance and industry comparability. This is where the IT value and performance team come in, together with the annual IT dashboard exercise.

percent of its total banking business costs. The left pie graph of figure 3 shows INGs total IT costs by IT activity. The pie to the right shows IT costs by cost categoryhardware, software, labour, telecoms and outsourcing. ING employs more than 15,000 people around the world in IT-related jobs; this represents about 13 percent of its total workforce. Figure 3ING Group 2003 IT Cost ( 2438m)
248m (10%) 663m (27%) 90m (4%) 401m (16%)

How the IT Dashboard Helps ING

The IT dashboard process, which is carried out at the same time as INGs annual medium-term business planning exercise, provides the information necessary to: Enable ING, over time, to develop and compare the most appropriate metrics on IT spend, performance and value Help identify positive and negative trends and thus enable best practices to be shared and, where appropriate, managerial actions to be taken Enable direct comparison with specifically commissioned, peer group information Enable direct comparison of metrics among different business units Assist senior business and IT management to exercise their governance responsibilities over IT investments

1209m (50%) 1775m (73%) 490m (20%)

Operations and Maintenance Development and Enhancement

Staff Cost Hardware Cost Software Cost Outsourcing Cost Telecom Cost

IT Metrics
The metrics that are collected and analysed include the obvious yardsticks: IT costs by category and by activity IT staff numbers and costs analysed by activity Full-time vs. contract IT staff Outsourcing ratios Workstation costs IT intensity (IT costs as a percentage of total operating costs) IT related operational risk incidents (number and value) IT security incidents (number and value) ING has paid special attention to develop metrics to followup IT projects and has come to view IT projects as IT-enabled business investments. The corollary is that ING approaches these projects as an asset manager would analyse an investment proposal. For example, ING wants to know projections in terms of time until completion, budget and functionality. Before providing an approval, ING also demands financial transparency and risk/return metrics. This information, together with other metrics collected, including its own solutions delivery performance, results in a risk/return rating of INGs IT investment portfolio and its ability to actively manage the portfolio on the basis of the capability maturity model (CMM). The data are collected from INGs own businesses and from a selection of peer group companies to enable ING to make cross-industry comparisons.

Given the amount of money and number of people involved, this author believes that ING is right to stress the need for excellent governance structures and processes. How else to ensure that the right things are being done with the organisations resources and, as far as possible, the organisation is getting defined value from these investments?

How the IT Dashboard Helped ING with IT Governance

The metrics collected through the dashboard process are merely a means to an end. The results obtained from the analysis help to formulate the right questions and enable ING to focus on specific issues. The kind of questions and issues that ING has identified include: Why future IT expenditure predictions are out of line, in some cases, with the majority of competitors. (Further analysis will enable ING to decide whether this is a positive or negative thing.) The financial transparency of many IT investments is not as clearly defined as it should be; therefore, ING is not always clear on the returns expected from the investment being made. Anomalies have been identified in the IT investment portfolio in terms of risk vs. return. This requires further drill-down to ascertain the true and complete picture. This has led to a board-led requirement to reexamine existing IT investment portfolios. In common with many of its peers, ING is not as good at successful project delivery performance it should be. There has been a clear correlation between project delivery success and higher CMM levels. Therefore, the board has taken action to require all business units to attain a defined higher level within a specified and challenging time frame. Through the IT investment risk assessment methodology that is embedded into the dashboard process, ING now has a far clearer and more complete picture of where its major areas of

INGs IT Cost in 2003

In 2003, ING spent more than 2.4 billion on IT. This is approximately 18 percent of its total operational costs and 25

INFORMATION SYSTEMS CONTROL JOURNAL, VOLUME 2, 2004

project risk are. Hence, this knowledge feeds into an ongoing risk management processes.

Figure 5Shareholder Return in Insurance 1996-2002

An Investors Approach to IT-enabled Business Investments

In IT circles, CIO stands for chief information officer. Asset managers and investors, however, think CIO stands for chief investment officer. ING has successfully mixed banking, insurance and asset management. Now, the organisation is mixing the roles of the chief information officer and the chief investment officer as well, taking an investors view of ITenabled business investments. The straight line in figure 4 shows the financial return expected from a risk-free investment in government bonds. Any investor or asset manager would normally be interested only in investments that do carry some level of risk, with an expectation, of course, that the return would be higher. Figure 4An Investors Approach to IT-enabled Business Investments

PREMIUM GROWTH CAGR in Net Premiums Written (NPW)

PROFITABILITY Op. Cash Flow as % of NPW

CAPITAL EFFICIENCY Op. Cash Flow as % of Assets

4%

30%

Above Average (7 insurers, 9%)

19%

Above Average (12 insurers, 15%)

3%

Above Average (35 insurers, 44%) Total Insurers (80 insurers, 100%)

15%

Below Average (5 insurers, 6%)

7%

Below Average (23 insurers, 29%)

Below Average (45 insurers, 56%)

Source: IBM

a group of best-performing insurance companies in three steps. He used net premiums written, operating cash flow as a percentage of premiums written and operating cashflow as a percentage of assets, as indicators of premium growth, profitability and capital efficiency.

