Revealing the Clandestine World of Technology Governance

Wednesday, 11 April 2018

Jan Begg
Chair, Standards Australia IT Governance Committee and non-executive director

    Over the last year a number of boards have visited Silicon Valley to see technology and innovation in action. Others have tried to develop their understanding of all things cyber through seminars, consultants' presentations and well-publicised horror tales. Whilst these activities are not wasted, there is a lot more to governance of technology and to how it helps foster innovation.

    So what is governance of technology and is it discussed in the boardroom, delegated to management or hidden from directors? The international standard on 'Governance of IT' for the organisation (ISO/IEC 38500) defines it as a system by which current and future use of IT is directed and controlled, as a subset or domain of organisational or corporate governance. This guidance document also has a focus on the role of good governance in contributing to improved performance through innovation and strategic alignment.

    I recently participated in the initial discussion of the AICD 'Technology Governance and Innovation Panel'. It is clear that there is a wealth of experience and information available to directors but that it needs to be more accessible. The following includes some tips about what exists and why directors might find it useful. This resource is continuing to evolve and includes voluntary guidance documents that Australian experts have contributed to over the past 20 years.

    What are the right questions to ask about technology and innovation, and how will you interpret the answers? A good place to start is with an understanding of your business profit levers, your culture and what gets your stakeholders, customers and regulators excited. Combine these factors with the six principles, three governance tasks and four governance mechanisms in ISO/IEC 38500 (Figure 1) and you will have a framework for finding the appropriate questions.


    Governance of IT Principles

    • Responsibility
    • Strategy
    • Acquisition
    • Performance
    • Conformance
    • Human Behaviour

    Governance Tasks

    • Evaluate
    • Direct
    • Monitor

    Governance Mechanisms

    • Delegation
    • Strategy & Policy
    • Proposals & Plans
    • Performance & Conformance

    Figure 1: ISO/IEC 38500 Governance of IT Principles, governance tasks and mechanisms


    Like most things about being a company director, it’s about being comfortable with complexity and building up your knowledge of what makes your organisation tick. You can approach the topic in the same way that you would with other aspects of the governance role such as financials and risk management. Through a lens of strategy and compliance, looking backwards and towards the future, we seek to understand the system in place and how we as directors can influence the outcomes. What are we required to do? How do we do it? How do we know it is being done? What are we going to do differently? What do our competitors do? The questions are a small subset of what we ask ourselves and management as we execute our fiduciary duty.

    At the board level the core standard, ISO/IEC 38500, started with governance of IT for the organisation and has now been joined by the relatively recent ISO/IEC 38505-1 on the application of these principles to the governance of data. This is timely for directors seeking a deeper understanding of the governance of data that is created, collected, stored or controlled by IT systems, and of how it impacts the management processes and decisions relating to data. This standard is currently being adopted by Australia, which means that this guidance will be more readily available to Australian organisations. Shortly this standard will be joined by a technical report, 38505-2, that provides case studies.

    The governance of IT standards have now been broadened and supported by the ISO/IEC 30105 series of standards on IT-enabled Services Business Process Outsourcing (ITES-BPO), which recognises the complexity of the way we purchase and provide services.

    At the management level various IT standards are used to improve performance and reduce risk; the continually evolving ISO/IEC 20000 series and the ITIL framework are examples.

    These guidance documents provide a shared vocabulary for directors and management and supplement corporate governance practice to include strategic focus on governance of technology and innovation.
