CEO: "What? How could we have spent so much money in the past year on making sure we're compliant? What about funds for technology to support new business? New customers? Innovation in new product development? We're losing market share and dropping profits off the table like crazy. International competitors are starting to eat our lunch!"
CIO: "What would you have us do? You told us to absolutely, positively keep you out of jail and do everything possible to save you. Doing everything possible is very different from doing everything reasonable. Which is your top priority: high competitiveness with reasonable efforts toward compliance, or absolute compliance with spending on competitiveness coming second? Pick one."
CEO: "Dang."
What kinds of conversations are your CIOs having with your CEOs? In my experience, it is the rare CIO who is willing to push back against a corporate leader the way this one did. In fact, many IT organizations have lost their way completely because they don't have the backbone to fight. Why? Because of the Sarbanes-Oxley Act (SOX) of 2002. Since the enactment of SOX, which has caused some of the most significant cases of unintended consequences in the relatively short history of IT, auditors exert far too much influence on the project priorities of IT organizations. However, you can keep auditors happy by understanding the requirements of compliance and practicing legal and honest business operations. Here, I share ideas about the state of compliance and the unique challenges facing IT.
What comes to mind when I say "Enron?" Corporate corruption? Unscrupulous executives? Fortunes lost? SOX was a direct result of the Enron situation. Just as one guy (Richard Reid, the "shoe bomber") forever changed the process of boarding planes in the United States (now people have to expose the holes in their socks and stand in "stinky" security screening lines), Enron has made things far more smelly in IT departments as managers try to keep auditors at bay. Because of the shenanigans of a very small percentage of corporate executives, businesses now have to deal with onerous, costly, and very low-ROI regulation and oversight related to quality and integrity in financial reporting.
Without dissecting SOX, I'll point out that the one thing that gets the most attention is this: key executives in publicly traded companies can be held personally liable for criminal prosecution should the financial statements of their enterprises be purposely released with false, misleading, or knowingly inaccurate information. Simply stated, your CEO and CFO, and maybe even your CIO, could go to jail just as Enron's executives did. However, are the steps corporate executives take as a result of regulations such as SOX (all good intentions aside) in the best interests of businesses? Maybe.
As we learned from Newton's Third Law of Motion, for every action there's an equal and opposite reaction. However, in the world of politically motivated compliance and regulation, SOX has created exponential consequences. Politicians acted, business executives motivated by fear reacted, and IT professionals have spun out of control trying to deal with the result. The unintended outcomes of this chain of reaction have caused businesses to spend billions of dollars to fix a problem that existed in only a tiny number of companies. In the most extreme examples of situations like this, I've seen enterprises completely turn their businesses over to auditors, who seem to take dark joy in pushing IT folks to jump through ever-shrinking, ever-rising hoops in the name of compliance.
Fear is a strange but powerful motivator. The movie The Secret has swept across the world in the past couple of years. It professes to offer the inside track on how to become successful. The film repackages long-known beliefs related to positive thinking. The producers call their secret "The Law of Attraction" and say that by following this law, you focus on what you manifest. Concentrate on debt reduction? Well, you're focusing on debt, so you wind up with more debt. Try to keep the auditors happy? You'll be audited more frequently. What's the lesson here? Instead of focusing on auditors, concentrate on doing what's legal and honest, and you won't need to worry.
Taken to the extreme, approaching the problem backward creates all kinds of layers of watching. It reminds me of a Dr. Seuss story in the book Did I Ever Tell You How Lucky You Are? It's a collection of tales related to jobs you really don't want to do. The part I'm thinking of is about a Bee Watcher in Hawtch Hawtch. The town bee is not producing, so the community hires someone to watch the bee to make sure it's doing what it's supposed to do. Unfortunately, the bee does not improve its performance. So what's the corporate decision? Hire someone to watch the watcher. After all, the watcher must not be doing a good enough job. Alas, the bee still doesn't produce. The solution? Get a watcher to watch the watcher and so on and so on. Ultimately, the story ends with a long series of watchers, each watching the watcher in front of him, and still the town bee doesn't produce.
So what's the answer? Neither mandating compliance nor sending more auditors is going to be effective for the long term. Just as your kids realize that you'll eventually soften your stance on the two-week grounding you gave them for staying out an hour late, simply using the because-I-said-so approach eventually runs out of steam.
