With corporate data breaches constantly making headlines, boards of directors are understandably nervous about reliance on information technology to meet business needs. The threats of crashes, distributed denial of service (DDoS) attacks, and sensitive information leaks have raised awareness of IT risk at the highest organizational levels.
Because companies are operationally dependent on systems, IT plays a huge role in shaping enterprise strategies. Yet, most boards have relatively little knowledge about IT strategy and spending, even when committing large portions of their capital spending to corporate information assets.
The role of the board of directors in risk management is complex. It’s clear that boards should be more involved in IT decisions, but how? There isn’t a uniform model for full board supervision of IT operations because of the immense diversity among existing businesses. An IT approach that works well for a grocery chain would not accommodate an entertainment media company.
Read on to learn:
- How to gauge boards’ level of involvement in IT decisions
- What an IT governance committee should look like
- How to determine the committee’s oversight responsibilities and scope
- How to develop IT governance policies for your organization
Remember: Tailoring appropriate board governance to your company’s operational and strategic needs helps your enterprise in two critical ways. First, it avoids unnecessary risk. Second, it improves your competitive stance.
The Challenges of Connecting Information Technology and the Board of Directors
Compared to other areas of corporate control, the relationship between information technology and the board of directors can display a relative lack of standards. Unlike accounting and compensation, IT governance lags in establishing a comparable body of knowledge and best practices. This occurs because of:
- A deficiency of knowledge and expertise among board members
- Siloed operations and interests throughout the organization
- Limited knowledge of IT risks and expenses
- A combination of all of the above
An absence of IT oversight can occur despite centralizing IT governance through a chief information officer (CIO). No enterprise organization would leave only one person in charge of its books, yet many firms leave the CIO to manage critical assets on their own, putting the organization at risk.
To address this inconsistency, several companies have implemented board-level IT governance committees that operate alongside their audit, compensation, and risk committees and management teams. Working in concert with senior management and the board to drive decisions around technology, the IT governance committee helps rein in costly projects and continue growing the firm’s competitive edge.
Knowledge of the organization’s technology needs, competitive pressures, and orientation toward risk is needed to develop an IT governance strategy that is sustainable and effective. By understanding their firms’ positions, board members can determine how aggressive an approach they should take to IT governance.
What Is IT Governance and Why Is It Necessary?
The concept of corporate governance was established within the context of crisis management. Since the 1990s, the term has been used to refer to the principles, policies and practices of responsible business management. It’s geared toward creating long-term value within companies.
In the wake of the Great Recession from 2007 to 2009, fundamental principles of sustainable business intensified in importance for companies within every industry. How can companies ensure long-term success while remaining responsible to both stakeholders and shareholders?
Although governance has become a buzzword, the role of the board of directors in ensuring governance over various aspects of corporate activity and decision-making remains unclear. There is not a uniform standard or model for how to govern sustainably.
Most board members are aware of how important risk management, compliance and information security are to the lifelong success of their companies. However, they may not have sufficient background in these areas to understand how to implement adequate monitoring and oversight of these business aspects. Further, some boards may not recognize the board of directors’ role in IT governance at all.
Considering External and Internal Factors
To establish systematic and well-integrated governance at the board level — over risk, compliance, and security — board discussions and board meetings need to consider both external and internal factors.
External governance factors include:
- The market and overall economy
- The political environment
- The natural environment
- Cultural and social factors
- Legislation and compliance
Internal governance factors include the company’s overall:
- Technological infrastructure
Although IT governance appears to touch solely upon internal factors, it covers both the internal and external reaches of board of director governance.
Modern communications and IT systems connect companies to the outside world, serving as the public-facing business storefront. If not guarded appropriately, systems like these also expose vulnerable entry points to hackers and other malicious cyberattacks.
Because the technological landscape is competitive, board members need to stay abreast of trends and advancements that competitors can use to gain a business edge. And with the technology sector becoming increasingly regulated, this is another area where boards need to ensure compliance with legislation and regulations.
