Know the risks and take charge

Getting the board to support IT governance is tough, but scary stories and non-executive directors are powerful allies, writes Julia Vowler.

Interest in IT governance has shot up in recent months. In December 2002, a joint meeting of the CW500 Club and the British Computer Society's Elite Group was packed with IT directors from some of the UK's largest companies keen to find a way through this difficult problem.

The reason for the sudden interest is clear: the combination of increased legislative focus on corporate governance, such as the stock exchange's Turnbull Report; growing post-Enron scrutiny of accounting practices; and the chilling spectre of cyberterrorism is beginning to increase business focus on the issue.

Despite this grim catalogue, IT governance also embraces the vision of corporate IT as the engine of business growth and shareholder value.

But effective IT governance is a problem because many senior business managers still do not appreciate that IT can make or break a company. Moreover, IT governance is not something that can be done in isolation by the IT function; general corporate governance needs to be explicitly extended to embrace IT governance.

Getting the board to make that essential extension can be a sticking point, and all too often reflects its indifference or impatience with IT altogether. As ever with IT, getting the board's attention is a tough challenge.

Emphasising the risks of not including IT within the current concern over corporate governance can be the most persuasive argument initially. Reminders about loss of reputation when Web sites fail or hackers intrude, the legal risk in rogue e-mails, and even warnings on terrorism can hit home harder than spelling out how good governance supports well-run IT that creates business value.

It is, as ever, essential that the case for IT governance be put to the board in non-technical language. The message has to be about risk mitigation and value maximisation. Just as important is making it clear how critically dependent the company is on IT, something that is not always appreciated. In the uphill struggle to make the board embrace the need for IT governance, the IT director does have several allies, however:

  • The media has the ability to focus the executive mind on how poor IT governance can damage a company's reputation

  • The company auditor - following the scandal involving Enron and its auditor Andersen - is likely to be excessively diligent, and both internal and external auditors are keen to be seen as squeaky clean. The only caveat is to ensure there is no potential conflict of interest between the role of the external auditor and the IT consultant from the same company. Keep them separate

  • The non-executive director is a role that is likely to grow in the future. As an outsider, he or she can ask awkward questions, challenge chairs, breathe fresh air and question assumptions. He or she could make an excellent sponsor to put IT governance on the boardroom table. A non-executive director with IT experience is even better, though probably still a rarity. Moreover, the chairman of the audit committee is often a non-executive director.

There is no point getting board attention for the matter of IT governance without having done the groundwork on what needs to be included. Best practice on the subject is accumulating, including comprehensive questionnaires and lists of what IT governance must cover (from "How late are your projects?" to "Is IT strategy aligned with business?"), such as those from the IT Governance Institute.

This culminates in Control Objectives for Information and Related Technology (Cobit) which provides the framework and process for identifying and achieving the goals of good IT governance. It also includes a maturity model (zero is total ignorance about IT governance, five is confident best practice) so that companies can assess their status in respect of IT governance, and set targets to move higher.

It is at this point that the issue of cost arises. Achieving good IT governance is not free. It has to be paid for both in setting it up and in maintaining it. Figures of 10% to 15% of IT budget are mooted, depending on the complexity of the company. But the payback comes, of course, when IT-dependent business risks are avoided thanks to good IT governance and business value is achieved faster because IT is well run and delivered at maximal efficiency. There is even the added bonus that organisations achieving Cobit are faster (and therefore cheaper) to externally audit.

What IT directors say about IT governance
IT directors attending the recent seminar on IT governance organised by the Computer Weekly 500 Club and the British Computer Society's Elite Group highlighted the key issues affecting them.

  • "We went through the questionnaire approach. We now have a framework of governance, fixed issues and agendas, and we've picked one domain of Cobit to backfill so that the auditors can get independent evidence of [our IT governance]"

  • "Our external auditors recommended that the governance programme focused on IT"

  • "In our case, the cost [of setting up an IT governance framework] was not the top item in the way we approached it. Any director is interested in effectiveness as much as cost-justification, but yes, [costs] were a pressure on us"

  • "How much management overhead [should be devoted to IT governance]? We can learn from engineers. There are processes which produce planes that fly safely, so it can't be economically unmanageable"

  • "Is there a conflict of interest between the audit function having consultancy attached? There is a massive conflict. We've stopped it"

  • "External threats are a key [persuader]. IT in-house can't do it alone"

  • "Non-executives can be very positive. In our company a lot of initiatives come from the non-execs. The IT literacy on the board is diabolically poor; there has never been a fundamental understanding of the value of IT as an asset at board level"

  • "If it means going to jail, the board will discuss it. But [IT critical] issues are pushed back until they become a crisis"

  • "I need 10% of my IT budget to work in a manner that complies with governance standards"

  • "You could need double the number of staff [to set up the framework] if you are globally dispersed."

More information is available from the IT Governance Institute, which has case studies, board briefing papers and details of Cobit (

IT Governance for IT Leaders is a one-day conference, supported by Computer Weekly, on 29 January at the Royal Society, London (