Return (IRR Weighted by Budget)

80% 70% 60% 50% 40% 30% 20%

Risk Rating 1: Low Risk 2: Fair Risk 3: Material Risk 4: High Risk

Outperforming Assets (0)

Total Shareholder Return of Intelligent Growers

Pieroni categorised the seven best-performing insurers as intelligent growers, 18 as efficiently-operated slow growers, 28 as potential intelligent growers and 27 as poor performers. As a group, Pieronis seven intelligent growersAegon, AFIAC, AIG, AXA, ING, Munich Re, Northwestern Mutual outperformed the major stock market indices, even when adding the more volatile years of 2001 and 2002 (figure 6). Figure 6Total Shareholder Return of Intelligent Growers

3 2 4

1
12% Underperforming Assets (-0) 1 2 Risk 3 4 High

10%

Risk 0% 4% Free 0 Rate Low

To measure the return of INGs IT investment projects per risk class, a graph that looks like this one was created. As shown in figure 4, the rewards increase with the risks until one enters the high-risk category. This sort of analysis is helpful to explain what parts of the investment portfolio may not bring the level of return that might be expected. It helps to ask the right questions of business sponsors and of IT to identify problems early and take whatever remedial action may be required. The organisation wants to make sure that every euro it puts into IT is part of a well-prepared, well-researched and measurable investment plan. The organisation manages and accounts for its IT increasingly as an investment centre rather than as a typical cost centre with a narrow focus on budget controls.

1966August 2002
300

CAGR
% Total Shareholder Return
260 220 180 140 100 60 20 -20 -60 1997 1998 1999 2000 2001 2002

IG

+15.0%

DAX S&P FTSE

+6.4% +5.7% +1.9%

NIKKEI -10.7%
Intelligent Growth (IG) Companies

Shareholder Return in Insurance

An IT and shareholder return project was undertaken in 2002 by IBM and taken a step further by ING and IBM together. William Pieroni at IBMs Global Insurance Industry division compiled a performance classification of 80 of the worlds largest insurance companies covering, initially, the period from 1996 to 2002. Figure 5 shows how he determined
INFORMATION SYSTEMS CONTROL JOURNAL, VOLUME 2, 2004

IT Metrics of ING
A relevant question for IT managers is has this outperformance anything to do with IT performance? This is where ING entered the picture. INGs IT metrics included relevant IT data on 16 of the companies included in the IBM study. These 16 companies were also well distributed across the four IBM performance categories. Combining the IBM and ING data results in the following picture; the best-performing insurers: Have a lower cost base (in terms of the ratio of operating costs to premium income) Spend more on IT Spend relatively more on IT development and less on maintenance Have higher outsourcing levels It is not rocket science, but it is intriguing nonetheless.

New Development Cost/Revenue Growth

A comparison of the IT indicators of the best in class from the IBM study with those of ING shows that: The IT intensity within ING was directly comparable with the high performers. ING operated efficiently in terms of operating cost-topremium income ratio. ING was well below best-in-class for percentage of expenditure on new developments. ING spent relatively significantly more on legacy system maintenance. ING took less advantage of outsourcing IT compared to its fellow high performers. These results indicate that it was not INGs IT performance that put ING in the top seven best-performing global insurance companies. ING probably owes its high ranking to the successful mix of autonomous growth and acquisitions during the period covered by the study. The important thing is the lessons learned from the study. Looking forward, it is clear that ING could gain from investing more in new, strategic developments and less in legacy maintenance. ING could also benefit from a greater focus on targeted IT outsourcing. As it happens, ING was already moving in this direction with its operations/IT strategy. Another important thing that was discovered as a result of the study is that this type of analysis is also a great tool for comparing business units within ING. As a follow-up to the comparison with peers, the approach was tested on a number of INGs own insurance business units. A pattern similar to the external study was found. Using the operating cost-to-premium income ratio as the performance metric, the internal analysis showed that: Higher performing business units generally had a higher IT intensity. Higher performers spent more on new IT developments and less on maintenance, albeit marginally more. Higher performers made greater use of external IT labour (including targeted consultancy).