Accounting for IT Control and Regulation Aspects
Board members charged with ensuring risk management, compliance and security of their companies must consider an IT governance structure as part of their purview. Although this structure will depend on the individual company’s needs and orientation towards risk, IT governance is something that every board of directors should have on their radar.
Aspects of IT regulation and control that every board will need to account for include:
- Governance: The general framework of rules and guidelines for managing and monitoring IT systems within the company. Governance ensures responsible, efficient, transparent, and secure business control and regulation.
- Risk management: A structured and ongoing process for identifying and addressing both risks and opportunities. The process should be a standard protocol that is continuously in place to keep minimizing risk.
- Compliance: Accounting for compliance requires a thorough and rigorous application of all legally binding regulations and guidelines. The aim is to avoid legal risk and to ensure that all products, services, and business processes are above-board.
IT governance touches upon all three aspects. In doing so, it ensures an effective, efficient and ongoing structure. The existence of IT governance is central to the charge of most boards within market-oriented organizations.
Making Connections Between IT Governance and Overall Scope
Further principles that boards need to implement for IT governance, as part of the board’s overall purview, include:
- Accountability: The board of directors should be held accountable for the company’s top-level decision-making as it relates to operations — including IT operations. Project spending and other financial decisions should also be vetted at top levels to ensure coordination with other organizational priorities and goals.
- Responsibility: The board must assume responsibility for all aspects of organizational operations. A systematic and rigorous framework for governance avoids siloed interests and ensures that the board can make informed business decisions for the long-term sustainability of the entire company.
- Transparency: By breaking down silos and creating top-level management structures, IT governance at the board level also ensures transparency at all operational tiers for IT spending and decision-making.
- Fairness: As the governing body overseeing all teams within the company’s organizational structure, the board of directors also plays a primary role in ensuring that no team’s interests are prioritized above another’s. The board must ensure that the allocation of resources and personnel is aligned with the company’s overall vision.
IT has historically been overlooked in most organizations, both in the resources it receives and in its contribution to a shared vision, but that is changing. More companies now see the importance of their IT teams to the organization’s overall business health and prospects. Still, balancing IT needs with those of other operational teams is an important part of the board’s scope of governance.
How IT Governance Fits Into the Overall Governance Picture
Even boards that understand the importance of IT governance to their organization may not be quite sure how IT governance fits within the overall governance structure.
While this depends heavily on the company’s approach to IT governance (discussed below), board members should first assess how they are currently performing the types of governance described in this section in order to develop a more targeted IT governance strategy.
Because IT governance touches upon both operational governance and security governance, understanding those systems of oversight will create a clearer picture of how information technology and communications fit within them.
As mentioned above, the overall governance framework is everything that businesses put into place to ensure sustainable and responsible oversight over their operations. The point is to ensure long-term value creation and steering.
At the board level, governance establishes oversight over internal and external performance measures. It implements monitoring and control mechanisms for all operations within the organization. IT governance should fit seamlessly within that structure depending upon the enterprise’s overall orientation toward risk and approach to governance.
IT isn’t just about security. It also provides enterprises with a competitive edge in communications and operational efficiency. The latter is precisely why oversight of IT initiatives should integrate with overall governance.
However, security risk is a big part of why IT governance is necessary. Effective security governance aligns the goals of an overall corporate strategy within the context of an information security environment. It works to reduce security risk to a level that is tolerable or acceptable to the company as a whole.
Security governance is not always on the defensive. It also generates value by increasing the company’s reputation for information security, maximizing brand loyalty among customers and clients, and improving the overall trustworthiness of the enterprise.
Oversight over corporate security requires strategic resource management. It aims to ensure that infrastructure and capital are being deployed to keep information secure both within the organization and as it flows into and out of the organization.
As with all effective governance, security governance defines performance metrics for information security. It also establishes ongoing monitoring and documentation of key processes. Documentation is an especially important part of security governance because it enables the detection of risk and the application of effective countermeasures when security vulnerabilities come under threat.
Security governance provides the foundation for an effective IT governance strategy because it is so closely aligned with the company’s information security strategy and risk exposure.
