IT can be a tricky topic for boards given many lack the knowledge to properly govern technology functions. We list 6 ways to ensure your board is maximising its IT potential.
In the past few years, there has been a rapid rise in the number of industries being turned upside down by information technology (IT). This surge in IT influence has reshaped a wide variety of fields, from taxi services to media to retail, and offers tremendous opportunities but also great risk.
As board coach Elizabeth Valentine and her co-authors Steven De Haes and Greg Timbrell explain in The Board’s Role in the Governance of Enterprise, a chapter in The Handbook of Board Governance, boards need to ensure that their information technology generates business value, that their leadership team is managing IT properly, and that IT processes and decisions are happening with acceptable risk. But historically, boards have struggled with all three elements of this modern challenge.
Valentine, De Haes and Timbrell say too many boards are responding by delegating IT matters to the IT department, even though they would never dream of delegating finance to the finance department.
Based on interviews with IT governance specialists, here are six steps boards should take to gain control of IT governance in 2019.
- Ensure you can exploit information technology
- Check the board’s technology capability
“If you’re not planning to evolve your business to exploit technology, you’re planning to close your business,” says Mark Toomey, an IT governance expert, principal developer of Infonomics Australia, and author of the ISO 38500 global IT governance standard. “All your competitors are doing exactly that, and organisations and people you didn’t even dream were your competitors have got their eye on your lunch.”
“Look at the taxi industry,” says Zac Zahner, a corporate governance consultant. “The industry and their boards were totally unprepared for the impact of Uber. It was almost too late by the time they realised what was happening.”
The key to exploiting IT’s potential, Toomey says, is making a good choice of executive leaders – that “the executive is competent and leading the charge”. His favourite examples of IT success include the earlier work at the Commonwealth Bank of Australia (CBA), whose board empowered former CEO Ralph Norris to completely overhaul its core banking system.
That renewal helped CBA to differentiate itself from competitors with digital initiatives, including its lauded mobile banking apps.
Like Toomey and other IT leaders, Tim Ebbeck GAICD fears not enough boards are pressing their leadership teams to seize IT opportunities. Ebbeck, a former head of both SAP and Oracle in Australia and New Zealand, wants more boards to ask how they can disrupt themselves before someone else does it. “How many organisations do you see significantly changing their business ahead of the game?” he asks. “When things are going well, it’s easy to say ‘we’ll just delay it a bit further’.”
Zahner notes that to take advantage of technology, boards need the right skills, or at least advisors who can help steer the company in the right direction. Directors’ ability to drive IT governance is consistently nominated as one of the biggest board challenges in 2019. Ebbeck says many boards badly need greater diversity of knowledge and thinking, as well as deeper technology skills.
A recent global survey of directors by Harvard Business School researchers Yo-Jud Cheng and Boris Groysberg – Innovation Should Be a Top Priority for Boards. So Why Isn’t It? – underlines this point. When asked what governance activities and processes boards are good at, technology and innovation ranked 17 and 18 out of 23 respectively – and cybersecurity ranked dead last. A 2015 Accenture global survey, published in the UK, found that even in the IT-intensive banking industry, 43 per cent of boards had no board member with professional technology experience.
- Develop an advisory group
- Send clear signals on cybersecurity
- Ensure the board is on top of major technology projects
- Dig deeper on IT issues
Ebbeck suggests boards that lack broad technology expertise should consider technology advisory groups to supplement their own skills. Zahner emphasises the need to find people who can brief the board on IT initiatives in other industries. Creating an advisory group is also recommended in the AICD’s director tool IT governance: Role of the board. However, Accenture’s survey found only 11 per cent of boards of the world’s top banks had technology committees of any sort.
Toomey frequently advises boards to set up a business capability governance sub-committee, combining directors, executives and outside experts. By dealing with IT opportunities and challenges as part of a wider capability-building effort, such a group can engage more directors than a purely tech-focused group, he says.
According to a 2017 Stanford University research paper – Critical update needed: Cybersecurity expertise in the boardroom – most boards now recognise “cyber attacks represent a major risk to organisations: the cost of a breach is high, the variety of attacks broad, and the technological issues sophisticated”. Boards need to ensure their organisations have effective protection measures and comprehensive crisis plans for the day a breach actually happens.
However, many boards still seem unable to respond effectively to such a complex threat. The Stanford research paper’s authors note that, even after a cyber attack, “companies make very few governance changes in response”. For instance, Home Depot’s CEO “suffered no decrease in compensation after more than 50 million credit card accounts were stolen”.
Boards also need to signal to staff that cybersecurity behaviour matters. As Ebbeck notes, human carelessness is the cause of most security breaches.
Concern over directors’ personal lack of adherence to cybersecurity policies is remarkably widespread. Toomey says he commonly encounters directors operating under different data security policies from employees. Michael Khoury MAICD, head of forensic IT practice at Ferrier Hodgson, says when organisations roll out updated technology with a new set of rules and processes, directors sometimes respond that “we’re not going to follow it”.
Fortescue Metals Group’s cybersecurity head Mark Wallace adds that: “When everyone sees there’s one set of rules for them and another for everyone else, it trickles down. Eventually, nobody does it.”
Experts point to the failed oversight of major IT projects as one of the biggest sources of financial damage and lost opportunities in the IT field. Such projects have the unenviable record of budget overruns and outright failure. The world’s best-known expert on software project failure, Steve McConnell, who chairs the Executive Council for Software Excellence in the US, estimates a typical business systems project overruns its planned budget by about 100 per cent, with only a quarter of such projects delivered within 25 per cent of their original target.
In 2016, researcher Dr Cecily Macdougall estimated the IT project success rate in Australia was just 64 per cent, with $5.4 billion wasted each year on projects that didn’t deliver a benefit or are abandoned. Macdougall concluded the two top success factors boards needed to see are a clear mission for the project, and support for the project from top management.
Boards need to learn to “ask the next question” on IT issues, says Zahner. However, many feel they lack the expertise.
Toomey counsels directors not to feel they cannot contribute. He says when they ask for IT reports in business terms, probing is not that hard. His favourite example is the bank board that was told every quarter that a system recovery test had been successful. Only when a director eventually asked for the definition of success did the board find a serious problem: “success” was defined as “identifying the reason for failure within 24 hours”, and the bank had been in breach of its licence for more than two years.
IT governance: Role of the board
The AICD explores the board’s role as overseer of information technology in its IT governance: Role of the board. It outlines some questions that may uncover IT issues, such as:
- How often do projects fail to deliver what they promised?
- Are end users satisfied with the quality of IT-related services?
- Are sufficient resources, infrastructure and competencies available to meet strategic objectives?
- What has been the average overrun of operational budgets?
- How often and how much do projects go over budget?
- How much of the IT effort goes to “fire-fighting”, rather than enabling business improvements?
The New Governance of Data and Privacy: Moving Beyond Compliance to Performance by Malcolm Crompton AM FAICD & Michael Trovato GAICD. This new AICD publication is a governance guide to the opportunities and risks data represents from a compliance and performance perspective. It offers practical advice on establishing and overseeing privacy culture, frameworks and practice.
Some companies mentioned in this feature have advertised in Company Director, but have had no involvement in or influence on actual editorial content.