‘The board of an organisation is required to understand the strategic importance of IT, assume responsibility for the governance of IT, and place IT governance on the board agenda.’
By Marius van den Berg
This first principle in Chapter 5 of the King III code is central to the governance of Information Technology (IT), yet many organisations are wrestling with reporting to the board on IT in such a way as to enable the board to exercise appropriate oversight.
In this article, I explore some of the aspects of IT governance in an attempt to demystify IT board reporting.
MEETING AND MANAGING THE REQUIREMENTS OF IT BOARD REPORTING
IT is an essential aspect of virtually all organisations, managing – as it does – the transactions, information and knowledge required to initiate and sustain a business. Owing to its nature as an integral part of the business, it is crucial that the board understands the strategic importance of IT and assumes responsibility for the governance of IT. In line with the expectations of King III, it has become necessary to place IT governance on the board agenda. This is easier said than done, however.
Providing an effective and integrated IT report is not that simple, as any such report needs to answer the questions that are relevant to the board. For example, the board may require assurance over IT risks. This would require the report to cover the process followed to identify the IT risks, the top IT risks, and how these are being mitigated. All of this must be done within the context of a clear understanding of the IT environment and how it connects with the strategic and operational elements of the business.
In addition, such a report needs to be ‘business understandable’ – it cannot be overly technical. In line with King III demands for integrated reporting, it also cannot be a stand-alone report. For example, while it may be important for a portfolio manager to be made aware of which IT projects are behind schedule, the CEO would more likely want to know about the performance of specific mission-critical projects.
Another aspect to keep in mind when preparing the IT governance report for the board is the specific relevance of IT to the business. In a not-for-profit company, for instance, IT may only be seen as a support function, meaning that the board only needs to know if the systems are functioning effectively. On the other hand, in a financial services organisation, where IT is a genuine innovator for the business, the board may have other concerns. These could include system availability, the development of new online products, and the mission-critical projects that can deliver a competitive advantage.
In addition, it should be noted that boards should not only look at the IT report once a year. They should be given regular reports covering all major aspects of the IT environment at various intervals, culminating in an integrated report at year end.
In order to develop an effective governance report, a four-step programme could be followed: diagnose; design and develop; implement and deploy; and sustain and enhance.
Creating an effective report is an ongoing process that can be expected to take significant time. In order to understand exactly what the board requires in terms of an effective IT report, it will be necessary to enter into discussions with the board about what its members believe they need to know about IT within the business.
Additionally, it is crucial to understand the maturity of your company’s IT governance environment (‘diagnose phase’), in order to identify areas for improvement. Once these are identified, you can move on to the next step, which is ‘design and develop’.
IT governance must always follow business governance; it is not something that can be done in isolation. Obtaining the relevant information for the report is dependent on a number of factors – there is no ‘one size fits all’ answer. While a business in the financial services sector will likely be very formal and structured – and therefore obtaining relevant information will be reasonably simple – in a more informal entity there may be less structure and the information will not be so readily available.
In designing and developing the report, one must always respect the chain of command and the various governance structures that the information needs to be taken through. Also, not all the relevant information will necessarily be available from the outset. Nonetheless, start with what there is and be aware that it is a long-term iterative process to develop the ideal report.
Developing the process should be treated like any other project: milestones must be set, an owner who is responsible for the report named, and it should form part of routine reporting structures. In other words, IT board reporting should never be viewed as something that is just tacked on after the fact.
UNDERSTANDING AND ALIGNMENT
It is crucial to remember that part of the aim of this report is to help to overcome some of the implicit trust issues that tend to exist between business and IT, in order to reach a point where the two areas are closely and effectively aligned. It is also about ensuring that the board is kept aware – technology-wise – of what is coming down the line and what it will take to remain with the technology curve. After all, no board likes being told out of the blue that a multimillion rand capex project suddenly needs to be implemented.
When it comes to the ‘implement stage’, it is always important to remember to align the emphasis of the report with the key overall agenda themes of board meetings. For example, for a board meeting held at the beginning of the financial year, the report should perhaps focus on emphasising the alignment between business and IT and strategic matters. For the end of year meeting, it could rather focus on IT’s performance compared to the goals that it was set together with some forward-looking information.
Finally, the ‘sustain and enhance’ stage requires a continuous process to improve performance management and IT reporting. The compiler must also regularly account for new circumstances and has to remain focused on striking the balance between historical, proactive and predictive reporting.
MINIMUM IT BOARD REPORTING
Compiling an effective board report is more of an art than a science, since it is a dynamic and ever-changing thing that one needs to improve continuously. Bearing this in mind, along with the fact that every organisation is required to apply the King III code, board reporting should initially address the following areas as a minimum:
- IT governance framework: The board needs assurances that there is a framework in place that is used to guide and track the implementation of IT governance. Such a framework could be used to highlight maturity levels of IT governance within the organisation as well as demonstrate progress or changes in desired maturity levels over time. There are multiple IT governance frameworks in use and not one will be a perfect fit for your organisation. Choose an existing framework and adapt it to your needs.