This type of governance offers a set of clear responsibilities, principles, policies, and practices that can be leveraged by the CIO or IT governance expert to establish strategic goals for IT governance. From there, the IT governance committee or expert can work to ensure that the company is managing IT risk and responsibly deploying its IT resources.
IT governance is more difficult to define than security governance because it touches upon so many areas of organizational effectiveness, but there are a few angles from which to understand it and its importance.
Information technology manages both the business’s information — including internal records and customer/client information — and the technological frameworks through which that information is communicated, stored, and safeguarded.
The scope of IT governance covers how decisions about information and technology resources within the company are made, who has the authority to make those decisions, and how those decisions are implemented throughout the organization. It also concerns how resources are allocated for IT projects, and how the enterprise will adopt a strategic stance in regard to its IT capabilities to become or remain competitive.
The goal of IT governance should be a strategic focus on the requirements for continuous operation. It should be concerned with meeting competitive objectives based on the individual enterprise’s orientation toward risk and market viability. It entails the steering and monitoring of the company’s IT resources to ensure consistent and ongoing alignment with the business’s corporate vision and strategy.
Regardless of whether the enterprise has a centralized or decentralized IT structure, an effective IT governance strategy creates a framework and defined targets for configuring IT resources. These targets should include hardware, software and processes to guide the management of these resources in alignment with the overall company vision.
Four Approaches to IT Governance
Company size, industry and competitive landscape play a role in how a board governs IT activities. However, two main factors determine the appropriate level of board involvement in IT decisions.
The first is how much the company is operationally dependent on seamless and secure technology systems, or “defensive” IT. The second is how much the company gains a competitive advantage through IT systems that provide new value-added services and products to customers, or “offensive” IT. Within these two main orientations toward corporate information technology and technological risk, there are four approaches to the board of directors’ involvement.
Depending on where organizations fall in relation to these orientations to technology, they can either consider technological governance a routine matter or a vital asset that requires intense board-level oversight.
Defensive IT focuses on operational reliability over beating out competitors through innovation. This risk orientation prioritizes keeping IT systems running smoothly over gaining competitive advantage through emerging technology. A defensive IT orientation guards against malware and service interruptions, and works to keep technology costs low.
For companies with both a relatively low need for technological reliability and strategic IT, most decision-making around IT will support employees’ activities.
Enterprises that operate best with a support approach to IT governance can withstand repeated service interruptions of up to 12 hours without serious consequences to their bottom lines. They don’t require high-speed internet response and run core business systems on a batch cycle, with most error correction and backup work done manually.
Reversion to manual processes is always an option for these companies, so the technological risk is already kept at a minimum without too much interference from the board.
In this kind of technological environment, it makes the most sense for the existing audit committee to review IT operations. However, if the board decides to be more aggressive in using technology to compete, the company’s stance toward IT governance might transform into an offensive IT turnaround approach.
Companies that aren’t focused on cutting-edge technology but depend heavily on reliable systems require a higher level of board involvement in IT decisions.
These companies resemble factories because, if the IT conveyor belt carrying operations forward breaks down, production stops. Most of their core business systems are online. If systems fail even briefly, they suffer an immediate loss.
Because business continuity is critical for enterprises in this category, regular board oversight ensures that disaster recovery and security protocols are in place.
Offensive IT prioritizes strategic issues over or alongside reliability. Compared to defensive IT practices, offensive IT is more proactive and ambitious. However, it is riskier and often brings a substantial organizational change in order to compete.
As a result, offensive IT requires considerably more resources than defensive IT and necessitates more intensive board involvement with IT decisions at all levels.
For enterprises undergoing strategic transformation, new technology is often the cornerstone for change. When adopting new systems, the need for reliability to maintain the old system drops, and resources are channeled to reengineering efforts.
Turnaround mode requires significant levels of board oversight to ensure that major projects adhere to schedule and budget, especially when competitive advantage is at stake. Once transformation efforts are completed, companies typically shift to the defensive IT factory approach or the strategic approach outlined below.
Companies with considerable competitive pressures place a huge emphasis on total innovation. Both marketplace approaches and daily operations are driven by new technology. For firms adopting a strategic approach to IT, reliability and development are equally important and the IT expenditures are large.
