We act as an IT oversight function within the financial services sector, with a requirement to develop and present regular reports to the management team and board of directors on the status of information technology in their organisation.
Based on our experience of IT and voluntary membership of boards, once the phrase IT is spoken, many board members switch off; they are lost in the terminology, phrases, jargon and abbreviations involved.
To be honest, the odd time I have to ask what on earth XYZ means too.
Boards of directors are tasked with oversight of governance and with reviewing policies and procedures, which they are generally comfortable with, but with IT they may feel lost.
They understand that they need to have a simple understanding of the cost, complexity and consequences of Information Technology in respect to their business, and that these factors are continually growing and evolving as technology changes. In many circumstances, board directors are seeking a framework to help them develop IT policies that fit their companies well and assist them in their duties of overseeing IT departments and IT issues that could place the company at undue risk.
Information technology issues cause board members to sit uncomfortably in their chairs: threats from a cyber incident, loss of data, the costs involved in staying relevant to members’ and customers’ needs, and pressure from regulatory authorities to conform to new legal requirements, to name only a few.
Only board members who have a background or interest in IT can stay focused; others, from our experience and from talking to them, admit that they are often bamboozled by IT, its requirements, strategy, spend and its relevance to them. Many understand that the operations of the business depend on IT. Discussion points may be double Dutch if the conversation strays into technical issues (it should not at a board meeting) rather than focusing on the strategic issues relating to the organisation.
Lacking first-hand knowledge about how IT matters can affect the organisation or how best to mitigate the associated risks, many boards feel that the best they can do is to watch how other companies approach IT governance risks, learn from their efforts and respond by implementing strategies that they hope will serve the company well.
This relates to the level at which IT reports: is it to board level, the CFO, managerial or some other level? This level of engagement affects the clarity of IT to an organisation and the degree to which the senior management team and board treat or understand IT.
Working with credit unions, it is interesting to observe the reporting structure. We report into the manager / IT Committee, the IT Working Group and/or the Risk Committee, all of which are board-led committees and generally staffed with technically savvy people. This indicates the level of attention IT is given within credit unions; it is understood to be core to the organisation.
It shows a level of trust that boards allow us to guide them in terms of IT governance. They have, to the best of their knowledge, some understanding of IT governance fundamentals. However, without understanding such issues as IT risk, IT expense and competitive risk, boards are not able to fulfil their duties in overseeing IT efforts and risks.
Forming a board-level IT governance committee assists the CEO and senior officers in making better tech decisions and allows for a regular board briefing on IT governance. As a result, costly projects remain under control, which subsequently gives the organisation a competitive advantage. According to Richard Nolan and Warren McFarlan, who wrote an October 2005 Harvard Business Review article entitled “Information Technology and the Board of Directors,” the lack of IT knowledge on the part of board members put firms in a “dangerous situation” akin to failing to oversee their audit books.
According to the article written by Nolan and McFarlan, there is no one-size-fits-all approach to supervising corporate departments and overseeing IT governance matters.
In developing IT governance policies, board directors will need to consider the organisation’s operational and strategic needs, as well as keep a watchful eye on reviewing and amending their policies as the company’s needs and the impact of IT on the organisation change.
Questions to pose to the board of directors:
Are you comfortable with the Audit Committee having oversight of IT governance, and/or is it staffed with directors who are experienced in the area of IT relevant to your organisation?
Do you understand the strategic importance of IT and the reliance of the organisation on it?
Are there sufficient resources allocated to IT?
Are you comfortable in reviewing the IT Governance of the organisation and understanding the controls to mitigate risks of IT?
In closing, some boards may have a way to go in developing appropriate ways of overseeing IT governance.
We are here to help