Boards and IT who cares and does it matter Information Communication Technology

Lack of director experience in information technology - or just plain ignorance - is an increasing problem in the technology age Boards and IT.

who cares and does it matter?

Lack of director experience in information technology - or just plain ignorance - is an increasing problem in the technology age, says Marianne Broadbent*

Guess which elective session filled fastest at the recent AICD conference? You might be surprised to find that it was the one titled 'Boards and IT Governance: Who cares and does it matter?' How could such a potentially boring topic be so popular?

Perhaps the answer lies in fear of the unknown - or the fact that very few of the top 100 Australian boards have even one board member with top level expertise in integrating IT into business processes or envisioning how IT might be changing their industry. (The boards of government agencies and some mid-sized companies actually seem to fare better).

Just a few boards have a CEO or former CEO from an IT company, though you could argue that this is not nearly as helpful as understanding how companies really get value from IT-dependent initiatives.

In "A Missing Competency: Boardroom IT-deficit", research firm Burson-Masteller reported that among the global Fortune 500 companies just 5 percent have a CIO or former CIO on their board, almost always in a non-executive director position.

These companies - including Wal-Mart, Tesco, GUS, and DuPont - tend to have innovative IT-based systems and, on average, delivered annual returns 6.4 percent above their industry average.

Is this yet another area board members are supposed to deal with? The answer is a qualified yes, in the sense that boards do deal with big decisions, they need to understand and monitor risks, and they have a role in at least endorsing company wide policies.

Information and IT assets are now just one asset class among others that companies deal with - other include as financial assets, people, intellectual property, customer and supplier relationship assets and physical assets. But increasingly, if not managed appropriately and well integrated into the business they leave organisations exposed to huge risk and competitive disadvantage.

IT-enabled business initiatives are big and often risky decisions

The business significance of information and technology capabilities and assets is now very high. We all know when any of the bank's systems are down for any length of time. Channels to customers, links to suppliers and cashflows are now just about all online for many organisations. Yes, IT does matter. We also know of many examples where there is a big disconnect between business directions and ambitions, and the ability of company's information systems and technology to deliver.

There are many more IT-influenced business risks, such as expectations around security, and business continuity and disaster recovery requirements. And let's not forget the increasing demands of privacy legislation and compliance.

Investments in IT-enabled business initiatives and IT infrastructure - whether owned or sourced elsewhere - constitute big investments which, by their nature are risky. They are also critical to get right as they are no longer just backroom functions, but are now the direct conduits to customers. As British Airways CIO Paul Coby says: "We are not about the backroom, but the frontline in every customer interaction."

But how well prepared are board members to probe - appropriately - the issues around the company's information and IT assets. This includes a good understanding of mutuality between business and IT executives, the ways in which priorities are assigned, and how major initiatives are assessed at board level.

In talking with both Australian and UK-based non-executive directors over the past few months there seem to be several different schools of thought and practice, and a number of concerns and questions emerging.

As one leading chairman phrased it: "It's all about how I construct an agenda." What he meant by that was that big issues get top priority in terms of time and location on the board's agenda. So if it's big and important or big and ugly then it is there. Issues around the current status of IT-enabling the business was regularly on the agenda because it was a significant part of strategic developments.

At the base level it's about

CAPEX and risk management

At a base level, significant initiatives which are IT-enabled or IT-defendant come to the board as large capital expenditure decisions. They need to be assessed in the same way as other major initiatives are assessed.

It's about managing risk. Ever since the events of 911, board members are much more conscious of the need to have business continuity plans in place and tested. Many directors have indicated that about 20 percent or more of their audit committee time and energy is spent on reviewing IT-related risks. Now there are many more IT-related risks - getting security and privacy right, ensuring compliance.

At the mature level it's

about leveraging information

and IT assets

The fact that large IT-related investments are increasingly treated just like other major investments is both a good and a bad thing. It's a good thing if the board and executive have a mature and honest approach to the real costs of developments, especially ongoing costs. It's a good thing if they understand the criticality of checking that there is a realistic benefits delivery program in place. It's a bad thing if the company doesn't have a high level of focus on ensuring accountable business sponsors are named and that their rewards and bonuses are linked to benefits delivery. It's a bad thing too if the board and executive lack discipline in monitoring timeliness and costs during implementation.

In that sense, approving and monitoring of IT-related business expenditure is no different from other investments. It's worth saying too that it's no different in requiring some level of expertise to properly assess a major initiative. Boards have expertise in assessing the strategic, financial, and legal aspects of major business developments - depending on the industry, it might be a new mine, major capital raising, an acquisition, closing a line of business, launching or relaunching a product or brand, or signing a major alliance.

However, it seems they don't always have expertise at the same level in envisioning how better IT-enabled business can improve positioning

So who does care?

In their thoughtful recent book Back to the Drawing Board, Carter and Lorsch argue that the discussion around diversity and boards has been too narrowly focused. Canadian academic and adviser Richard Leblanc, who has completed extensive work into board effectiveness, includes technology as one of the under-rated and under-represented capabilities on boards. And even Stephen Mayne of crikey.com.au lists expertise in the business uses of IT among areas under-represented on boards (though I'm not sure that is a plus for the readers of this article . . . ).