Another very different tactic is possible, and I believe it is the one that has the long-term ability to stick around permanently: We need to tackle our work differently in IT than in other fields. IT leaders must instill a passion for quality and professionalism in IT project delivery.
As evidence that we need more zeal, excellence, and proficiency in IT projects, witness the results of an oft-cited 1995 report, as well as the same report from 2006. The Chaos Report from the Standish Group noted that in 1995, a total of 31.1 percent of all IT projects were cancelled before they began, and that 52.7 percent of the projects in the mid-1990s cost 189 percent of their original estimates. On the "success" side, the report indicated that only 16.2 percent of IT projects were completed on time and on budget, meaning that a whopping 83.8 percent were not. In large companies, the success side was even worse: only 9 percent of projects were completed on time and on budget, leaving a 91 percent failure rate. In addition, 52.7 percent of IT projects in the mid-1990s failed to meet end-user expectations. Wow. The mid-1990s were the heyday of IT, when everyone received 10-15 percent raises each year, and unemployment was in the 1-2 percent range for IT. Talk about not being paid for performance.
How is the industry doing now? In its most recent release of the Chaos Report in 2006, the Standish Group indicated that the profession had "improved" all the way to having 35 percent of projects labeled as successful. So in about 10 years, companies had moved from almost 84 percent of IT projects failing to meet expectations of time and budget to only 65 percent of projects failing. The industry also improved to only 46 percent of projects failing to meet end-user expectations as opposed to nearly 53 percent in the mid-1990s. Egads!
I've mentioned this fact several times in IT-focused seminars and workshops I've led, and I get a "yeah, so?" kind of response from way too many of the attendees. What? Everyone in the IT community should look at this report and react with words like "unconscionable," "unbelievable," and "we're mad as heck and won't stand for it any longer!" But they don't.
No wonder the U.S. Congress took legislative action related to compliance, what with unscrupulous executives (a few) and IT projects regularly failing (a lot) to meet expectations related to quality, cost, and time. Maybe the auditors did need to swoop in and clean house, but that's not the long-term answer.
What if the industry had taken a different view as a group and truly acted as a profession? What if IT pros had looked at these results the same way a group of medical doctors, lawyers, or professional engineers might? Can you imagine 65 percent of surgical procedures failing to meet expectations or 65 percent of bridges collapsing or 65 percent of the laws being unreliable?
Ancient philosophy can be a great teacher. After all, humankind has wrestled with the same issues for the past 10,000 years, and I'll bet it will still be dealing with these kinds of problems for 10,000 more. One of my favorite lessons is this: When asked how to teach people to build boats, the philosopher said, "You don't teach people to build boats by taking them into the forest, showing them trees, giving them saws, hammers, and nails. You teach people how to build boats by instilling in them a love for the sea."
How do you create a higher level of success related to IT projects? Issuing compliance mandates is one way, but again, it is not a sustainable model. It works for a while, but after the cat's away, the mice will play. I believe it's time for IT leaders to instill a passion for quality and professionalism in IT project delivery. Managers need to build and deploy IT solutions in a way similar to how people design and build public infrastructure. Maintenance questions aside, you rarely hear about bridges that collapse or surgeries that fail due to gross negligence. In these exceptional situations, the engineers and doctors make headlines because Americans generally have high confidence in such professions.
The same cannot be said about IT.
Yes, there will always be unscrupulous business types who are blinded by profits or personal gain. However, with real professionalism in the IT department, the rotten apples won't circumvent the systems. No way.
It's time to push the auditors out the door by being accountable and by actively deciding to do a better job. Fight back against business executives who want you to install different technology or use shortcuts in IT processes simply to save money. Get very close to a 100 percent success rate for projects in meeting time, cost, and user expectations.
Be loud. Be proud. Be professional.
Robert S. Tipton is president of R S Tipton, Inc., and a long-time contributor to System iNEWS magazine. His book Untangling IT: 25 Years of Lessons in Effective IT Leadership (available at the System iNetwork Bookstore at pentontech.com/education) and R S Tipton’s workshops and consulting services focus on designing and facilitating transformational change and higher levels of effectiveness through innovation, inspiration, and common sense.