As with a turnaround approach, board-level governance is critical for firms with a strategic approach to IT. These organizations should have a fully formed IT oversight committee with at least one IT expert serving as a member.
How To Conduct Board-Level IT Oversight
Once your organization has identified its approach to IT solutions, you can then determine what kind of IT expertise you need on your board. As outlined above, firms with a defensive orientation to IT may concentrate IT oversight within the audit committee, whereas companies on the offensive often require an independent IT governance committee.
Depending on the company’s approach to IT governance, the responsibilities of the board to provide oversight will shift. Those shifting responsibilities are outlined below.
Inventory Assets (All Approaches)
In all kinds of companies, the board needs to understand the overall IT architecture and the importance of asset management strategy. Board members should be familiar with supply chain steps and know what kinds of hardware, software, and information the firm owns. Knowledge of these will help them determine whether or not IT investments are providing adequate returns.
Intangible IT assets are much harder to inventory than physical ones. For most companies, though, intangible assets will be the most valuable and most critical to business operations.
Board members should educate themselves about available information resources, their condition, and their role in generating revenue. They should also ensure that senior management understands these details of IT infrastructure and that employees can use IT systems efficiently and effectively.
Assure Security and Reliability (Factory and Strategic)
For companies with factory and strategic approaches to IT, boards should conduct regular security and reliability reviews. The aim here is to prevent service interruptions from derailing operations. Rather than wait for a crisis to prompt oversight, boards should adopt a proactive approach to assuring security and reliability of IT systems.
Security is an increasingly important — and progressively expensive — concern for large companies. A cyberattack or service interruption can cost an organization millions in lost revenue. To protect the bottom line, boards need to ensure that management is constantly monitoring and protecting against security breaches.
Power failures and natural disasters also pose significant risks to continuing operations. IT governance is needed to ensure that backup systems are continually tested and that services remain available even during routine maintenance. Board oversight can ensure that these reliability measures are in place to prevent losses in the event of a system component failure.
Avoid Surprises (Factory, Turnaround and Strategic)
Surprises that occur as a result of IT projects are often costly. Usually, they result from ineffective project management. The board plays a role in ensuring that careful and effective project management is in place and that key decision points receive the appropriate attention from senior management.
Boards are also instrumental in negotiating adequate service level agreements (SLAs) with vendors or clients for outsourced IT operations. These agreements should have explicit terms, deliverables, and responsibilities to help avoid serious project management issues. They should also guarantee that the needs of all enterprise teams are met to prevent problems that arise from siloed interests.
Other surprises may surface when companies build on top of legacy IT infrastructure rather than replacing it with new technologies. IT governance committees make important decisions about whether it is in the company’s best interest to maintain legacy systems or replace them to avoid misinformation during future operations.
In most cases, replacement is the most sustainable strategy. However, a well-informed IT governance committee should properly weigh the need for seamless data integration against the organization’s budget and maintenance priorities.
Maintain Legality (Turnaround and Strategic)
There are many intellectual property issues in the IT space. Companies need to tread carefully or face legal issues.
Board members need to stay abreast of the potential for intellectual property disputes involving IT and to bring in legal counsel when appropriate. This can be a particularly daunting area of IT governance for board members, many of whom face a confidence gap when it comes to IT knowledge.
The enterprise IT space features rapid change, complicated subject matter, and highly technical language — making it a challenging area for board members to develop familiarity. Yet, the legal and financial implications for lax or ineffective IT oversight are enormous. Board members will need to take steps to overcome this gap and know when to recruit legal expertise.
Look for Threats and Opportunities (Turnaround and Strategic)
For all the work that an IT governance committee does to ensure continuous operations and development within an organization, one of its most important jobs is to look outside the company. An IT governance committee should always be on the lookout for cutting-edge technological opportunities and market trends, as well as competitive threats.
The CIO and board-level IT experts should regularly share information about new products and applications entering the market. They should monitor firms in other industries and study how they use technology to lead.
