Time to take responsibility for IT

Wednesday, 01 December 2004


    The critical role of information technology as a key driver of performance and business success is a cornerstone reality of the 21st century corporation. IT has redefined business processes and the competitive landscape in which businesses operate, yet when it comes to taking responsibility for IT, many boards are looking the other way.

    The very success of IT's progress from automation tool to strategic linchpin has caught many directors flat-footed. So rapidly has technology implanted itself on organisational processes that a culture of IT governance has failed to take root in most boardrooms.

    IT has never been more important for organisational performance, yet boards, and many CEOs for that matter, take only a cursory interest in IT, confining their interest to whether project deadlines and budgets are being met. The same boardroom rigour that goes into the objective evaluation of financial, legal and HR issues just isn't happening with IT. More often than not, IT is not subject to the same standards of risk analysis, value management and regulatory compliance that apply to other business functions.

    In this era of heightened focus on corporate governance, IT governance may prove to be the weakest link.

    A report released earlier this year by PricewaterhouseCoopers and the US-based IT Governance Institute, IT Governance Global Status Report, found a great disparity between IT governance awareness and action.

    The report, based on interviews with CEOs and CIOs in 21 countries, including Australia, found that while more than 93 percent of business leaders recognised that IT was vital to the success of their organisations, more than two-thirds of CEOs were uncomfortable answering questions about governance and control over their IT processes.

    The report also found that 76 percent of business leaders were aware they had IT problems that could be resolved by implementing an IT governance framework, but 42 percent were not considering implementing an IT governance program.

    This is a sobering result in a worldwide regulatory environment which places the spotlight not only on companies' financial reporting, but also on the IT processes which underpin their financial systems and reporting.

    Christina Gillies, a company director and a prominent IT governance adviser, says IT governance is "maturing and moving up the organisation towards the boardroom, [but] in many cases it just hasn't got there yet".

    The push for greater IT governance has its adherents, but they're in the minority.

    Victorian regional bank Bendigo Bank is one listed company to recently establish an IT committee on its board.

    According to Bendigo Bank CEO Rob Hunt: "IT is a key business unit in all corporations. In banking, IT makes up a major part of the annual spend and is critical in providing the quality of service to the customer at the front line, and in supporting the staff in all activities. Establishing an IT governance committee can ensure that appropriate board direction, monitoring and prioritisation takes place in relation to the corporation's IT business."

    Hunt adds: "[An IT governance committee] has the added benefit of providing directors with a forum to overview and contribute to the priorities for this important part of the corporation."

    Gillies, who was an adviser to Bendigo on implementing the IT governance committee, says boards are more aware of the need to act on IT governance, but the problem is often not knowing what course of action to take.

    "Boards do care," she said. "IT risks are a critical concern for boards and directors; the question for many directors is: 'How do we care?' Many directors feel they are not qualified to ask the strategic technology questions, but in truth they are. You don't have to be an IT person to ask those questions," Gillies says.

    For many boards, particularly those boards without the expertise or confidence in IT, heavy reliance is placed on the CIO to keep directors informed. The effectiveness of that strategy can depend on the attributes of the CIO.

    "Some CIOs have come through a technical background and when they get to run IT for a company, they don't have the spread of competencies, particularly in being able to communicate with a board. Executives are expected to understand what the board is worrying about," says Gillies.

    "I have seen a CIO coming into the boardroom, giving a report on IT, and you can see the directors' eyes glazing over. The CIO could be explaining a lot of issues, but the directors don't know how to interpret them, so the board is not properly informed."

    Gillies, who has over 30 years' experience in the IT industry, has made the transition from IT executive to prominent company director. A former CIO of the Bank of Melbourne and Group Executive Integration with St George Bank, in which role she oversaw the integration of St George and Advance banks, Gillies now sits on several boards, including financial services company Sealcorp Holdings, IT services companies CommSecure and Oakton, and Commonwealth Government agency Centrelink.

    Gillies says CIOs must adapt to take their place in the new corporation: attending and reporting to boards, setting IT governance frameworks, and ensuring that IT and business strategies are in sync. But if the future belongs to the CIO, the future must start in the boardroom, with Gillies arguing that Australian companies must speed up their commitment to IT governance.

    "Good corporate governance is incomplete without adequate IT governance, and IT governance is inadequate in many boardrooms," says Gillies, who estimates that fewer than 5 percent of Australian publicly listed companies have IT committees on their boards.

    A serious commitment to IT governance in and from the boardroom will drive good IT governance throughout the organisation, Gillies insists. "It's time for boards and executives to lead by example from the top," she says.

    Gillies urges IT-shy boards to adopt IT governance frameworks. Such frameworks will enable directors to probe into the issues around the company's technology assets in a disciplined and consistent manner, while ensuring that IT strategies are aligned with business strategies.

    The IT Governance Institute's IT Governance Global Status Report found a clear relationship between the effectiveness of IT governance measures and the frequency with which IT is discussed at the board level.

    Companies at which IT is routinely on the board agenda reported better measurement of IT performance, better management of IT resources, better risk management, better delivery of business value through IT, and better alignment of IT with the company strategy.

