Most of the average company’s capital investment portfolio is tied to information technology, and organizations today can’t do without their information systems.
Meanwhile, the role of IT is expanding within and outside organizations; and with the extent of current global connectivity, the decisions of one corporation can affect many other enterprises.
Add to this situation the increased emphasis on corporate governance in the wake of scandals such as Enron, and the reasons are clear for IT to warrant greater attention from boards of directors.
- promote communication between top executives and IT personnel
- provide expertise in determining how technologies can improve competitiveness and bottom-line performance
- bring IT into senior management discussions
- provide ‘much-needed top-down leadership’
Boards can start by creating what I call the “next big thing” in IT: board-level IT oversight committees, which are much like the audit and compensation groups that are already part of most corporate boards. This level of attention helps ensure that top management and those in the IT organization are engaged in a continuous dialogue on technology issues, IT strategy, managing IT assets, service levels, legal issues, and technology risk.
At the same time, these committees are equipped to determine how emerging technologies can improve competitiveness and bottom-line performance.
Here are 10 questions that an IT oversight committee must ask and answer, divided into five key areas.
ASSET MANAGEMENT QUESTIONS
Is the company getting an adequate return from its investment in information resources? This is deceptively easy to state, but not so easy to answer. The committee must determine how benefits are achieved from IT investments and what kind of return is needed.
Do the firm’s professionals have the appropriate IT infrastructure and applications to exploit development of intellectual assets? While physical assets have largely taken on commodity-like characteristics, intellectual assets, such as knowledge workers, are becoming the primary source of competitive advantage.
Does the firm have established management practices to guard against obsolescence of IT human resources, hardware, and software and applications, especially legacy applications?
Does the company have adequate security in place to ensure the protection and confidentiality of its information assets? Specifically, can IT repel a hacker or denial-of-service attack? There’s a great deal going on in this area, which I expect to mushroom in the next year.
SERVICE LEVELS QUESTIONS
Does the company have management processes in place to ensure 24/7 service levels, including tested backups, such as for electrical power? A failure can happen even in the best-run IT operation; how can you recover?
Are processes in place to exploit discovery and execution of IT strategic opportunities?
Are processes in place to protect against a strategic jeopardy in IT? Strategic jeopardy arises from neglect and ignorance of the IT-enabled strategies of your competition. When the new competition hits, an at-risk company may not be able to catch up before critical market share is lost.
Is benchmarking a standard practice to ensure maintenance of the company’s competitive cost structure?
Are procedures in place to prevent costly lawsuits, including those arising from violations of software copyrights and patents and from non-adherence to licensing agreements? This issue is coming from everywhere today and can blindside a company. Pay especially close attention to third-party license restrictions for legacy and package software.
Are processes in place to prevent IT-based surprises from blindsiding senior management and the board? Such surprises can include millions of dollars in project cost overruns, lax internal controls in information networks, and legacy systems that are ticking time bombs.
In business, we have experienced an incredibly high rate of change over the past 10 years. During sustained periods of high rates of change, management controls are challenged and can fail to function correctly. You might observe such an occurrence when old systems and processes break down or when rapid change causes the failure of corporate checks and balances.
First came the accounting systems. After Enron had filed for protection under US bankruptcy laws, Jeffrey Skilling testified before Congress that he didn’t understand the off-balance-sheet accounting and had left this task to his accountants. Then, after WorldCom sought relief under Chapter 11, we learned that the company’s board did not have financial experts on its audit committee and that the audit charter actually stipulated that because no member of the committee was a financial expert, none of them could be held accountable for statements made.
Something similar could happen in IT. Too much is being left to the technical people and the CIO, and senior management is not sufficiently engaged in strategic IT decisions and scenarios, which — if they go awry — could put a company at risk. I foresee some disasters, and I hope that burdensome legislation, like the Sarbanes-Oxley Act in the US, does not follow them.
THE IMPACT OF AN IT OVERSIGHT COMMITTEE
My experience concerning the establishment of IT oversight committees is that the impact is almost immediate in bringing IT into senior management and board discussions. In one case, a board member identified an obsolete legacy system as the cause of a problem flagged in an internal audit report. In another case, the IT oversight committee was instrumental in involving top management and board members in a beta test of a strategic IT product. From this experience, top management identified several key usability problems, which resulted in the rapid response of marshalling the appropriate resources to correct the problems.
But most important is the impact of the IT oversight committee as it establishes an agenda to review and discuss the 10 oversight questions over the course of the year. Based on the agenda, the CIO works with his boss to prepare advance materials on these questions. The CIO and his management team then have the opportunity to engage in substantive discussion of the questions with oversight committee members, followed by further discussion with the entire board during the committee’s report-back process.
Someone must intervene, and the board of directors is in the best position to provide much-needed top-down leadership. Too many CEOs and boards have had their heads in the sand and have failed to understand the impact, and the risks, of IT strategic jeopardy and the strategic opportunities underlying IT. But shareholders and the public, especially in the US, appropriately expect far more from CEOs and boards. And the fact that today’s new investors are far more IT literate and savvy than the last generation bodes well for an enhanced understanding of technology at the board level. Establishing a board-level IT oversight committee is just another step in the right direction toward good corporate governance.