New information gleaned from these practices can be evaluated against the company’s current operations to find new opportunities for advancement. For example, any processes that are currently performed manually have the potential for automation and increased quality of service.
At the same time, IT governance teams must vigilantly track technology-borne competitive threats. This requires benchmarking and gathering intelligence from competitors. The aim is to avoid being blindsided by competitors’ advancements in products and services.
The need for extensive and continuous access to news and insights related to corporate IT may make it necessary to bring a monitoring tool on board. Using a product like this ensures that your organization doesn’t miss out on critical, actionable data.
Overall, what’s most important is that a well-informed IT governance committee stays abreast of new malware and data security threats that may affect the organization. It’s the best way to safeguard against them. The best defense is a good offense when it comes to phishing, DDoS, or other cyberattacks. With this in mind, the board should ensure that a proactive strategy is in place to combat these malicious threats to data integrity.
Building the IT Governance Committee
There are three steps to creating an IT governance committee:
- Select the appropriate members and the committee chair
- Determine how the group will work with the audit committee
- Prepare the charter
The first two steps are especially important to the overall functionality of the committee.
The relationship between the IT governance committee and the audit committee should be a close one. IT issues can affect economic and regulatory matters, so one audit committee member should also serve on the IT oversight committee. The IT committee’s charter should explicitly describe its relationship to the audit team — as well as its organization, purpose, oversight, responsibilities and meeting schedule.
Committee Chair Candidates
Once you have determined that your organization requires an IT governance committee to provide board-level oversight of IT operations and decision-making, how do you select the chair of the committee?
For companies with support, factory, or turnaround approaches to IT, the chair doesn’t need to be an IT expert. However, they should be at least an IT-savvy senior manager who has demonstrated the use of IT to gain a strategic advantage in another organization. For enterprises with a strategic approach to IT, an IT oversight committee should be in place and chaired by an IT expert.
Committee Member Candidates
As with audit and compensation committees, the IT governance team should be made up of independent directors.
At least one member of the committee should be an IT expert who operates at the senior management and board level. Their role is to challenge entrenched thinking about in-house operations without talking down to board members. Rather, the IT expert should be a skilled communicator with experience working within technology-averse cultures. They need to be able to reframe challenges and difficulties as opportunities and unite focus around the big picture.
The IT expert is the person within your organization who can address the board’s confidence gap by educating fellow board members. Their explanations should make IT problems and opportunities approachable and easier to handle. It is the IT expert’s role to bring knowledge and information to the board and share it with fellow board members in a way that can be understood and appreciated.
At all costs, the IT expert should avoid too much technical jargon. Conversations around IT strategy are less likely to be productive when they are weighed down by technical details. While a firm grounding in technological knowledge is necessary for success, the IT expert also needs a rich and holistic view of the enterprise and its systems architecture.
To advance the firm’s economic outlook, the IT expert should have a thorough understanding of the underlying dynamics that govern changes in technology as a whole. Think of the IT expert in this situation as the counterpart to the certified financial expert on an audit committee. They serve much the same function.
Ideal IT Expert Candidates
A chief technology officer (CTO) or CIO might be a great fit for this role. An IT consultant could also be a good candidate if a skilled, business-oriented technology strategist is difficult to recruit. You may consider a divisional CEO or COO who is actively managing IT, as well.
A manager who has served in an influential technology company can also help a company understand its own IT approach. A professional like this may help you embrace emerging technologies and bring in other experts to inform the firm’s IT culture.
Establishing IT Governance From Day One
Whether IT governance is centralized in a board-level committee or not, the governing entity must play a key role in shaping effective IT practices. They should regularly interface with the bodies responsible for IT risk, compliance and security management. The point is to identify, define and structure these relationships in the context of the organization’s overall vision and strategy.
What Comprises Effective IT Governance?
