Much has been written during recent months and years about the growing importance of strong governance in today's volatile and challenging business world. This has had particular resonance following the accounting and related scandals at diverse organisations such as Enron, WorldCom, Global Crossing and Ahold. This article is intended to demonstrate how the global financial services group ING is rising to these challenges and, in particular, how the organisation has managed its IT governance responsibilities.

About ING Group

ING Group is a global financial services institution of Dutch origin offering banking, insurance and asset management to 60 million private, corporate and institutional clients worldwide. ING is a multiproduct, multidistribution company, approaching the customer through his/her channel of choice. The company comprises a broad spectrum of prominent businesses that increasingly serve their clients under the ING brand.

ING employs more than 115,000 people, and 70 percent of its stock is held outside the Netherlands.

In today's financial markets the group has a current market capitalisation of some 23 billion and total assets of more than 700 billion (Note: as of March 2003). Its asset management business has approximately 450 billion of assets under management.

ING is a large and diverse business that has grown significantly in recent years through a combination of autonomous growth and targeted acquisitions.

The organisation's corporate governance and transparency have been improving continuously since ING was created in 1991. This year, ING's governance will make a big step forward, as it moves away from a typically Dutch governance structure toward a structure that is better adapted to the needs of an international company that has 70 percent of its shares held by non-Dutch investors.

ING claims to have full commitment to corporate governance and, as an integral part of achieving its governance objectives, also has full commitment to governance of its IT investments and operations.

Governance: Corporate and IT

There are many definitions of corporate and IT governance, all expressing the concept that running a business must be a well-organised activity carried out by professional people who accept full responsibility and accountability for their actions. In other words, a well-governed company is not gambling with other people's money, whether it be in a new acquisition or an investment in technology.

IT governance is a subset, a very important subset, of governance as a whole. ING cannot afford to apply to its IT governance anything less than the commitment it applies to overall governance, according to the company.

Like all global financial services organisations, ING is totally dependent on information technology, not just to support and enhance its business, but increasingly to enable it. Today's global financial markets have IT as their lifeblood. The organisation is reliant upon it 24/7/365 days a year. Without IT, there would be no business.

IT Road Map

As part of its annual planning exercise, ING produces an IT Road Map. This is designed to set out the current high-level issues concerning its use of IT. It also outlines the organisation's current priorities for IT investment and addresses the way in which it will continue to ensure that IT is properly aligned with the needs of the business. The highlights include:

• The need to continue the existing focus on e-business and leverage further the success so far achieved. The emphasis in this area is very firmly on further benefits realisation.
• The need to ensure that technology properly provides solutions to current business challenges including:
  • Increasing customer centricity
  • Optimising distribution channels
  • Improving operational efficiency and driving down operational costs
  • Improving organisational agility
  • Ensuring operational resilience—business continuity
  • and security
  • Increasing information intensity and availability
  • Optimising cost structures (through, for example, Straight-through Processing)
  • Maintaining a close watch on new technologies such as ubiquitous computing, location sensing, grid computing and web services
  • Identifying key trends and issues from the IT dashboard exercise (to be discussed later)

This information allows for the definition of the organisation's IT agenda and priorities which include:

• Sourcing
• Business architecture alignment
• Rationalisation, consolidation and standardisation
• Improved information and metrics
• Security
• IT governance

Yes, IT governance is one of ING's key focus areas.

Addressing IT Governance at ING

The IT Governance Institute's Board Briefing on IT Governance (now in its second edition) encourages boards of directors to seek answers to questions such as:

• How does IT add value to the business?
• How often do IT projects fail to deliver what they promised?
• Does the board have a clear view on how much the enterprise invests in IT compared to its competitors?

The board of directors at ING does ask these questions, and it is a responsibility of the members of that board to ensure that the mechanisms are in place to provide answers. Sometimes, as with all organisations, the answers may make uncomfortable reading, but at least by asking the questions and finding out the answers ING is in a position to do something about identified problems and issues. Ignorance is only very short-term bliss!

So what is ING's IT governance structure?

IT Governance Structure at ING

The ING IT governance structure was recently profiled in a Gartner report, "Effective Governance by Design," and the model is shown in figure 1.

Within ING, a global IT governance structure has been implemented that meshes with its overall corporate governance structure. In this author's view, this consistency is essential to success. Indeed, the recent reports from the MIT Sloan School Centre for Information Systems Research also strongly recommend that IT governance structures integrate with the overall governance model. This helps ensure the strategic alignment of IT with the business—another important objective of IT governance. This structure is meant not only to improve the quality of the IT function but also to speed up decision-making.

