No one would challenge the idea that businesses are increasingly dependent upon information technology (IT) and information systems (IS) for handling even routine processes, let alone complex knowledge management. However, in many cases this increasing dependence on IT and IS has been associated with the proliferation of technology positions that report to – and support – a particular business unit of a company rather than being formally a part of the company’s IS/IT organizational structure. As a consequence of operating independent of the Corporate IT function, these groups have been left free to introduce programs and systems of their own choosing that are occasionally at odds with the direction set by Corporate IS/IT. There is a name for these informal IT individuals or groups that function in a decentralized fashion within business units — “Shadow IT.” The question that is now being debated in many corporations is how to deal with these informal groups. Should they be consolidated under the IT/IS department and thus report to the Chief Information Office (CIO), or are there greater benefits in leaving them decentralized? If the decision is that they should be centralized, what does that involve and how should that decision be made?
If consolidation is the choice made, on the surface it might seem that such consolidation of these Shadow IT groups would be as straightforward as simply requiring them to report to the CIO. However, given the nature of these groups, reality is typically not that straightforward. In order to understand what form the consolidation might take, it is useful to examine how Shadow IT groups emerged, the issues and risks to consider when addressing the question of consolidation, and the sequences of decisions involved in determining if the CIO should tackle the consolidation of the Shadow IT groups within Corporate IT.
The consolidation decision should occur as a decision sequence, a process that breaks a high-order decision such as “Shadow IT groups should be consolidated” into a series of smaller decisions. These smaller decisions operate in a stage gate manner in which making one decision allows one to proceed to the next decision. Going through this stage gate process produces higher quality decisions and ultimately a larger number of alternatives from which to select, thereby moving the decision maker closer to the optimum solution.
The Emergence of Shadow IT
As businesses have increased their dependency on systems oriented to timely access to information, as well as to the productivity improvements realized by the personal computer, the demand for services from the IS/IT department have often outstripped its ability to meet these needs. At the same time that quality technical skills were already stretched very thin–as they still are in many cases–the backlog of systems needed by business units increased each quarter. Consequently, business unit leaders began to look elsewhere to have their needs met.
During this time, technology vendors have produced tools to provide a common functionality of database, programming, and connectivity to meet the needs of the mass market. It has become much easier for business units to determine ways to take control of their IT needs internally, thus bypassing the IT department if they have to. As an example, people outside of IT would typically set up and maintain a department network, write programs to handle “small” departmental tasks, and build databases of information extracted from corporate systems.
In the late 1990’s, the Internet took hold in the American psyche, and businesses wanted to make sure they caught the wave. The increased demand for e-business occurred concurrently with IT departments’ worry about Y2K, Enterprise Resource Planning (ERP), and Customer Relationship Management (CRM) implementations. The risks involved in being unsuccessful in these areas left IT executives with very little time or attention to focus on anything else.
With the lack of attention from Corporate IT, business unit leaders increasingly looked elsewhere for technology support and in many cases created their own IT groups. Easy-to-use tools were available, thereby lowering the bar for skills needed to staff a company’s own IT team. Consequently, obtaining budgets for the creation of Shadow IT organizations was relatively commonplace. Once the budgets were in place, the technology operation needs (fix and repair computers, network operations, etc.) were met independent of the Corporate IT function.
The Consolidation Question
Quality Control and Accountability
The down side to technology needs being met outside of Corporate IT is the resulting lack of quality and system controls. Software systems frequently provide the basis of business decisions for management. Without appropriate quality control, business decisions may be based on incorrect information. Similarly, system controls and the overhead associated with these controls ensure the integrity of the data across the enterprise and are the basis for actions taken by internal management and external stakeholders such as investors. Recently, the Securities and Exchange Commission passed the Sarbanes-Oxley Act mandating the implementation of necessary system controls to ensure the accuracy and integrity of data appearing in financial reports.
Since the CIO is officially recognized as being accountable for all information systems within the company, he or she must answer the question of whether or not consolidating the Shadow IT groups into the Corporate IT department is desirable. In fact, it is necessary that senior management also be involved in this decision because it relates to overall strategy of the company. ( Therefore, the question is basically one of how technology is best governed within the enterprise.
The IT Governance Institute (www.itgovernance.org) defines IT governance as “a structure of relationships and processes to direct and control the enterprise in order to achieve the enterprise’s goals by adding value while balancing risk versus return over IT and its processes.”  Understanding the issues involved in making the decision about whether or not to consolidate all (or even just a few) Shadow IT groups into the centralized IT chain of command calls for a multi-faceted profile of what is to be taken into consideration, from structures of relationships and processes to business goal achievement.
The consideration of the structure of relationships and processes involves looking at the people in charge of the Shadow IT organizations, assessing their current levels of accountability in their decisions and actions, and determining how they are related to the Corporate IT function. Since we assume that technology is there to support the business unit, another critical area for consideration is the structure of relationships between the business unit and the Shadow IT Group.
Achievement of Business Goals
A second area to consider is how the Shadow IT function contributes to the achievement of enterprise goals. It is always critical to ensure that all units of an organization–Shadow IT organizations being no exception–are pulling in the same direction. These groups often run afoul of the enterprise strategy because Shadow IT groups are often at least one step removed from the organization and have fewer controls and less accountability than do other units.
