If there is an area where board directors are feeling lost, it’s IT governance. Most boards recognize that they would benefit from a board briefing on IT governance because they recognize that the cost, complexity and consequences of IT issues are continually growing and manifesting in unexpected ways. In many circumstances, board directors are seeking a framework to help them develop IT policies that fit their companies well and assist them in their duties of overseeing IT departments and IT issues that could place the company at undue risk.
Plenty of IT issues continue to surface that cause board directors to lose sleep at night, including cybersecurity issues, denial of service attacks, competitive pressures to address IT issues and automating compliance with governmental regulations. The list goes on.
If board directors are honest, many are willing to admit that they’re often in the dark about IT spending and strategy. Board directors want to understand the full degree to which their operations depend on computer systems and the extent to which computer systems shape corporate strategies. They just haven’t figured out how — yet.
Lacking first-hand knowledge about how IT matters can affect the organization or how best to mitigate the associated risks, many boards feel that the best they can do is to watch how other companies approach IT governance risks, learn from their efforts and respond by implementing strategies that they hope will serve the company well.
Board Briefings on IT Governance Require Acknowledging That Best Practices Are Developing
The reality is that IT governance practices are still in the early developmental stages. Other board committees can readily rely on laws, regulations and industry associations as a resource for guidance and best practices, whether IT governance professionals choose to rely on them or not. Unlike audit committees and finance committees, there are currently no sets of accepted, sanctioned standards for IT governance. To date, there are no existing sister associations in IT governance that compare to the Generally Accepted Accounting Principles (GAAP) or the Securities and Exchange Commission (SEC).
It’s challenging, at best, to arrange for a board briefing on IT governance when there is an overarching lack of fundamental knowledge about IT governance. Without understanding such issues as IT risk, IT expense and competitive risk, boards aren’t able to fulfill their board duties in overseeing IT efforts and risks.
According to Richard Nolan and Warren McFarlan, who wrote a Harvard Business Review article entitled “Information Technology and the Board of Directors,” the lack of IT knowledge on the part of board members puts firms in a “dangerous situation” akin to failing to oversee their audit books.
Developing a Board-Level IT Committee or Not?
The Harvard Business Review points to a small group of companies that headed out of the gate early by establishing rigorous IT governance committees. Among the companies are Mellon Financial, Novell, Home Depot, Procter & Gamble, Wal-Mart and FedEx.
They formed board-level IT governance committees to assist the CEO, the CIO and senior managers in making better tech decisions, which also allowed for a regular board briefing on IT governance. The end result is that costly projects remain under control, which subsequently gives them a competitive advantage.
While some boards are developing a newfound interest in creating an IT governance committee, they question how challenging it could be to oversee technical topics that most of the board directors know little or nothing about. In fact, boards are rightly questioning whether an IT governance committee is right for them at all.
According to the article written by Nolan and McFarlan, there is no one-size-fits-all approach to supervising corporate departments and overseeing IT governance matters.
Nolan and McFarlan’s research tells us that only 23 of the Fortune 500 companies have formed IT committees thus far, with little consistency among them. The committees bear different titles, and that’s just the beginning. The committee charters vary substantially, as do the number of committee members, frequency of meetings, duties and responsibilities.
Among the companies that formed IT governance committees, there are 175 different duties listed in the charters, with three to 16 duties for each committee. The experts identified the five most common categories of targeted IT issues as strategic alignment, value delivery, resource management, risk management and performance management. These statistics clearly indicate that companies are still finding their way on how best to provide a board briefing on IT governance.
Evaluating the Corporation’s Stance on the Board’s Approach to IT Governance Oversight
At this juncture, boards should at least be starting conversations about what their approach to overseeing IT governance needs to be. Discussions should include the topic of how aggressive they need to be in pursuing IT governance oversight.
In developing IT governance policies, board directors will need to take into account the organization’s operational and strategic needs, as well as keep a watchful eye on re-evaluating their policies as the company’s needs change and new IT governance standards evolve.
According to the Harvard Business Review article, boards should take notice of two issues. First, they need to have a comprehensive understanding of how much the company relies on “cost-effective, uninterrupted, secure, smoothly operating technology systems,” which they deem defensive IT strategies. Second, boards must consider how much the company relies on IT to be competitive with peers through systems that give them added value through products and services or high responsiveness to their customers, which they consider to be offensive IT strategies.
Rather than considering how best to obtain a board briefing on IT governance, some boards may be better off letting their existing audit committees manage IT governance.
Since strategic alignment was by far the most cited role for companies that already have IT governance committees, this topic tends to be a driver for IT processes and delivering value. In addition, boards seeking to form IT governance committees may wish to entertain all five of the most common categories of IT governance as a starting point.
In closing, boards have a long way to go in developing appropriate ways of overseeing IT governance. What boards can do in the interim is to make the best use of digital technologies, such as a board portal and a secure communications platform for managing board business, and consider board briefings on IT governance a work in progress.