IT Governance – the Role of the Board

By Andre Griffith

“A lack of board oversight for IT activities is dangerous; it puts the firm at risk in the same way that failing to audit its books would.”

The above opinion was expressed by Richard Nolan and F. Warren McFarlan, both of Harvard Business School, in the context of companies investing in and using Information Technology. It should be appreciated that certain dynamics driving concerns about information technology are probably still in embryonic form in our local context. One such dynamic is the intensity of the use of the open capital markets and the concomitant obligation on the part of the Board of Directors to their shareholders for prudent management of the funds entrusted to them. From an IT perspective this has resulted, among other things, in concerns about the appropriateness of “mega projects” such as Disney Corporation’s “go.com” project (shut down after 878M in expenditure) or Nike’s 400M investment in software (subsequently written off as a disaster). In the local context, business executives in both the public and private sectors no doubt have their own horror stories to tell of IT investments, and even though in absolute terms the sums involved may be several times less, in relative terms the effect is similar and the frustrations are probably identical.

The obligations required of non-executive Directors have evolved over time, and the trend in the recent past has been for these Directors to be held progressively more responsible for the actions of executive management. Even though our national discourse on Corporate Governance is in what I consider to be its embryonic stages, I hold the view that it is better to change (for the better) in advance of the pack, and certainly before such change is forced upon us. We therefore continue our discussion of IT Governance with a look at the role of the Board of Directors.

Strategy Making

Many organisations will look to the IT executive to define IT strategy; however, it should be borne in mind that one characteristic of strategic courses of action is that, once embarked upon, the consequences of retreating from them are non-trivial. This is why strategy making is usually the preserve of the Board, and IT strategy is no different. In the cases of Disney and Nike above, the investments in IT were strategic decisions, and it can be seen that the amounts involved (and wasted) were immense.

Regulatory Compliance

Organisations offering financial services, such as banks, insurance companies and trust companies, are routinely subject to regulatory compliance requirements that need to be embedded in their IT systems.

However, financial institutions are not the only ones subject to these types of regulations; in some jurisdictions almost every public company is subject to compliance regulations that affect its information systems. One example is the set of requirements embodied in the Sarbanes-Oxley Act of the US which, with respect to internal controls, effectively demands certain characteristics of a company’s information systems, their implementation and their operation.

Insofar as non-executive Directors are now subject to ever-increasing personal liability for violations, their need for effective control over IT governance within their organisations is increasingly appreciated.

Apart from the above issues, which essentially pertain to safeguarding the interests of shareholders, there is also a whole area related to the privacy and security of sensitive information that has stimulated regulatory attention and demands compliance with information security guidelines. In late 2007, in Great Britain, it was discovered that the tax records of some 25 million subjects were lost when Her Majesty’s Revenue and Customs sent these records by post to the Audit Office. Ensuring that appropriate policies are in place concerning the secure storage of, access to, and retrieval of sensitive information is squarely the responsibility of the Board of Directors.

The responsibility of implementing those policies rests with executive management.

In our local Public Sector, institutions such as the Bureau of Statistics and the National Insurance Scheme function under statutes that in some cases mandate the privacy of information gathered during the normal course of executing their mandates. Added to these are security institutions such as the Guyana Police Force and the Guyana Defence Force, where much of the information worked with on a routine basis is of a sensitive nature.

To the extent that these institutions use computer systems to generate, receive or record sensitive information, the relevant governing entities need to become involved in their Information Technology Governance to ensure that appropriate policies exist to safeguard sensitive data.

The IT Oversight Committee

An essential mechanism by which a Board can begin to establish and drive the IT Governance agenda is to establish a Board-level IT oversight committee. While it is usually recommended that this committee be chaired by a person who is “IT savvy”, I personally believe that the only quality this person need have is the ability to demand that the IT executive present arguments that make sound business sense. In other words, it is the role of the IT executive to translate between the technology and the business and to present issues to the Board and its members in such a manner that these issues are easily understood.

It is my view that the easiest way to spot an “IT charlatan” is if you can’t understand what he or she is saying to you. There is, however, a real issue of having relevant expertise available to the IT oversight committee. This expertise needs to be separate from that of the IT executive who reports to the committee, since by definition the committee exists to oversee IT in the organisation. This issue (of expertise) stems from the realisation, in the wake of the WorldCom corporate governance disaster, that the Audit Committee of that company’s board lacked persons with the requisite financial expertise. If there is no non-executive director with a sufficient grasp of the IT issues, most entities that have IT oversight committees will engage an external advisor to sit on it.

Other stakeholders in the IT Governance structure include the Chief Executive Officer, the IT executive and, if necessary, IT steering committees that may be assembled from time to time to oversee the implementation of various initiatives. Despite our focus on businesses, our next article will examine IT governance in action in one of our local institutions.