Opinion: It's time to take IT governance seriously

New Zealand needs more IT experience at board level, says Paul Matthews

Whether we as an industry like to admit it or not, we have a problem when it comes to how IT is regarded in the boardroom and at the senior executive level of many New Zealand organisations. However, this is not an IT problem; this is an overall corporate governance issue and the consequence of failing to understand technology deployments at board level is significant.

There are two important reasons successful companies ensure there is IT and IT governance experience at their board level.

The first is around efficiency, innovation and competitive advantage. Technologists understand the value a good business-aligned IT strategy brings to an organisation. Consider, for example, the increased business opportunities in being the first supermarket offering online shopping, or the airline providing full service online, or the increased yields from incorporating IT in farm or stock management. The possible scenarios are endless.

However, none of this is any good without IT vision and understanding at board level. Without a strong board driving IT strategy and supporting investment in technology, it becomes difficult for the CIO (if the company still has one, that is!) to deliver the sorts of improvements in efficiency, service and competitive advantage that IT can and does deliver.

And if the board and senior executive team have no understanding of this potential there are two possible outcomes, both equally disastrous. Either they under-invest in IT, often disestablishing the CIO role and moving it into a purely operational mindset under the CFO, or they “leave it to the IT guys” without any form of mandate from the board, or strategy or governance.

As a technologist you might think this second option is acceptable; however, companies have boards for good reasons: to provide organisation-wide strategy and oversight. Boards do not leave all financial aspects to the CFO or accountant, and they should not leave all IT aspects to the IT team either.

The second issue is around the legal, regulatory and ethical responsibilities placed on directors and boards, and this is often overlooked in New Zealand. Call this the “butt-covering principle” if you like.

Whether a company views IT as an investment or an expense, there is no getting around the fact that technology is expensive. Not just in terms of the cost to put it in place, but also the pay-off of driving a well-defined and superior IT strategy.

If you are a director, since 2008 there’s been a formal international standard (ISO/IEC 38500) that covers the corporate governance of IT. This means you could be found personally liable should things go pear-shaped, for not meeting your obligations as a director.

ISO/IEC 38500 sets out six principles for good corporate governance of IT, being Responsibility, Strategy, Acquisition, Performance, Conformance and Human behaviour. It also provides a framework of definitions, principles and a model for good governance of IT. It has a strong link to New Zealand, in that Wellington-based NZCS Fellow Alison Holt chaired the group that created the standard.

Conversely, if you’re a company director or CEO there is now an independent professional certification in IT in New Zealand called ITCP. And, if you don’t insist that the CIO and other senior IT executives are independently accredited under the ITCP programme and they are later found wanting, you could be held responsible by angry shareholders.

You probably, at least implicitly, insist that your company’s accountant is a CA, your lawyer is qualified and your builders and plumbers are certified; you would certainly be asking questions if you found out they weren’t. How, though, would you explain to your shareholders after one of your software projects went belly-up why you didn’t insist on the same from the person with overall responsibility for one of your largest assets – your critical IT infrastructure? Not a good position to be in.

So what to do about it? There are three options and the best strategy is to utilise a little from each of them.

Firstly, you really should ensure that a portion of directors in your company have a senior IT background or familiarity with IT governance principles, in much the same way you’d always ensure a portion had good financial credentials.

Secondly, ensure all directors have undertaken at least base-level IT governance training and have some experience of governance of IT. NZCS now offers low-cost courses covering the basics of IT governance and ISO/IEC 38500 suitable for non-IT people as well.

And thirdly, if IT is important to an organisation’s ongoing operations and especially if the board lacks depth in IT, ensure that the board has an independent advisor in the same way good boards have independent advisors in other areas providing financial and legal guidance.

IT can be a scary topic for those who have little IT understanding or background in the profession. However, it is time more local boards and their directors took their responsibilities in this area seriously, to allow more of our companies to reap the rewards of a well-executed and board-driven IT strategy.

To not do so provides significant unnecessary risk for both the company and its directors.

Matthews is Chief Executive of the New Zealand Computer Society