Within the board of directors, this author is responsible for IT policy. The policy is set by the IT policy board, which this author chairs. Two additional main board directors also sit on this committee, thus ensuring proper interest and accountability for IT at the board level. The IT policy board consists also of the OPS/IT portfolio keepers of the three executive centres (ING-speak for divisions) and the director of the Corporate IT (CIT) staff department. There is also an IT leadership council, consisting primarily of business CIOs who advise the policy board. In addition, to demonstrate the seriousness that ING applies to information security, there is a separate information security steering committee that also reports directly to the IT policy board. The IT leadership council has three subgroups dealing with IT standards, IT architecture and IT infrastructure.

ING has particular challenges in many of these areas because of the plethora of inherited legacy systems around the world. ING was created out of a merger and has grown significantly through acquisitions. During the last decade of the previous century, business units, whether a forebear company or an acquired company, had a large degree of autonomy. This has had major advantages for the continuation of business as usual, but it has made it difficult to generate IT-related economies of scale and to leverage synergies and standards among the group. This strategy was abandoned in 2000 when ING rounded out its US position with two major acquisitions. Since then, the integration of systems and infrastructure has been a priority.

A key feature of ING's governance structure is the existence of corporate IT, one of ING's group staff departments responsible for policy preparation, the provision of IT advice to the businesses and monitoring the IT activity within the entire organisation. This latter activity is carried out by a small subgroup within CIT—the IT performance and investment management team.

In addition, there are application forums within the executive centres (divisions) to provide a mechanism for standardising functional application areas (e.g., CRM) across the businesses. The approach is to bring the demand (from the business) and supply (from IT) together to determine the optimum method to move forward.

Who Is Responsible for What?

This graphic shows ING's IT ownership model, which recognises the different needs and the different characteristics of ING's diverse businesses and provides examples of the responsibilities at each level (figure 2).

The IT Governance Institute emphasises that "you cannot manage what you cannot measure." ING fully endorses this adage. ING's IT governance structure, particularly its accountability to the businesses and to the board of directors, would not be able to function effectively without the provision of regular reliable metrics and benchmarks to help measure value, performance and industry comparability. This is where the IT value and performance team come in, together with the annual IT dashboard exercise.

How the IT Dashboard Helps ING

The IT dashboard process, which is carried out at the same time as ING's annual medium-term business planning exercise, provides the information necessary to:

• Enable ING, over time, to develop and compare the most appropriate metrics on IT spend, performance and value
• Help identify positive and negative trends and thus enable best practices to be shared and, where appropriate, managerial actions to be taken
• Enable direct comparison with specifically commissioned, peer group information
• Enable direct comparison of metrics among different business units
• Assist senior business and IT management to exercise their governance responsibilities over IT investments

IT Metrics

The metrics that are collected and analysed include the obvious yardsticks:

• IT costs by category and by activity
• IT staff numbers and costs analysed by activity
• Full-time vs. contract IT staff
• Outsourcing ratios
• Workstation costs
• IT intensity (IT costs as a percentage of total operating costs)
• IT related operational risk incidents (number and value)
• IT security incidents (number and value)

ING has paid special attention to develop metrics to follow-up IT projects and has come to view IT projects as IT-enabled business investments. The corollary is that ING approaches these projects as an asset manager would analyse an investment proposal.

For example, ING wants to know projections in terms of time until completion, budget and functionality. Before providing an approval, ING also demands financial transparency and risk/return metrics. This information, together with other metrics collected, including its own solutions delivery performance, results in a risk/return rating of ING's IT investment portfolio and its ability to actively manage the portfolio on the basis of the capability maturity model (CMM).

The data are collected from ING's own businesses and from a selection of peer group companies to enable ING to make cross-industry comparisons.

ING's IT Cost in 2003

In 2003, ING spent more than 2.4 billion on IT. This is approximately 18 percent of its total operational costs and 25 percent of its total banking business costs. The left pie graph of figure 3 shows ING's total IT costs by IT activity. The pie to the right shows IT costs by cost category—hardware, software, labour, telecoms and outsourcing.

ING employs more than 15,000 people around the world in IT-related jobs; this represents about 13 percent of its total workforce.

Given the amount of money and number of people involved, this author believes that ING is right to stress the need for excellent governance structures and processes. How else to ensure that the right things are being done with the organisation's resources and, as far as possible, the organisation is getting defined value from these investments?