The Fortune 500 companies who have a CIO or former CIO on their board makes interesting reading. As mentioned above, they include companies like Wal-Mart and Tesco - generally regarded as "breakaway" companies. They are also companies where the business and IT strategy and execution are very much interwoven, where IT does matter, where the business is heavily information and IT-enabled, and where IT-related risks and rewards are high.

And what are (some) boards

doing about it?

First they are treating information and IT investments like other major initiatives. They are asking the same sorts of questions and are not afraid to ask "dumb questions". They are ensuring that every initiative has a named business sponsor or owner. They are checking that a "benefits" or "value realisation" process is in place - and that the delivery of the benefits is linked to the performance appraisal and reward system of a senior executive. Of course if this level of discipline is not in place for other types of initiatives, the risk levels are even higher.

Second, some enterprises, such as Bendigo Bank and Centrelink, have established board level IT committees, alongside their audit, risk and other committees. The IT committee has a charter and clearly and simply stated scope and responsibilities.

Non-executive director and former CIO Chris Gillies has been instrumental in working with both these organisations to ensure the necessary board level capabilities and processes are in place. (It is also worth noting that these capabilities were instrumental in the Centrelink Board questioning the Federal Government's "one size fits all" approach to outsourcing and the subsequent major change in the Government's sourcing approach).

Third, boards are ensuring that the CIO, or most senior executive responsible for business-driven IT strategy and service delivery is someone who really understands the business.

In at least two cases cited in interviews, a CIO's presentation to the board resulted in significant concerns about how well that executive really understood the business and what level of risk the organisation was exposed to as a result. In one case the services of the CIO were subsequently terminated. In another the CIO was regarded as having considerable potential but in need of further development. In the latter case the developmental opportunities were put in place, and 15 months later, that person has now been appointed to a line of business role. This is not about usurping management's role, but monitoring the capabilities of the executive team and managing risk.

Finally, boards which have an astute appreciation of the criticality of information and IT to their business are checking to ensure that good business governance processes are in place to enable the company to make better and faster decisions. We know that clarity and transparency around input and decision rights and in accountabilities really matters. Some boards are checking to see that, just as they have sound financial governance about who has what rights and accountabilities, so they are checking a few key decision domains around the governance of information and IT.

The challenge of comfort zones

The mere act of questioning non-executive directors about how the boards they are on are dealing with significant I and IT issues has been something of a catalyst.

In the words of a very senior UK-based chairman and non-executive director: "The most important question is - am I doing enough, is my apparent complacency justified or is it a factor of ignorance. We know these issues are important but now that you raise it, I just don't know whether we are doing enough in terms of our expertise and how we consider these matters".

A senior Australian based non-executive director commented on the paradox of importance against the nature of conversations around I and IT issues at board level. He indicated that information and IT are very significant overall areas of focus regarding company well-being and the ability to function: "They are critical in terms of the company's communication, control, governance. At the same time though, they are the most under-rated and understood area a board has to deal with. We risk collapse of the business if systems are not fully understood".

Some directors have indicated that the real issue is the average age and experience of board members. Many former CEOs have not been personally responsible for major IT-enabled business initiatives in their executive and line roles. This means this area is outside their comfort zones.

Another way of expressing this is, in the paraphrased words of a number of directors: "Boards are collections of individuals who don't want to expose their ignorance. Boards probe areas where they are comfortable, areas that they know about. Not enough are comfortable with reviewing issues around information and technology so these are often dealt with at a superficial level".

On the other hand others have indicated that "no-one has mentioned this previously and that seems quite appropriate". For the companies whose boards they are on, IT capabilities are not a significant issue. IT-enabling the business is about backroom efficiencies, and, in the scheme of things, IT-related expenditure is relatively minor.

So what's a board to do?

The first step is just to be open to the some of the changing requirements that might be necessary at board level and be prepared to act on it. Some executive search firms are now recommending shortlists which include suitably qualified individuals with experience as a top level CIO or adviser in this field.

But they indicate that the reaction they often get with their clients in the final stages is that "this doesn't look like someone we would normally have on our board". And they are right. Too often the talk around "extending the talent pool" is just that - talk. It's hard to make the decision that then implements this expressed desire. And this is not only in the area of company information and IT expertise.

At the same time several UK-based directors who do have that background have warned against "tokenism" and then abrogation of duties by the rest of the board. As one director expressed it: "In many areas, it's in the same category as really understanding the industry and knowing the dynamics of different strategic options - every board member needs to have that basic understanding about the company and industry."

So why was the 'Boards and IT governance' forum so popular? Probably because deep down as one participant expressed it: "I don't want to see my company in the headlines for the wrong reasons. We suspect we are at risk but we are not sure exactly how to assess that".

Perhaps some different expertise might help there.

* Professor Marianne Broadbent is associate dean, Melbourne Business School

Disclaimer

The purpose of this database is to provide a full-text record of all articles that have appeared in the CDJ since February 1997. It is aimed to assist in the research and reference process. The database has a full-text index and will enable articles to be easily retrieved.It should be noted that information contained in this database is in pre-publication format only - IT IS NOT THE FINAL PRINTED VERSION OF THE CDJ - therefore there might be slight discrepancies between the contents of this database and the printed CDJ.