Six principles for good IT governance

Mark Toomey argues that British Airways could have prevented huge losses and embarrassment if it had applied the six principles for good governance of IT when opening Heathrow Terminal 5.

British Airways CEO Willie Walsh is intimately familiar with the consequences of information technology problems. Addressing the Institute of Directors Conference in London in April 2008, Walsh said: “There is absolutely no doubt that 27 March — the opening day of Terminal 5 — was a very disappointing day for the country and a bitterly disappointing day for British Airways. We got things wrong and we let people down. I have apologised to our customers and I apologise again. The standard of service that we are now delivering has significantly improved, but we did not deliver on what should have been a day of celebration”.

British Airways is but one of a long list of organisations that has suffered reputational and financial damage as a result of problems with using IT. The many examples of business disruption, unacceptable costs, dissatisfied customers and regulatory intervention remind us all that the risk associated with strategic and operational dependence on IT can be very substantial and often warrants regular assessment by the board.

Many company directors and top executives crave insight and guidance regarding how to understand and control the risks associated with IT. Witness that virtually every AICD event where IT is the lead topic is heavily subscribed. At the same time, many organisations are investing heavily in IT governance, in an effort to improve control. But the IT sector, little more than 50 years old, is immature in its understanding of the concepts of governance, especially when compared to the finance and human resources sectors, and much of what is promoted as IT governance is really focussed on improving the management processes for developing and operating IT systems. When the outputs of IT governance reach the top of the organisation, they are often still too technical and too detailed. They are management information, not governance information, and they are often constrained to address only the supply aspects of IT with little emphasis on the business use of the IT.

With the tendency of IT governance to focus on the technical delivery aspects rather than the business use aspects of IT, it is disappointing but unsurprising that just hours before Heathrow Terminal 5 was to open, British Airways discovered that the new biometric (fingerprint) passenger identification system did not conform with privacy laws. Regardless of whether or not the system operates correctly, it cannot be used for reasons that have nothing to do with the technology itself, and everything to do with business rules and conformance with legislation. How could it be that the right questions were not asked at the appropriate time, so that a conformant approach could be taken to ensuring that the passenger at check-in is the same passenger who actually boards the aircraft?

An effective system of governance, addressing the full scope of business use of information technology, should have provided the British Airways board and executive management with assurance that these questions had indeed been asked, and that any shortcomings had been resolved well before they contributed to a crisis.

While some may continue to hold contrary views, the reality of organisations being dependent on IT means that as part of assuring the current viability and future sustainability of their organisations, company directors should ensure that the organisation’s use of IT is effective, efficient and acceptable. Considering the limited time available, and the lack of deep technology skills that often prevails at board level, organisations should establish a system for corporate governance of IT that enables the directors to evaluate, direct and monitor the current and future use of IT, and to ensure that management is effective in directing and controlling its IT.

Clear guidance on the corporate governance of IT is now available in a new international standard – ISO 38500. Published in June 2008, this standard is based on and supersedes AS8015 – the Australian Standard for Corporate Governance of Information and Communications Technology – which was published in January 2005. ISO 38500 improves on AS8015 in many detailed elements, while remaining consistent with the framework of governance tasks and principles established in AS8015.

The six principles for good corporate governance of IT defined in ISO 38500 provide a useful lens for directors when assessing current and proposed use of IT. Many organisations will benefit from establishing a clear policy based on the principles and from using the principles to check that appropriate behaviour has been exhibited in plans for, and ongoing operational use of, IT. In brief, the principles are:

• Responsibility: Responsibility for effective, efficient and acceptable use of IT should be clearly and appropriately allocated and fully understood by all. Business managers should be responsible for business use and performance, including successful outcomes of projects where IT is a major enabling investment.
• Strategy: Business planning should consider and define direction for IT from the highest level, thus providing the basis for proper alignment of IT activity with business requirements.
• Acquisition: Decisions to invest in, and to continue spending on, IT should be made by fully considering the factors that will determine success. These factors go well beyond the basic business case and include the capacity of the organisation to absorb and manage change, the capability of the IT supplier (whether internal or external) to deliver the required services, the feasibility of the required technology solution and the organisation’s appetite for risk.
• Performance: Demand for IT service and capability in both current operations and development of new business systems should be moderated in respect of the overall business plan and balanced against the organisation’s capacity to obtain or deliver the required service and resources.
• Conformance: All rules, whether external or internal, regarding the use of IT should be formally identified, clearly communicated and appropriately enforced.
• Human Behaviour: Characteristics and the needs of the people in the process (those who plan, control, deliver, implement, operate, use or are otherwise affected by an organisation’s decisions regarding the use of IT) should be taken into account in all aspects of planning and using IT.

Pragmatic assessment of problems like those experienced at Heathrow Terminal 5 invariably shows that one or more of these six principles have not been given sufficient attention. Reports on the Terminal 5 problems show that while some systems were not adequately tested, many of the problems arose because staff were inadequately trained and because the transition to Terminal 5 was more of an all-in-one event than a progressive transition that would have allowed problems to be ironed out before they became debilitating.

Given this understanding, it is surely appropriate that the people who were held accountable for the British Airways Heathrow Terminal 5 debacle were senior business executives. An approach to corporate governance of IT that conforms with ISO 38500 might have saved these executives jobs and quite likely would have saved British Airways from the immense cost and embarrassment that resulted from its ill-advised mass relocation to an untried new environment where IT is critical to every aspect of minute by minute operations.

ISO 38500 is available for purchase through SAI Global, online at: www.saiglobal.com

Mark Toomey FAICD, MACS (Snr) is founder and managing director of Melbourne based company, Infonomics. He represents AICD in the development of Australian standards for IT governance, and represents Australia in international development of related standards