
The expanding role of IT governance for utilities

Driving greater awareness and collaborative decision-making for important initiatives, risk management, and investment decisions

October 12, 2023

Utilities are acquiring more technologies and becoming more interconnected, which makes it more important than ever to bring IT into decision-making. Doing so gives the organization a consistent view of best practices and security that helps drive efficiency, optimize spend, and reduce the likelihood of breaches.

As utilities embrace digital ways of working, the need for IT governance grows.

Many utilities still work in silos, where business units (engineering, operations, customer service, field operations, IT, and so on) operate with a large degree of autonomy. But with the convergence of IT and OT over the last decade, more utilities have established formal IT governance committees.

The evolution of cybersecurity regulations and guidelines (e.g., the NIST Cybersecurity Framework 2.0) has made it critical for utilities to put in place the governance needed to act decisively when required. Many organizations share this goal, but reaching it is not without challenges.

Culture and change management hurdles

The siloed nature of utility organizations can set IT and the business at opposite ends of the table, with the business perceiving IT as imposing restrictions. As a result, business units make more homegrown or unsanctioned technology procurements that IT must later discover, support, and secure.

Cybersecurity, in turn, is often viewed as a technical issue rather than an integral part of the business culture, which can lead to a lack of funding, inadequate training for employees, and a failure to implement robust security controls. The friction is clear, and it breeds a culture lacking in harmony and trust.

A well-orchestrated governance framework can flip the narrative and produce proactive and inclusive engagement. When standing up an IT governance committee, it is critical that all groups within the utility can participate and have visibility across the board, so that each can understand and weigh in on the impacts to its own area and raise considerations for others.

IT standards and security best practices 

While most utilities have pursued digital modernization in many shapes and forms (e.g., mobile workforce management, advanced metering infrastructure), the scale and speed of adoption have not kept up with advances in technology and innovation.

Traditionally, this has been due in part to the varying speeds at which IT operating models have transitioned from an order-taking service hub to a strategic partner that works cross-functionally across the business and uses continuous delivery methods to deliver value for the customer and the business.

The pace of change and the growth of the technical backlog can be overwhelming and make it difficult for utilities to know where to start when establishing a governance structure.

What becomes clear is that without such a structure in place, a utility is unlikely to succeed at building or modernizing enterprise systems, adhering to cybersecurity best practices, leveraging data, and keeping pace with the evolving digital needs of the customer.

When coupled with the growing volume and sophistication of security incidents, the urgency to stand up governance that lets a utility act in a planned and prepared manner intensifies. Without a clear idea of where and how to begin, utilities will quickly fall behind.

It can be costly, and can run up against resource constraints, to catalogue and prioritize the most critical assets and vulnerabilities, assess the risk and its potential consequences, and ultimately identify and implement effective cybersecurity controls for a utility.

Recent cyberattacks on large municipalities in the U.S. provide a timely reminder of the ever-present risk. Meanwhile, impending and evolving regulations and guidelines (e.g., NIST CSF 2.0, FERC internal network security monitoring (INSM) requirements, the Cyber Incident Reporting for Critical Infrastructure Act of 2022, the TSA Cybersecurity Directive, the EPA Cybersecurity Assessment and Risk Mitigation guidance, and AWIA Risk and Resilience Assessments and Emergency Response Plans) are slated to bring new cyber resiliency requirements to bear, and have changed the need for governance from a desire to an imperative.

Having governance in place will be critical to assess requirements, design and implement controls, and maintain compliance with annual inspections/audits as applicable. 

Although the regulations provide direction for utilities, they also require analysis and planning up front to meet the guidelines, in addition to the ongoing work needed to stay in good standing. This takes considerable time from technical and operational experts who are often already fully allocated.

Staffing and resource constraints persist

As utilities navigate new technological developments such as artificial intelligence and machine learning (AI/ML) and face increasingly sophisticated cyber and data security threats, maintaining an appropriately sized and skilled IT organization to empower and advise the business remains a challenge.

In a recent survey of utility CIOs, two of the biggest enterprise struggles identified were:

  • The cost and scarcity of talent
  • The difficulty in integrating a digital vision with existing enterprise-level strategies because of the changes required in mindset, culture, business process, and governance

These challenges intersect in a familiar way: an IT team that lacks the staffing and technical literacy needed to support, advise, and equip business leaders in decision-making roles, and that is forced to do more with less.

Though the number of IT full-time equivalents (FTEs) as a percentage of total employees has risen to 6.8% over the last two years, an undersized and consequently overstretched IT team is still the norm. IT teams are preoccupied with keeping the lights on, and supporting enterprise projects is one more item on an overflowing plate.

Utilities seeking to establish or enhance IT governance should consider the following steps:

  • Determine the scope of processes and activities that the IT governance committee should establish and oversee (including IT strategy and investments, business case validation, benefit monitoring and realization, and overall decision-making authority on strategic priorities)
  • As part of scope definition, determine the level of adherence to an appropriate set of industry standards and guidelines (e.g., NIST, ITIL, EPA); this may tie in with the utility’s existing or future IT processes and policies
  • Determine appropriate structure and membership of committee (e.g., level/seniority, representation of business units), ensuring that adequate representation is given across functions that have a stake in an initiative’s outcome
  • Determine the cadence for governance committee meetings and establish a clear agenda that covers current and upcoming IT-related initiatives
  • Develop and finalize an IT governance charter that establishes a recurring cadence and a clear mandate in addition to the scope of oversight
  • Select ongoing or upcoming initiatives, projects, or activities to pilot and iterate on the initial agenda for governance (e.g., review of ongoing project trackers, intake of future projects, and investment priorities) 

Conclusion

The overall effort to stand up a new IT governance function or group depends heavily on the level of structure already in place. Some utilities have most of the components in place today and simply need to pull them together; for others, it will be net new.

The initial set-up may take as long as 10 weeks, depending on the maturity of the organization and the factors above. The committee should expect to keep iterating on the governance process, with a heavier lift during the first three to five meetings. This effort may also need to be preceded by defining accountabilities between stakeholders for key IT/OT processes if roles have not been clearly articulated.

Regardless of where a utility is in the process, setting up a governance structure will yield benefits, including stewardship of IT projects and programs. The committee increases transparency across stakeholder groups on IT needs, ideas, and projects, allowing for prioritization and collective decision-making. This reduces the likelihood of overspend on IT when there is consensus on the investments being made and commitment to results. IT governance also tends to improve staff productivity and morale: a governance strategy will likely shift the focus from break-fix to more proactive work, and standardization of equipment and applications drives efficiencies.

When IT governance takes root and becomes further ingrained in the organization, the utility will be better able to understand and adopt IT best practices and to reduce its exposure to cybersecurity threats.

Although a governance committee represents only a small part of the utility, the awareness and heightened standards it sets will, over time, spread throughout the organization.

Ultimately, the role of IT governance is to help the organization stay compliant with regulations and guidelines while making IT’s engagement with the rest of the utility more effective.