    Professor Marianne Broadbent, associate dean of the Melbourne Business School and a former group vice-president of US-based advisory firm Gartner, is an international authority on IT governance. She defines IT governance as "the assignment of decision rights and accountability frameworks to encourage desirable behaviour in the business use of information and IT".

    A corollary of growing awareness and recognition of IT in the boardroom is that the CIO will in turn take an elevated strategic role. But, as Broadbent and Gartner vice-president Ellen Kitzis point out in their new book, The New CIO Leader: Setting the Agenda and Delivering Results (Harvard Business School Press), that will happen only if CIOs first win the crucial credibility upon which effective leadership depends.

    The authors argue that CIOs find themselves at the crossroads. Their future, and the future of good IT governance, depends on the path they take.

    "The path influenced by the view that IT is irrelevant to competitive advantage leads to a role that might be called 'chief technology mechanic', a role ultimately no more prestigious than a factory floor manager. The other path, influenced by the view that IT is at the heart of every significant business process and is crucial to innovation and enterprise success, leads to a new role we call 'the new CIO leader'. The new CIO leader bears all the prestige, respect and responsibility of other senior executive positions (in fact the position will be a not infrequent stepping stone to COO and CEO positions)."

    In the meantime, CIOs remain the new kids on the corporate governance block. According to research by US-based public relations group Burson-Marsteller, only 5 percent of Fortune Global 500 companies have CIOs or chief technology officers on their boards.

    Most boards remain focused on financial, managerial and legal experience and are not giving equal weight to technology experience, says Heidi Sinclair, chair of BM's global technology practice.

    "Information technology is strategically placed at the heart of the world's major industries, running most of their critical business processes, yet this study shows that most of the world's largest companies are not receiving board-level strategic advice on how technology can address current and future business problems," she says.

    The challenge in Australia, according to the Australian Computer Society (ACS), is to position information and communications technology (ICT) as a corporate governance issue, "that ICT [governance] is core to good corporate governance". But that's not the only challenge.

    Marghanita da Cruz, chair of the ACS's Governance of ICT Committee, says despite the critical role of IT in business, IT and non-IT engagement does not come easily, particularly at the senior management and board levels.

    For the past two years, the ACS has played a critical role in contributing to the development of an Australian Standard for the governance of ICT. Standards Australia is due to release the standard by the end of the year.

    "The objective of the Governance of ICT standard is to provide guidance to board members and their advisers on the principles and model for the control and direction of the use of ICT. It defines roles and responsibilities, a vocabulary and principles for good governance," says da Cruz.

    The standard will cover compliance (including spam and privacy legislation), software licensing, security, guidance to directors on their duties, and governance standards.

    "With ICT having such a direct and immediate effect on the business, boards are as accountable for ICT as they are for finances. ICT managers and other advisers will be expected to provide boards with better information and timely analysis on operational and strategic risks arising from the use of ICT," da Cruz says.

    The standard will provide directors with a framework for governing technology; however, da Cruz says there is also strong demand for a framework among IT executives who must report to boards.

    Australia in the lead with IT Governance

    By Mark Toomey

    Many formal standards focus on intricate detail that is best left to specialists. The Information and Communications Technology (ICT) field has standards such as AS8018 (ICT Service Management) that concentrate on detail of equipment, software, risk and management.

    Standards Australia recognises that success with ICT is not merely a matter of technical detail. Research demonstrates that ICT success depends on how organisations go about controlling their ICT.

    The recently finalised Australian Standard AS8015 deals with Corporate Governance of Information and Communication Technology. This educative standard is designed to help directors understand why and how they should take an active role in governing their organisation's use of ICT. With its focus on supporting directors, AS8015 provides global leadership, as the first formal standard addressing top level governance of ICT. Its six powerful principles of ICT Governance apply across all forms of organisation, small, medium and large, public and private, for and not for profit.

    AS8015 shows directors what to look for as they evaluate, direct and monitor the organisation's activities. Real life experience shows that most IT failures have clear breaches of these commonsense principles. They warrant close consideration, and directors should insist that appropriate policies exist to guide compliance.

    1 "Establish clearly understood responsibilities for ICT".

    2 "Plan ICT to best support the organisation".

    3 "Acquire ICT validly".

    4 "Ensure that ICT performs well, whenever required".

    5 "Ensure ICT conforms with formal rules".

    6 "Ensure ICT use respects human factors".

    * Mark Toomey represents AICD on Standards Australia's ICT Governance Committee. He is principal of Infonomics, specialising in plain language about IT governance. Contact him at mtoomey@infonomics.com.au, or see www.infonomics.com.au


    The purpose of this database is to provide a full-text record of all articles that have appeared in the CDJ since February 1997. It is aimed to assist in the research and reference process. The database has a full-text index and will enable articles to be easily retrieved. It should be noted that information contained in this database is in pre-publication format only - it is not the final printed version of the CDJ - therefore there might be slight discrepancies between the contents of this database and the printed CDJ.
