Bring the board online with IT governance

The commitment of board directors to effective IT governance is vital, says Paul Williams. And if they fail to take the lead,...

The commitment of board directors to effective IT governance is vital, says Paul Williams. And if they fail to take the lead, they could have to face a lot of angry shareholders.

It was only after the 10-member board of software vendor Computer Associates International narrowly survived a fierce proxy fight that it realised CA needed to improve relations with customers and listen to investors.

The shareholder vote concluded a hostile months-long struggle for control of the New York-based company. In his battle to take control of the company, Texas investor Sam Wyly asserted that mismanagement harmed customers, shareholders and employees. Although the change of control was voted down, a spokesman for Wyly's Dallas-based investment firm, Ranger Governance, said he believes Ranger achieved its goals of forcing CA to become more accountable to shareholders and enhancing value.

Conflicts such as this send a clear message. Enterprise stakeholders want vigorous assurance that executives are using all possible measures to protect a business and position it for continued growth.

As critical business processes increasingly rely on IT, the benefits and risks grow exponentially. Because of this, senior executives and boards of directors must proactively address the governance of IT alongside their other governance responsibilities.

At its core, IT governance is concerned with two responsibilities. First, IT must deliver value to the business. Second, IT risk should be mitigated.

Boards and executive management need to provide the leadership, structures and processes that ensure the organisation's IT sustains and extends its strategies
"Business leaders frequently underestimate how strategically important IT is to the ongoing viability of the enterprise"
Paul Williams
and objectives. IT governance should not be an isolated entity, but should be integral to enterprise governance.

As discussed in my previous CW360.com articles on the subject, most companies appreciate at least the potential benefits provided by technology, but many fail to understand and adequately manage the risks associated with implementing and managing new technologies. Business leaders frequently underestimate how strategically important IT is to the ongoing viability of the enterprise.

One solution to increasing the level and rewards of stakeholder support is an effective IT governance programme. Implementing an IT governance programme is a good business practice that helps protect stakeholders. In fact, two-thirds of investors said they would pay more (up to 16 %) for the stock of an enterprise that was perceived to be well governed, according to the McKinsey Quarterly.

The investors noted that well-governed companies perform better over time, thereby increasing share value. Businesses with effective governance plans manage risk better and rebound from setbacks more quickly.

IT governance entails several activities for board members and executive management, such as keeping themselves informed of the role and impact of IT on the enterprise, assigning IT responsibilities, defining constraints within which IT professionals operate, measuring IT performance, managing risk and obtaining assurance of compliance with IT governance standards.

Non-executive directors can play an important role in encouraging and monitoring IT governance. Indeed companies without specific IT experience in the boardroom would be well advised to look for this knowledge to be represented in a non-executive capacity. However, historically there have been many instances where non-executives have been selected based on the old boy network rather than on their ability to bring specific skills and knowledge to their companies.

David James, a UK based "'company doctor" who recently gained a higher profile through his appointment as "undertaker" for the Millennium Dome has been particularly scathing about the role of non-executives. He is quoted as saying: 'The performance of non-executives has been lamentable. So many give comfort but do not provide a challenge. A non-executive does not need to know the answers, he needs to know the questions."

However, I would take issue with James and say that knowing the questions is not good enough. Non-executives need also to be able to understand the answers in order to ask the appropriate follow-ups and understand the implications for the enterprise. This implies a clear need for relevant IT experience to be represented in the boardroom, if not by an executive director, at least by a non-executive.

Two publications released by the IT Governance Institute address these activities by describing why IT has become critical to enterprise governance and how boards and management can address the issues and risks involved in IT. Board briefing on IT governance and Information security governance: guidance for boards of directors and executive management were developed by a global team of business and professional leaders and build on guidance documents from international regulatory and standards-setting bodies . See the end of this article for more details and how to obtain them.

Leaders of every business need to be aware of what's required for effective IT governance. "To provide effective direction and adequate controls for IT, leaders need to appreciate its risks and constraints. Boards should monitor executive use of IT in achieving the organisation's strategic objectives," according to John W. Lainhart IV of PricewaterhouseCoopers and a former inspector general of the US House of Representatives. "These board briefings help leaders understand their evolving responsibilities and roles in ensuring stakeholder expectations for IT are met and IT risks are mitigated."

His views are endorsed by Robert Roussey, international president of the Information Systems Audit and Control Association: "IT governance is a necessity, not a luxury. Organisations must be proactive in bringing IT governance to the board level. It is not smart business to wait for an IT-related disaster before taking action."

IT's implications are so critical that every board should have an IT committee, according to Stan Nelson, co-founder and chairman of information management group the Scottsdale Institute, and former president and CEO of Henry Ford Health System.

"Having an IT committee is at least as important as having a finance committee, and a case can be made that unless somebody's embezzling from the organisation, it's more important," Nelson says. "Finance is a matter of keeping score, which is obviously important, but it's not playing the game. IT is driving the business."

We will be returning to the subject of IT Committees in a future article.

Paul A Williams, FCA, MBCS, is immediate past international president of the Information Systems Audit and Control Association (www.isaca.org) and partner, Andersen, Technology Risk Consulting

How to obtain the IT governance guides:
Board briefing on IT governance and Information security governance: guidance for boards of directors and executive management, are available for complimentary download from the IT Governance Institute ( www.itgovernance.org/resources.htm). Print versions can be purchased from bookstore@isaca.org or by telephoning +1 847 2531545, extension 401.

Board Briefing on IT Governance and Information Security Governance were developed to build on guidance documents from international regulatory and standards-setting bodies, including Control Objectives for Information and related Technology (COBIT) 3rd Edition, an international and generally accepted IT control framework. COBIT is available for download from the Information Systems Audit and Control Association - www.isaca.org

Read more on Antivirus, firewall and IDS products

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.

-ADS BY GOOGLE

SearchCIO

SearchSecurity

SearchNetworking

SearchDataCenter

SearchDataManagement

Close