Shadow IT Part 2

The Illusion of Control

Baxter Thompson Ltd, Jon Baxter


According to a survey of nearly 400 CIO’s by Logicalis in 2015, nearly 1 in 3 CIOs are bypassed ‘often’, ‘very often’ or ‘most of the time.’ (on technology decisions) . This is the second in a two-part post where in the first post I take an example, and give some detail considerations that could guide our immediate response to business partners. The second post looks at the impact on the role of IT in the context of the growing trend of Shadow IT. For the impact on the role of IT I suggest despite our desire to control or lead the decision-making process, control is a distraction. In fact, it is a much more nuanced approach based on various business and technology considerations, and the acceptance that third party provision of IT services will form part of the business and IT strategy. In order to engage effectively with business partners on this subject, we need to become “Advisors” and “curators” of technology and data. This requires a mind-set change for both IT and business, the building up of governance capabilities and additional competencies that align very closely to Business Relationship Management.  


According to a survey of nearly 400 CIO’s by Logicalis in 2015, nearly 1 in 3 CIOs are bypassed ‘often’, ‘very often’ or ‘most of the time’ (on technology decisions). As information services become more accessible and business users become tech-savvy, the ability for the IT leadership to lead and influence the direction of Technology could be undermined. Is this an issue?

The Illusion of Control

One of the common symptoms experienced is the conflict between departments over the “rights” to control Technology and data. In some instances, based on the considerations below, it could be that a Business Partner may have more liberty to determine what technology and data is deployed. However Business Partners typically are not technology or data experts, nor do they have a holistic view of the business. To delegate this expertise can represent the business with a greater risk and lack of opportunity later.

Vying for control by applying such mechanisms as preventative policy, lack of communication, creation of silos and overlapping capabilities detracts energy, and attention away from realising the business strategy - causing significant amounts of inefficiency and organisational stress.  (I discussed this in another post titled “Marketing and IT: Conflict or Collaboration”.)

Hence the conflict is often seen as “use the IT Department”, “use the third-party supplier” or “own the supplier relationship” for a particular service.

The consequence of this seen through this lens is an issue as it is a not a “win-win” situation but a “win-lose” situation for either party. What are the considerations required to turn it to “win-win”?


  1. Type of business: Using the BCG matrix perspective, is the company a “Cash Cow”, “Dog”, “Star” or “Problem Child”? What is the business strategy as a consequence? Impact: A “Star” will require agility to grow quickly. This may mean third-party services can be quickly adopted or dropped depending on their utility. However certain oversight and governance may need to be in place to manage business risk and funding for integration where required.
  2. Business structure: Is the business a sprawling corporate or an independent business unit? Impact: An independent business unit based on product or geography may well have significantly different requirements to another and therefore require different Technology solutions. This may mean that IT Provisioning and Governance needs to be decentralised with a more open policy to third-party services. The extent of which is determined by the amount of commonality of technology and data that delivers value to the business.
  3. Business Value and Risk. Where is the business value and risk? What are the key differentiating capabilities in the business that drive customer value? Where do the implicit technology and data capabilities feature in the “value chain”? (see my previous “Shadow IT part 1” post).  Impact: If more business value is locked up in technology or information, then the required level of competency in management needs to rise as well as the level of governance required.
  4. Common systems and data. What is the potential for technology and information commonality across business units / departments? What is the amount of value a modular solution and scalable architecture brings to the business strategy? Impact: Here, as discussed in my previous “Shadow IT Part 1” post, considering what is core technology/data and non-core is essential. I suggest that core systems and data need to be kept within the business boundaries.
  5. Agility and innovation at the same cost as suppliers. Can the IT department deploy technology quickly and rapidly integrate new data streams into core systems as a service? E.g. virtual machines, agile software development, or ready-made software stacks such as Bitnami.
  6. View of the Business Partners. What is the attitude of the business partners to IT? Is it a question of avoidance and maximise control, or more open collaboration and partnership?
  7. View of the CIO. What is the view of the CIO and their role in the business? Is the view that Business Partners don’t understand the impact of what they are doing and controls need to be in place to minimise risk? or is the view more towards an open style of being curators and advisors of technology and data?