A third area of consideration is the degree to which the Shadow IT group adds value to the business unit in which it is embedded. The business unit being supported needs to answer this concern. Shadow IT groups usually evolve out of a lack of responsiveness from Corporate IT. Thus evolution of such groups may serve as a barometer indicating the Corporate IT group’s quality. The Shadow IT group’s effectiveness may range from providing excellent support to raising significant issues that indicate a burning need for change.
Balance of Risk and Return
A final consideration involves looking at how the Shadow IT group balances risk versus return in its technology activities. This examination must reveal how well the costs associated with Shadow IT technology are being controlled, how well the technology investments are being managed, how successful the group is in managing the build/upgrade/run aspects of the application portfolio, maintaining the security of technology assets (including the data/information), and managing the risks related to business continuity.
Each of these four areas of examination may require analyzing an extensive amount of detailed information. At this preliminary stage, it is important that you be comfortable with the answers at a “High-Medium-Low” (or 2, 1, 0) degree of accuracy. By using information at this more general level of detail, it is possible to determine a composite “Governance Score” for the Shadow IT group. By multiplying each of the four areas, you will arrive at a composite score. This score can also be derived for the Corporate IT function for comparison purposes.
The decision sequence involved breaks a high-order decision such as “Should Shadow IT groups be consolidated?” into a series of smaller decisions. These smaller decisions operate in a stage gate manner in which answering one decision will allow you to proceed to the next decision. Only after all gates have successfully been passed can the primary decision be made.
The first three of these stage gates bring you to the point of answering the question “Should the Shadow IT group be consolidated into Corporate IT?” It is important to remember that each Shadow IT group under consideration would be evaluated independently of the others because each group will be unique.
The first three stage gates are as follows:
1. Is the Corporate IT house in order? This is a difficult and challenging question that the CIO must answer. While there is no perfect IT organization, the CIO must look in the mirror and identify where the strengths and weaknesses lie, where there is available capacity in terms of people, process, and technology, and what the ripple effects would be of taking on additional work. If the decision at this point is that the Corporate IT department can take on additional responsibility, the next stage gate can be queued up.
2. Can Corporate IT provide better support to the business unit than is being provided by the Shadow IT groups? It may be that the Shadow groups have everything under control, are providing sufficient support, are following the architectural standards as laid out by Corporate IT, and are providing development, maintenance, and operational support at the same level of proficiency as is Corporate IT. However, if the result of this decision is that Corporate IT can provide better support, then you can move to the next stage gate. The figure below depicts the evaluation of this as a “Governance Score.” By scoring both the Shadow IT group and Corporate IT, an objective review of the situation can be a developed, as well as identification of the groups’ strengths and weaknesses.
3. Do you want to consolidate the Shadow IT groups into Corporate IT? While the first two decisions are based on logic, this one is based on emotion and politics. The CIO’s current environment may or may not currently be conducive to absorbing the IT responsibilities of the business units. However, if Corporate IT decides to absorb the shadow groups, then you can move on to the next decision.
Once positive answers to each of these stages have been determined, the decision has been made to consolidate the Shadow IT group under consideration. The following questions start to frame the actions to take regarding this decision.
4. To what extent should consolidation take place? There are several levels at which consolidation can be carried out. At one end of the scale, consolidation may take place only in the areas which are in need of extra support, i.e., management, development or maintenance support, technology alignment, etc. At the other extreme, it may be necessary to completely absorb the Shadow IT into Corporate IT, thereby absorbing the staff, technology, and operational support currently provided by Shadow IT.
5. How should you approach consolidation to maximize effectiveness? This decision relates to how you should approach the consolidation itself. How much of this consolidation is related to managing change? How much is related to management and leadership? Understanding the areas necessary to impact decision making will help to determine the consolidation approach.
6. Can the consolidation be done internally, or should external expertise be used? As with the first decision, this one is internally focused. First examine what is involved in the consolidation: the number of Shadow IT groups that will be consolidated, the complexity of the consolidations, as well as the skills, time period, experience in this area and the risks involved in an unsuccessful consolidation. Then make the decision regarding whether or not to perform the consolidations in-house or to bring in external expertise for these consolidations.
The decision to consolidate the Shadow IT groups is not arrived at easily. The issues are complex and the business risks involved are significant. Shadow IT groups have come into existence primarily due to a lack of responsiveness from Corporate IT. While the priorities of the Corporate IT department may now allow for additional support and emphasis, the perceptions are likely to remain that Corporate IT will not be very responsive. These perceptions will have to be overcome with positive experience before any consolidation can be successful.
 Bradford Brown, James M. Kaplan, and Thomas Weber. “Recentralizing IT,” McKinsey Quarterly, Number 2 (2003): 19.
 J. W. Ross and P. Weill, “Six IT Decisions Your IT People Shouldn’t Make,” Harvard Business Review, 80, Issue 11 (November, 2002): 84-92.
 IT Governance Institute, “Executive Summary,” COBIT Implementation Tool Set, (2002). (Note: Access to this document requires registration with the website.)