6 helpful ways to improve IT governance on your board

Wednesday, 20 March, 2019 - 06:35

IT can be a tricky topic for boards, given that many lack the knowledge to properly govern technology functions. We list 6 ways to ensure your board is maximising its IT potential.

In the past few years, there has been a rapid rise in the number of industries being turned upside down by information technology (IT). This surge in IT influence has reshaped a wide variety of fields, from taxi services to media to retail, and offers tremendous opportunities but also great risk.

As board coach Elizabeth Valentine and her co-authors Steven De Haes and Greg Timbrell explain in The Board’s Role in the Governance of Enterprise, a chapter in The Handbook of Board Governance, boards need to ensure that their information technology generates business value, that their leadership team is managing IT properly, and that IT processes and decisions are happening with acceptable risk. But historically, boards have struggled with all three elements of this modern challenge.

Valentine, De Haes and Timbrell say too many boards are responding by delegating IT matters to the IT department, even though they would never dream of delegating finance to the finance department.

Based on interviews with IT governance specialists, here are six steps boards should take to gain control of IT governance in 2019.

1. Ensure you can exploit information technology

“If you’re not planning to evolve your business to exploit technology, you’re planning to close your business,” says Mark Toomey, an IT governance expert, principal developer of Infonomics Australia, and author of the ISO 38500 global IT governance standard. “All your competitors are doing exactly that, and organisations and people you didn’t even dream were your competitors have got their eye on your lunch.”

“Look at the taxi industry,” says Zac Zahner, a corporate governance consultant. “The industry and their boards were totally unprepared for the impact of Uber. It was almost too late by the time they realised what was happening.”

The key to exploiting IT’s potential, Toomey says, is making a good choice of executive leaders — that “the executive is competent and leading the charge”. His favourite examples of IT success include the earlier work at the Commonwealth Bank of Australia (CBA), whose board empowered former CEO Ralph Norris to completely overhaul its core banking system. That renewal helped CBA to differentiate itself from competitors with digital initiatives, including its lauded mobile banking apps.

Like Toomey and other IT leaders, Tim Ebbeck GAICD fears not enough boards are pressing their leadership teams to seize IT opportunities. Ebbeck, a former head of both SAP and Oracle in Australia and New Zealand, wants more boards to ask how they can disrupt themselves before someone else does it. “How many organisations do you see significantly changing their business ahead of the game?” he asks. “When things are going well, it’s easy to say ‘we’ll just delay it a bit further’.”

2. Check the board’s technology capability

Zahner notes that to take advantage of technology, boards need the right skills, or at least advisors who can help steer the company in the right direction. Directors’ ability to drive IT governance is consistently nominated as one of the biggest board challenges in 2019. Ebbeck says many boards badly need greater diversity of knowledge and thinking, as well as deeper technology skills.

A recent global survey of directors by Harvard Business School researchers Yo-Jud Cheng and Boris Groysberg — Innovation Should Be a Top Priority for Boards. So Why Isn’t It? — underlines this point. When asked what governance activities and processes boards are good at, technology and innovation ranked 17 and 18 out of 23 respectively — and cybersecurity ranked dead last. A 2015 Accenture global survey, published in the UK, found that even in the IT-intensive banking industry, 43 per cent of boards had no board member with professional technology experience.

3. Develop an advisory group

Ebbeck suggests boards that lack broad technology expertise should consider technology advisory groups to supplement their own skills. Zahner emphasises the need to find people who can brief the board on IT initiatives in other industries. Creating an advisory group is also recommended in the AICD’s director tool IT governance: Role of the board. However, Accenture’s survey found only 11 per cent of boards of the world’s top banks had technology committees of any sort.

Toomey frequently advises boards to set up a business capability governance sub-committee, combining directors, executives and outside experts. By dealing with IT opportunities and challenges as part of a wider capability-building effort, such a group can engage more directors than a purely tech-focused group, he says.

4. Send clear signals on cybersecurity

According to a 2017 Stanford University research paper — Critical update needed: Cybersecurity expertise in the boardroom — most boards now recognise “cyber attacks represent a major risk to organisations: the cost of a breach is high, the variety of attacks broad, and the technological issues sophisticated”. Boards need to ensure their organisations have effective protection measures and comprehensive crisis plans for the day a breach actually happens.

However, many boards still seem unable to respond effectively to such a complex threat. The Stanford research paper’s authors note that, even after a cyber attack, “companies make very few governance changes in response”. For instance, Home Depot’s CEO “suffered no decrease in compensation after more than 50 million credit card accounts were stolen”.

Boards also need to signal to staff that cybersecurity behaviour matters. As Ebbeck notes, human carelessness is the cause of most security breaches.

Concern over directors’ personal lack of adherence to cybersecurity policies is remarkably widespread. Toomey says he commonly encounters directors operating under different data security policies from employees. Michael Khoury MAICD, head of forensic IT practice at Ferrier Hodgson, says when organisations roll out updated technology with a new set of rules and processes, directors sometimes respond that “we’re not going to follow it”.

Fortescue Metals Group’s cybersecurity head Mark Wallace adds that: “When everyone sees there’s one set of rules for them and another for everyone else, it trickles down. Eventually, nobody does it.”

5. Ensure the board is on top of major technology projects

Experts point to the failed oversight of major IT projects as one of the biggest sources of financial damage and lost opportunities in the IT field. Such projects have an unenviable record of budget overruns and outright failure. The world’s best-known expert on software project failure, Steve McConnell, who chairs the Executive Council for Software Excellence in the US, estimates a typical business systems project overruns its planned budget by about 100 per cent, with only a quarter of such projects delivered within 25 per cent of their original target.

In 2016, researcher Dr Cecily Macdougall estimated the IT project success rate in Australia was just 64 per cent, with $5.4 billion wasted each year on projects that didn’t deliver a benefit or were abandoned. Macdougall concluded the two top success factors boards need to see are a clear mission for the project, and support for the project from top management.

6. Dig deeper on IT issues

Boards need to learn to “ask the next question” on IT issues, says Zahner. However, many feel they lack the expertise.

Toomey counsels directors not to feel they cannot contribute. He says when they ask for IT reports in business terms, probing is not that hard. His favourite example is the bank board that was told every quarter that a system recovery test had been successful. Only when a director eventually asked for the definition of success did the board find a serious problem: “success” was defined as “identifying the reason for failure within 24 hours”, and the bank had been in breach of its licence for more than two years.

IT governance: Role of the board

The AICD explores the board’s role as overseer of information technology in its director tool IT governance: Role of the board. It outlines some questions that may uncover IT issues, such as:

  • How often do projects fail to deliver what they promised?
  • Are end users satisfied with the quality of IT-related services?
  • Are sufficient resources, infrastructure and competencies available to meet strategic objectives?
  • What has been the average overrun of operational budgets?
  • How often and how much do projects go over budget?
  • How much of the IT effort goes to “fire-fighting”, rather than enabling business improvements?

The New Governance of Data and Privacy: Moving Beyond Compliance to Performance by Malcolm Crompton AM FAICD & Michael Trovato GAICD. This new AICD publication is a governance guide to the opportunities and risks data represents from a compliance and performance perspective. It offers practical advice on establishing and overseeing privacy culture, frameworks and practice.