Points (6) and (7) are key to the debate. If there is a lack of trust or credibility then there will be low engagement about technology and data from the business partner. Having this engagement in place will allow a meaningful conversation about points (1) to (5)

The Third Way

As discussed in my previous post “Marketing and IT: conflict or collaboration”, The key point is understanding that to deliver the business strategy, one needs to understand the IT department’s key strengths and then collaborate based on those strengths.

For the IT department, strengths can be, say, the provisioning and service delivery of core systems, integration of non-core Systems and data. If the perception these particular areas are weak then the mandate is clear: Improve the IT capability before demanding a particular approach or “owning the relationship”.

For the Business Partner, strengths can be provisioning of subject matter experts (e.g. marketing, sales, finance etc.), process fulfilment, operations management, long term planning.

It could be that the IT strategy is not to invest in some types of capabilities and therefore the adoption of some third-party services will be a necessary component of the business and IT strategy. Hence there is a third way where all three parties – Business Partner, Supplier and IT Dept. contribute their individual strengths.

Key point: Third party IT services are becoming more accessible, more numerous and are fulfilling a variety of new requirements that are inevitably going to attract more tech savvy Business Partners. The IT Department cannot compete with third party suppliers on all of the strengths, in all of the niches on all fronts at all times. I believe for most organisations, a blended approach is required.

However, delivering the business strategy is based in part on organisation change management, risk management, portfolio management and governance. The lack of these strengths or capabilities, irrespective of where they are placed in the organisation is often an oversight whilst Business Partners and IT function slug it out for the illusion of control.

Becoming Curators and Advisors of Technology and Data

The real value to Business Partners is not necessarily the provision of IT management and control but the consultation to enable the Business partner to achieve its business objectives.  In this sense the IT department becomes Curators and Advisors of technology and data. For this to happen governance capabilities need to be adopted as shown in the diagram below.

Diagram derived from content at BRMI

Building these capabilities often requires a mind-set change for the Business Partner and also the IT Department who are both sometimes more focused on service delivery and operational issues than future planning and taking a broader view across the whole business.

To enable these capabilities also requires an additional resource, either in terms of additional role to existing headcount or new people joining the organisation, as there are additional activities to be done.

Key point: I believe there is a strong case for the role of Business Relationship Management to be enabled in the organisation as a consequence of Shadow IT. The BRM role has the competencies that match to a lot of the governance capabilities outlined above.

Roles and responsibilities are key in understanding how the third-party supplier is going to interact with the partner and IT organisation. If the situation was a classic conflict between who “owns the relationship” then the roles and responsibilities tend to be very narrowly focused. However, if there is a more enlightened view, then the discussion about roles and responsibilities will include the activities, the respective skills of the people involved and their contribution.


So fundamentally, The CIO is left with a choice.  On the one hand, one can adopt a laissez-faire approach or try to fight for control. On the other hand, to accept that third party IT services are part of the strategy. They are more numerous and are fulfilling a variety of new requirements that are inevitably going to attract more tech savvy Business partners.

Engaging Business Partners on this topic, we have to demonstrate capability to curate and advise on technology and data, which means building up capabilities in the organisation so that business partners can have confidence in our advice and delivery.

The right level of competency in business relationship management can be one of the larger jigsaw pieces in the bigger picture of how the IT department can add value to the organisation. The investment required is not just financial or in resource – it’s in influencing business partners to adopting a different approach and building up capabilities over time.

How Baxter Thompson Associates can help

We help IT understand the opportunity with business partners through our Reconnaissance for IT framework and can help implement a business relationship management capability to ensure that the Value in IT is delivered. The framework includes the criteria mentioned in this post and is applied though a short diagnostic comprising mainly of interviews and workshops. The outcome being a report on recommended changes, options and a business case for implementation. We also provide training, coaching, recruitment and change management.

Back to Top