How the IT Dashboard Helped ING with IT Governance

The metrics collected through the dashboard process are merely a means to an end. The results obtained from the analysis help to formulate the right questions and enable ING to focus on specific issues. The kind of questions and issues that ING has identified include:

• Why future IT expenditure predictions are out of line, in some cases, with the majority of competitors. (Further analysis will enable ING to decide whether this is a positive or negative thing.)
• The financial transparency of many IT investments is not as clearly defined as it should be; therefore, ING is not always clear on the returns expected from the investment being made.
• Anomalies have been identified in the IT investment portfolio in terms of risk vs. return. This requires further drill-down to ascertain the true and complete picture. This has led to a board-led requirement to reexamine existing IT investment portfolios.
• In common with many of its peers, ING is not as good at successful project delivery performance it should be. There has been a clear correlation between project delivery success and higher CMM levels. Therefore, the board has taken action to require all business units to attain a defined higher level within a specified and challenging time frame.
• Through the IT investment risk assessment methodology that is embedded into the dashboard process, ING now has a far clearer and more complete picture of where its major areas of project risk are. Hence, this knowledge feeds into an ongoing risk management processes.

An Investor's Approach to IT-enabled Business Investments

In IT circles, CIO stands for chief information officer. Asset managers and investors, however, think CIO stands for chief investment officer. ING has successfully mixed banking, insurance and asset management. Now, the organisation is mixing the roles of the chief information officer and the chief investment officer as well, taking an investor's view of IT-enabled business investments.

The straight line in figure 4 shows the financial return expected from a risk-free investment in government bonds. Any investor or asset manager would normally be interested only in investments that do carry some level of risk, with an expectation, of course, that the return would be higher.

To measure the return of ING's IT investment projects per risk class, a graph that looks like this one was created. As shown in figure 4, the rewards increase with the risks until one enters the high-risk category. This sort of analysis is helpful to explain what parts of the investment portfolio may not bring the level of return that might be expected. It helps to ask the right questions of business sponsors and of IT to identify problems early and take whatever remedial action may be required.

The organisation wants to make sure that every euro it puts into IT is part of a well-prepared, well-researched and measurable investment plan. The organisation manages and accounts for its IT increasingly as an investment centre rather than as a typical cost centre with a narrow focus on budget controls.

Shareholder Return in Insurance

An IT and shareholder return project was undertaken in 2002 by IBM and taken a step further by ING and IBM together.

William Pieroni at IBM's Global Insurance Industry division compiled a performance classification of 80 of the world's largest insurance companies covering, initially, the period from 1996 to 2002. Figure 5 shows how he determined a group of best-performing insurance companies in three steps. He used net premiums written, operating cash flow as a percentage of premiums written and operating cashflow as a percentage of assets, as indicators of premium growth, profitability and capital efficiency.

Total Shareholder Return of "Intelligent Growers"

Pieroni categorised the seven best-performing insurers as intelligent growers, 18 as efficiently-operated slow growers, 28 as potential intelligent growers and 27 as poor performers. As a group, Pieroni's seven intelligent growers—Aegon, AFIAC, AIG, AXA, ING, Munich Re, Northwestern Mutual— outperformed the major stock market indices, even when adding the more volatile years of 2001 and 2002 (figure 6).

IT Metrics of ING

A relevant question for IT managers is "has this outperformance anything to do with IT performance?" This is where ING entered the picture. ING's IT metrics included relevant IT data on 16 of the companies included in the IBM study. These 16 companies were also well distributed across the four IBM performance categories.

Combining the IBM and ING data results in the following picture; the best-performing insurers:

• Have a lower cost base (in terms of the ratio of operating costs to premium income)
• Spend more on IT
• Spend relatively more on IT development and less on maintenance
• Have higher outsourcing levels

It is not rocket science, but it is intriguing nonetheless.

New Development Cost/Revenue Growth

A comparison of the IT indicators of the best in class from the IBM study with those of ING shows that:

• The IT intensity within ING was directly comparable with the high performers.
• ING operated efficiently in terms of operating cost-to-premium income ratio.
• ING was well below best-in-class for percentage of expenditure on new developments.
• ING spent relatively significantly more on legacy system maintenance.
• ING took less advantage of outsourcing IT compared to its fellow high performers.