Aspects of effective IT governance that the committee will need to implement from day one include:
- A comprehensive IT strategy that aligns with the company’s goals and business targets
- A framework for a managed, structured, and well-maintained information security management system that ensures all IT activities map back to the organization’s security management strategy
- Investments in information security that are calibrated to the company’s exposure level and context
- Identification of existing and potential regulatory requirements that may affect compliance
- Analysis of situational, market and stakeholder forces that could potentially impact information security
- A clear definition and delegation of roles and responsibilities around information technology to ensure that various functions are entrusted to the most appropriate people
- Firmly established internal and external communications channels
What Should Be the Focus of IT Governance Committee Meetings?
The charge of the IT governance committee or board-level expert will be to answer the following strategic questions on an ongoing basis:
- What are the major factors influencing information security for the enterprise?
- Does the IT governance committee have access to the relevant information and resources it needs to be effective?
- Is the information updated and communicated regularly?
- Does it reach outside the company to include technology industry developments and competitive market analyses or is only internal data available?
- Are all relevant stakeholders aware of any external regulations that may affect the company in relationship to IT operations?
- What team handles compliance issues?
- Does that team have the necessary knowledge and expertise to understand IT compliance?
- For companies that operate internationally, is there sufficient expertise at the board level to understand how IT compliance and security issues change across borders and cultures?
- How will effective governance practices and principles be documented to ensure continuous oversight?
- What formal governance processes are in place, and how will the committee fit into that structure going forward?
IT Governance as a Responsibility and a Strategy
Regardless of the particular approach a company takes to the combination of information technology and the board of directors, top-level commitment is critical to success. Board engagement with IT oversight is crucial. Board members and senior managers must understand the organization’s IT approach and impact to gauge their involvement in IT decision-making and processes.
Effective and comprehensive governance strategies can help an enterprise achieve a harmonious balance among corporate culture, operational principles and processes, and the actual organization structure and practices within the company. Having an IT governance plan in place adds information security and technological infrastructure into this mix while continuing to touch upon important areas of governance like IT security, risk and operational efficacy.
Consistent Recalibration and Constant Accountability
Because IT approaches change as companies grow and face new challenges, board-level governance will need to constantly recalibrate to determine effectiveness. Top-level managers must be accountable for technological risk, project expenditures, and return on investment from IT. The more the board understands the need for oversight, the more an enterprise can maximize its efficiency and effectiveness.
There is no such thing as too much accountability when it comes to IT. In fact, increased accountability and oversight confer several advantages on businesses. They reduce the siloing of teams, helping to streamline operations and the allocation of resources. They also allow board members to assess risks and opportunities, especially those related to IT projects and information security.
Transparency and Alignment Improvement Through Tools
Board-level governance of IT initiatives ensures continuous alignment with enterprise vision and goals, as well as industry-wide regulations and requirements. It also allows relevant IT information and priorities, like email security threats and issues of compliance, to be communicated through all channels within an organization. The transparency ensures strategic coordination at all levels.
To support your board’s IT governance initiatives, consider leveraging tools that can support insight and analytics for technological oversight within your firm. Diligent, a leader in governance technology, provides insights and analytics to help your board uncover risk and opportunities both in and out of the boardroom.
With so much data and so many moving parts to IT governance, being able to monitor corporate and industry news to identify risks and opportunities is one of the keys to success in the enterprise technology space.
Diligent Insights and Analytics: Personalized Governance Intelligence
Diligent Governance Intel Software provides comprehensive monitoring that allows you to track companies, competitors, topics and industries that are critical to you and your organization. With National Association of Corporate Directors (NACD) data, you also enhance your board recruitment efforts with real-time, data-driven executive profiles.
In a fast-evolving business environment, boards need the right technology infrastructure in place to meet governance challenges at all levels. With Diligent, boards gain a competitive advantage. They’re able to improve governance with the analytics and insights needed to head off risk, act quickly when opportunities arise, and turn information into action.
Diligent’s products are also backed by the world’s leading security standards. You can be sure your data is protected. They are available across devices and operating systems, ensuring ease of use and an intuitive user interface (UI) that can seamlessly integrate with your board’s existing processes and tools.
Do you have additional questions about information technology and the board of directors? If you’re looking to improve your IT governance strategy, Diligent can help. Refine and enhance your organization’s collaboration, productivity and security processes — contact Diligent today.