Competent monitoring of IT initiatives by the directors of a company is becoming ever more necessary as information management assumes a more crucial role in the company and corporate governance comes under the microscope following high-profile scandals such as Enron.
Inefficient or failing IT is a legal risk to a business, lawyer Michael Wigley points out. Failure of IT systems may mean the organization can't meet its contractual commitment to customers, and directors could become liable. Security shortcomings could mean the loss of information or compromise of customer privacy.
Then there is the question of inadvertent virus transmission through poor controls, with damage to another company. This gave Wigley another chance to put up his example of failing to take due care over infection in a piggery; but he acknowledges that liability for virus transmission in IT is a more uncertain area of the law than it is in animal husbandry.
An IT manager should not be held to an absolute responsibility to be up with the latest fixes and precautions, he suggests, if the operation values the risk mitigation of staying away from the "bleeding edge".
Wigley and experienced CIO Jenny Mortimer outlined risks, strategies and appropriate lines of responsibility to a joint meeting of the NZ Computer Society and the Technology Law Society last week.
Directors can hardly be expected to know IT in detail and must to a great extent rely on the advice of their experts; this means the lines of communication between them must be good, Wigley and Mortimer note.
Recent guidelines on corporate governance published by the Institute of Directors discuss how direct the line between top management and IT management should be. "As a CIO, I preferred to report directly to the CEO," says Mortimer.
Frequently the line is an indirect one, through the chief financial officer. While this can give the CIO considerable influence, says Mortimer, it can give an undue emphasis to the cost of IT in top management's eyes. The power of the CIO is often a "power to say no", she adds.
The advisability of a committee of the board specifically for IT is another moot point. The IOD guidelines recommend such a committee when an organization critically relies on IT. Its function is to check that IT is aligned with business strategy and planning, and that staff have appropriate skills. At a minimum, a board committee should be established for a major IT project, the institute suggests.
A small number of companies overseas, including Novell and FedEx, have elevated responsibility for IT governance to their boards of directors in an attempt to ensure that they have high-level oversight of technology investments.