priority. Therefore, ING decided on a further refinement of the study, applying the four categoriestransactional, informational, strategic and infrastucturaldeveloped by Peter Weill at MIT Centre for Information Systems Research. Transactional investments aim to increase efficiency and to reduce costs. Informational technology provides the information for managing and controlling the organisation. Strategic investments are designed to increase competitive advantage, enable the entry into new markets or otherwise enhance revenue streams. Investments in infrastructure, e.g., a new operating system, do not usually in themselves generate any easily directly quantifiable financial benefits, however useful or essential they might be. A study of the 16-company peer group indicated that higher performers invest relatively more in IT projects that fell into the infrastructure and transactional categories. The analysis of 184 internal projects led to the same conclusion: the higher performers among INGs insurance business units spent 79 percent of their investment budget on projects in these two categories against 60 percent for the lower performers. Furthermore, the higher performers spent 14 percent of their IT investment budgets on strategic initiatives compared to just 4 percent for the lower performers. Strategic investments do tend to be high-risk but potentially have very high returns. Therefore, they should take up a measurable part of a properly balanced investment portfolio.

Conclusions
ING believes that the IT dashboard and the IBM/ING research are both very useful. They provide knowledge and tools that improve the IT investment process and help to better manage IT expenditure. The main conclusion is threefold. First, shareholder return is at least partly related to IT intensity, i.e., how much is spent on IT. Equally important is how the money is spent. There is econometric evidence for potentially good returns on IT new development activity. This is consistent with a recent UK study demonstrating total shareholder returns from organic growth based on research and development investment in the engineering automotive and aerospace sectors. In the short term, best shareholder return is generated by transactional (cost saving) projects because they emphasize standardisation and efficiency, which result in lower cost per transaction. However, strategic IT investments must also be pursued to create future revenue growth and to further improve sustainable financial performance for all stakeholders. Entrepreneurial companies, such as ING, are not risk-averse, but they strongly prefer to take a calculated risk. ING is a company that takes both corporate and IT governance extremely seriously and believes that it has taken some innovative and forward-looking steps toward the achievement of world-class IT governance processes. The organisation recognises that it still has a long way to go, but it is proud of what has been achieved so far. With the success that can be demonstrated from its own IT dashboard analysis and the knowledge and the tools that have been developed, ING is considering the potential benefits to the organisation in providing similar IT value and performance services to other organisations as a commercial service. ING believes that the know-how it has acquired through its own

Rethinking IT as an Investment Portfolio

These insights are valuable as they help to improve the organisations IT decisions. However, it remains difficult to know precisely which types of IT investments should get

INFORMATION SYSTEMS CONTROL JOURNAL, VOLUME 2, 2004

initiatives over the last few years will be valuable to other organisations currently facing the same issues. The challenge to INGs team will be gearing up to provide this as an external service whilst continuing to maximise the benefits that are provided to ING itself.

Authors Note:
This article is based upon the transcript of the keynote presentation given by Dr. Alexander Rinnooy Kan at the ISACA EuroCACS Conference, Amsterdam, 24 March 2003. Assistance from John Spangenberg and Paul Williams of ING Corporate IT in the preparation of this article is gratefully acknowledged. A.H.G. Rinnooy Kan is a member of the executive board of Amsterdam-based ING Group, where, amongst other responsibilities, he has direct responsibility for information technology.

References
Broadbent, M.; P. Weill; Effective IT Governance By Design, (Gartner Exp Premier Report) ING Case History, January 2003, p. 42-45 Harding, B.; Total Shareholder Return from Acquisition Growth based on R&D Investment, UK Department of Trade and Industry, The 2002 R&D Scoreboard, 2002, p. 8-32

Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by the Information Systems Audit and Control Association, Inc.. Membership in the association, a voluntary organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive an annual subscription to the Information Systems Control Journal. Opinions expressed in the Information Systems Control Journal represent the views of the authors and advertisers. They may differ from policies and official statements of the Information Systems Audit and Control Association and/or the IT Governance Institute and their committees, and from opinions endorsed by authors' employers, or the editors of this Journal. Information Systems Control Journal does not attest to the originality of authors' content. Copyright 2004 by Information Systems Audit and Control Association Inc., formerly the EDP Auditors Association. All rights reserved. ISCATM Information Systems Control AssociationTM Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, Mass. 01970, to photocopy articles owned by the Information Systems Audit and Control Association Inc., for a flat fee of US $2.50 per article plus 25 per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited. www.isaca.org

INFORMATION SYSTEMS CONTROL JOURNAL, VOLUME 2, 2004