The United States has recently responded with the Sarbanes-Oxley Act, which has significant implications for companies in other countries as well as those based in the US. Most other developed countries are taking similar steps.
Here in New Zealand, the government is pushing the Securities Commission to “lead the development of a set of corporate governance principles to establish a benchmark for shaping the behaviour of New Zealand businesses”, according to commerce minister Lianne Dalziel.
At the same time, the criticality of information systems and technologies in companies continues to grow. The rise of electronic business, the development of finely-tuned IT-based supply chain management, as well as the need for firms to adroitly juggle a complex mix of in-house projects and outsourcing contracts and relationships, have resulted in most companies becoming ever more dependent on their systems’ capabilities.
In light of this, then, IT ought to constitute a critical concern to boards of directors today. Board-level IT challenges range from minimising the risk of loss arising from fraud and error, to identifying critical IT applications for competitive advantage and ensuring IT disaster recovery and business continuity. There is even the added risk of personal liability facing directors who are found to be too passive in their overview of IT. In effect, as management and control systems become increasingly important, the responsibility of board members to monitor and direct the development of IT is greater than ever before. Emerging technologies and the rapidly changing business environment are redefining the role and responsibilities of corporate boards with respect to IT governance.
However, most board members are generalists, and many boards find it difficult to exercise an appropriate level of IT overview. The risks and opportunities presented by IT may require a level of technical insight which is often absent, given the generally limited IT knowledge present on boards. This condition is frequently paralleled within senior management, especially in the case of extended companies operating in an increasingly networked economy. The net effect is that many boards, while tacitly recognising the criticality of their company’s IT, are reluctant to actually discuss and deal with IT governance issues.
Various professional bodies such as the New Zealand Securities Commission, the Canadian Institute of Chartered Accountants and the IT Governance Institute have argued boards and management are in fact adequately equipped to handle IT governance. They point out, like other forms of overview, IT governance requires standard board member skills – a strategic perspective, sound decision-making, clear process formulation and leadership, along with the ability to ask the right questions.
In order to better understand the extent to which boards are involved in IT governance – and how such involvement might vary according to factors such as industry sector, board composition and board perceptions of the value of IT – we conducted a set of interviews in 17 medium to large companies in late 2003. To provide the study with the sharpest possible contrast, we selected eight corporations from the financial services sector (including several major banks) and nine from the primary resources sector (including forestry, oil and gas exploration, mining and gas transmission companies).
Our basic assumption was that boards of financial services companies are more likely to exhibit closer IT overview than boards in the basic resources sector, given the greater ‘information intensity’ of their business operations. In each company, we interviewed the board chair (or a senior board member) and the most senior information systems executive (often, but not always, the chief information officer). The firms were all based in Canada, most with global operations.
While board structures and practices may differ in some details between Canada and New Zealand, the similarities far outweigh the differences; the basic principles of corporate governance are universal. What we learned from the Canadian companies is quite likely to be reflective of New Zealand companies as well.
Easily the most pervasive IT concern of all such boards is risk. Though a weaker concern in the primary industry firms, risk emerged as the number one concern in the financial services sector. IT risk issues are commonly dealt with by a risk and audit committee, but the subject also occasionally makes it to the full board meeting agenda, particularly in the financial services firms.
Topics such as serious outages, virus threats, hacker attacks, data integrity, catastrophic failure, business continuity, information security, risk profile of new investments, and even rogue trader threats in trading companies are regularly reported on to such boards. One financial services board chairman characterised risk as a “routine top 10 item” for most such boards, and we found that to be the case.
Off the radar screen
Beyond some attention to risk at the audit committee level, IT governance is not even on the radar screen for most firms in the primary sector. Companies in this group in our study have never discussed the corporate IT vision (if there is one), IS planning, IS organisational structure or IS operational effectiveness. Generally speaking, IT seldom, if ever, becomes a topic for any board discussion. Yet many of these companies have large IS departments and large IT capital investments. The explanation for this low level of board interest is pertinent. In such firms, board members note, the IT operating budget is modest relative to the corporate budget or revenues. More importantly, these companies’ boards perceive their degree of operational dependence on IT also to be modest. As one board chairman commented, “If IT was completely out of commission for weeks, we would still be digging coal out of the ground and we could probably keep track of things manually with a simple spreadsheet.”
In effect, if IT collapses, the inconvenience may be great, but basic operations will continue. In such companies, where board meeting agendas are typically crowded anyway, only IT investments of a very large magnitude (for example, the decision to invest in an ERP system) ever make the cut. Even in the latter cases, the board is often only “informed” rather than consulted. As one chief information officer observed, “From my perspective, this is largely a defensive measure. If anything goes wrong with a very large project, I want the board to have heard about it from me first.” In this situation, the board is not being consulted for its input, but is instead simply being kept reassured that management is “on top of things”.
By contrast, financial services companies in our study are much more active with regard to their IT governance responsibilities. IT capital investments in such firms often exceed 50 per cent of their entire capital stock. Also, IT spending relative to revenues is higher than in the primary industry companies. Concern about IT risk exposure is universal in the financial services sector. For this reason we expected some of the companies, especially the large banks, to have established IT committees of the board. However, none had done so and only one had even ever discussed the possibility.
Most such boards receive presentations by chief information officers, or a senior vice president, in which the IT vision and the alignment of the IS plan with corporate strategic directions is explicitly examined. A majority of such boards has also discussed the IT development portfolio, IT leadership and such subjects as the structure and effectiveness of IT operations. Some of these boards have instigated IT benchmarking by outside consultants. On the other hand, board scrutiny seldom reaches the level of individual project governance, and then only when the investment is sizeable and the application is critical to operations.