These results indicate that it was not ING's IT performance that put ING in the top seven best-performing global insurance companies. ING probably owes its high ranking to the successful mix of autonomous growth and acquisitions during the period covered by the study. The important thing is the lessons learned from the study. Looking forward, it is clear that ING could gain from investing more in new, strategic developments and less in legacy maintenance. ING could also benefit from a greater focus on targeted IT outsourcing. As it happens, ING was already moving in this direction with its operations/IT strategy.

Another important thing that was discovered as a result of the study is that this type of analysis is also a great tool for comparing business units within ING. As a follow-up to the comparison with peers, the approach was tested on a number of ING's own insurance business units. A pattern similar to the external study was found. Using the operating cost-to-premium income ratio as the performance metric, the internal analysis showed that:

• Higher performing business units generally had a higher IT intensity.
• Higher performers spent more on new IT developments and less on maintenance, albeit marginally more.
• Higher performers made greater use of external IT labour (including targeted consultancy).

Rethinking IT as an Investment Portfolio

These insights are valuable as they help to improve the organisation's IT decisions. However, it remains difficult to know precisely which types of IT investments should get priority. Therefore, ING decided on a further refinement of the study, applying the four categories—transactional, informational, strategic and infrastuctural—developed by Peter Weill at MIT Centre for Information Systems Research. Transactional investments aim to increase efficiency and to reduce costs. Informational technology provides the information for managing and controlling the organisation. Strategic investments are designed to increase competitive advantage, enable the entry into new markets or otherwise enhance revenue streams. Investments in infrastructure, e.g., a new operating system, do not usually in themselves generate any easily directly quantifiable financial benefits, however useful or essential they might be.

A study of the 16-company peer group indicated that higher performers invest relatively more in IT projects that fell into the infrastructure and transactional categories. The analysis of 184 internal projects led to the same conclusion: the higher performers among ING's insurance business units spent 79 percent of their investment budget on projects in these two categories against 60 percent for the lower performers. Furthermore, the higher performers spent 14 percent of their IT investment budgets on strategic initiatives compared to just 4 percent for the lower performers. Strategic investments do tend to be high-risk but potentially have very high returns. Therefore, they should take up a measurable part of a properly balanced investment portfolio.

Conclusions

ING believes that the IT dashboard and the IBM/ING research are both very useful. They provide knowledge and tools that improve the IT investment process and help to better manage IT expenditure.

The main conclusion is threefold. First, shareholder return is at least partly related to IT intensity, i.e., how much is spent on IT. Equally important is how the money is spent. There is econometric evidence for potentially good returns on IT new development activity. This is consistent with a recent UK study demonstrating total shareholder returns from organic growth based on research and development investment in the engineering automotive and aerospace sectors. In the short term, best shareholder return is generated by transactional (cost saving) projects because they emphasize standardisation and efficiency, which result in lower cost per transaction. However, strategic IT investments must also be pursued to create future revenue growth and to further improve sustainable financial performance for all stakeholders. Entrepreneurial companies, such as ING, are not risk-averse, but they strongly prefer to take a calculated risk. ING is a company that takes both corporate and IT governance extremely seriously and believes that it has taken some innovative and forward-looking steps toward the achievement of world-class IT governance processes. The organisation recognises that it still has a long way to go, but it is proud of what has been achieved so far.

With the success that can be demonstrated from its own IT dashboard analysis and the knowledge and the tools that have been developed, ING is considering the potential benefits to the organisation in providing similar IT value and performance services to other organisations as a commercial service. ING believes that the know-how it has acquired through its own initiatives over the last few years will be valuable to other organisations currently facing the same issues. The challenge to ING's team will be gearing up to provide this as an external service whilst continuing to maximise the benefits that are provided to ING itself.

References

Broadbent, M.; P. Weill; "Effective IT Governance By Design," (Gartner Exp Premier Report) ING Case History, January 2003, p. 42-45

Harding, B.; "Total Shareholder Return from Acquisition Growth based on R&D Investment," UK Department of Trade and Industry, The 2002 R&D Scoreboard, 2002, p. 8-32

Author's Note:

This article is based upon the transcript of the keynote presentation given by Dr. Alexander Rinnooy Kan at the ISACA EuroCACS Conference, Amsterdam, 24 March 2003.

Assistance from John Spangenberg and Paul Williams of ING Corporate IT in the preparation of this article is gratefully acknowledged.

A.H.G. Rinnooy Kan
is a member of the executive board of Amsterdam-based ING Group, where, amongst other responsibilities, he has direct responsibility for information technology.