Still, even in the financial services area, some boards are surprisingly inattentive to IT governance. In such cases, boards often cede their overview responsibilities to management, by hiring an ‘IT top gun’. Considerable confidence and trust seems to be vested in such individuals, thereby allowing the board to feel IT is in safe hands and relieving it from further concern about the IT function.
Overall, even among the financial services sector, most boards seem to be passive receivers of information about IT, as opposed to aggressive, proactive questioners. We saw little board-level concern, for example, that the company achieves a good return on its IT investment, or whether IT expenditure is commensurate with corporate prospects – either too high or too low. We seldom heard of discussions regarding whether IT is best centralised or decentralised, outsourced or in-housed.
The general lack of intellectual engagement with IT issues by most boards is perhaps our most significant finding. The disinclination of boards to grapple with using IT for competitive advantage, whether that advantage might be cost-cutting or revenue-generating, suggests the possibility of lost opportunities. The FedEx case is particularly instructive in this regard.
Through insightful IT investments in its logistics and supply chain operations, FedEx has become the world’s largest overnight package carrier and transformed itself into a global company. The secret of this success stems from the realisation the management of information, and not simply prompt and reliable parcel delivery, is the critical success factor in the FedEx value chain.
The lesson here is one path to pushing the envelope in extracting maximum value from IT is for boards to focus on better understanding the role of information in the corporate value chain and in its supply chain management. This doesn’t necessarily mean thinking ‘outside the box’ but, instead, may mean understanding a great deal better what is actually inside the box. To improve its own understanding of IT and provide special focus on its systems, FedEx some time ago created an IT committee on the board. FedEx’s IT committee oversees major IT-related projects, technology-architecture decisions, and advises FedEx’s senior IT management team.
We recognise, of course, the eyes of many directors glaze over the moment IT is mentioned. And board members are invariably too busy to become ‘computer literate’. (Strangely, many board members seem to feel, without a depth of IT technical knowledge, they would not be in a position to debate and discuss strategic IT issues.) We argue instead that by adopting a few simple measures, boards can sharply improve their effectiveness and performance with regard to IT issues.
As a start, boards should consider having the chief information officer or equivalent attend board meetings regularly. This will provide the double benefit of better informing this individual regarding ‘board thinking’ while providing an often absent source of IT management expertise.
Once a year, the chief information officer should provide a brief presentation regarding the IT vision and strategic plan for development. The board’s concern in this regard is to ensure the IT strategy is properly aligned with corporate strategic plans. Not infrequently, we were advised “IS plans emerge from the plans of the operating units” and, for that reason, are not discussed separately. But this tends to reinforce the notion the IS function has little potential for corporate contribution beyond the role of servitor for the operating units, which has the subtle effect of convincing board members the board has no need to consider IT opportunities.
The chief information officer should also occasionally provide brief information sessions to increase the level of IT understanding on the board. These sessions should emphasise the business implications of particular technologies, and should avoid delving too deeply into technical details.
In doing this, the chief information officer should play to the strengths of corporate directors – their business acumen and experience. Such information should not be expected to provoke immediate and valuable insights, but rather to provide a nurturing milieu in which future ideas, as well as the confidence to raise and debate such ideas, can develop.
The argument for the senior IT executive to attend board meetings also has an important behavioural dimension to it. For a start, getting to know the chief information officer gives board members a ‘personality’ to deal with regarding IT issues, rather than a faceless department, the image of which at the board level may be of a technical group disconnected from the revenue-generating operations of the business.
One chief information officer of a major company spoke of the value of getting to know board members in informal settings. She stated that because of their lack of IT knowledge, directors are often quite reluctant to raise IT issues, for fear of embarrassing themselves in the presence of their colleagues. Yet in one-on-one situations, outside the meeting context, particular board members have exhibited both interest and enthusiasm in discussing IT issues.
In fact, she mentioned having developed a synergistic relationship with one board member who regularly seeks her out as a sounding board for his IT-related ideas, while he serves as a mentor in her own development as a senior manager. By attending board meetings she found herself included in the associated dinners and other social events, which gave directors an informal setting for exchanging ideas with her to develop their own IT thinking.
Another useful step is to recruit to the board at least one individual with an IT background. Our observation is IT management experience is seldom on the list of board appointment criteria. And even if such experience is present in a prospective appointee’s background, this ability is often not seen as a valuable factor in the appointment decision. We feel this is a mistake.
A board member with a deep knowledge of IT issues, perhaps someone with senior IT responsibilities elsewhere, can create a focal point on the board for dealing with IT concerns. Such an individual can also play a valuable role on the board’s audit and risk committee, where issues of IT risk are often examined. Such a person might even form the nexus for a separate IT overview committee, if the board is inclined to create one.
Finally, the board chair must elevate IT issues in his or her own mind, as being ‘worthy’ of board consideration. It is unlikely this will happen, short of a major IT disaster, if nothing else changes. That is why we argue the two steps identified above need to come first: Having the chief information officer attend all board meetings; and appointing an IT-experienced member of the board. These steps will naturally have the effect of increasing the salience of IT in the mind of the board chair and other members of the board.
Changes in the larger business environment combined with rapidly emerging technologies have created new responsibilities and opportunities, which are redefining the role of corporate boards with respect to IT governance. By asking the right questions, bringing senior IT management into board discussions and recruiting IT talent onto the board, boards can become much more effective in dealing with IT issues.
About the authors
Sid Huff is head of school of information management at the Victoria University of Wellington. His co-authors are from the University of Calgary in Canada: Malcolm Munro is a professor of information systems, and also served as associate dean of the faculty of commerce. Mike Maher is professor of business strategy and has served on many Boards. This article is based on a study they conducted on information services and technology function at board level, completed when Huff was a visiting scholar at the University of Calgary.