- Strategic alignment and IT’s ability to transform the business: Obtaining optimal IT and business alignment is arguably one of the most challenging tasks for the chief information officer (CIO) to achieve. The IT function can play an important role in helping organisations adapt and thrive. By aligning their teams with the needs of the business, CIOs can provide strong strategic and operational support. To exert such influence, CIOs may have to reach board-level positions and develop a wider set of skills, including spending time outside IT. In addition, IT also has to consider its most appropriate role. In some cases – particularly for larger, global organisations – senior management may expect IT to provide innovation and transformation, whereas in certain smaller organisations the emphasis could be on a more basic service, to keep costs down and serve daily operational needs efficiently. Typically, IT fits into one of four broad categories:
  - Utility: Where its main purpose is to keep the business running
  - Protector: Where it is primarily concerned with managing the IT estate
  - Performer: Where it is expected to deliver tangible value to the business, and
  - Transformer: Where the function transcends day-to-day operational needs to help bring real change
  To advance from a more basic utility/protector function to that of a performer/transformer, IT should better understand the needs of the leadership team and work with senior management to help the business gain a competitive edge. The board should understand the role IT is expected to play and how effectively IT and the business are aligned.
- Significant projects (business cases, benefits realisation and risk): The Standish Group has performed research on system implementations since 1994 and publishes an annual report on the results of these surveys, called the Chaos Report. More than 60 000 projects were tracked. Projects were classified as successful, challenged or failed. The Chaos Report for 2012 highlights that 18% of all projects fail, 43% are challenged, and only 39% succeed. Even more disturbing is that, on average, 59% of projects experience cost overruns, 74% experience time overruns, and only 69% deliver the originally scoped functionality. Project success is therefore rare. Large, complex and high-risk programmes should have board visibility and can benefit from independent programme assurance and oversight.
- Value of IT (value for money, value add, value creation): The continued spend on IT, despite the economic slowdown, suggests that organisations acknowledge the IT function’s potential to bring value beyond a more utilitarian role. As companies move from simple cost reduction (the value for money mind-set) to cost optimisation, IT can help create a permanently lower-cost business model (value add). One valuable contribution is to provide accurate, up-to-date data and analysis. This enables sales and marketing teams to identify and focus on higher margin brands and customers (value creation). To achieve these gains, IT needs to engage closely with the various business areas to obtain a broad picture of costs across the business and the value it provides should be tracked and reported on.
- Performance of IT and resource management: It is very difficult, if not impossible, to measure or improve performance if there are no measurement criteria in place. IT functions should identify measures that are appropriate given the nature of the function. Different teams will have their own dashboards, and the CIO’s dashboard will roll up the performance measures that directly link to the CIO’s goals for the organisation. Feedback should be provided periodically to the board on the performance of the IT function and the management of its resources. Boards are not, however, interested in operational detail; rather, they need to know that the structures and processes are in place to manage the performance of the IT function effectively.
- Business continuity planning (BCP): BCP is working out how to stay in business in the event of disaster. Typical incidents include local events like building fires, regional incidents like earthquakes or floods, or national incidents like pandemic illnesses. Any event that could cause the potential for loss of business should be considered, such as loss of source of supply, loss of critical infrastructure, or the results of theft or vandalism. As such, risk must be incorporated as part of BCP. Periodic feedback should be provided to the board as to the existence and effectiveness of the organisation’s business continuity and disaster recovery capabilities.
- Mitigation of IT risks, including information security: Traditional security models focus on keeping external attackers out. The reality is that there are as many risks inside an organisation as outside, including mobile technology, external storage devices, cloud computing, social media, and employee sabotage.
Information security should be strategically aligned with the broader business agenda and based on an organisation’s risk tolerance. Advances in technology have created access to information that is far too broad for barricades. Instead, companies need to learn how to embrace change securely. An integrated security approach can help organisations build a programme that enhances trust with customers, vendors, business partners and employees – in a way that is cost-effective and sustainable.
Boards should have visibility of the organisation’s respective IT risk and information security profiles, and the strategies to mitigate these.
In recent years, the role of IT has been changing – in some cases radically. Rather than being seen merely as a utility, the function is increasingly expected to come up with innovative business improvements. Post-recession organisations inhabit a very different global economy and IT has a vital part to play in supporting change and growth. With competition increasingly being shaped by a number of macro-economic factors, IT leaders have to understand the dynamics of this ‘new normal’ and work closely with business to address the challenges and ensure that IT, as such a critical business asset, is governed effectively.
In this article, I have explored the aspects of IT board reporting that will ensure that boards are provided with the comfort that IT is governed effectively. I have also stressed the incremental journey and the importance of speed.
This can be summed up in the following fable: ‘Every morning in Africa, a gazelle wakes up. It knows it must outrun the fastest lion or it will be killed. Every morning in Africa, a lion wakes up. It knows it must run faster than the slowest gazelle, or it will starve. It doesn’t matter whether you’re a lion or gazelle – when the sun comes up in Africa, you’d better be running.’
What is the status of IT governance in your organisation? Are you running yet?
Carr, Nicholas G. IT doesn’t matter. Harvard Business Review, May 2003.
Ernst & Young. Innovating for growth: IT’s role in the new global economy, 2011.
Ernst & Young. Borderless security: global information security survey, 2013.
Ernst & Young. Information security in a borderless world: time for a rethink, 2011.
Forrester. The state of IT governance, Q4 2010. Available at https://www.forrester.com/The+State+Of+IT+Governance+Q4+2010/fulltext/-/E-res57510.
Forrester. The business contribution of IT: metrics that matter. Available at www.forrester.com.
Gartner. South Africa’s King III report sets a new standard for IT governance. Available at https://www.gartner.com/doc/1283623/south-africas-king-iii-report.
Institute of Directors in Southern Africa. King report on corporate governance in South Africa (King III report). Available at http://www.iodsa.co.za/?page=KingIII.
IT Governance Institute. Board briefing on IT governance, 2nd edition. Available at http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Board-Briefing-on-IT-Governance-2nd-Edition.aspx.
IT Governance Institute. Global status report on the governance of enterprise IT (GEIT), 2011.
IT Governance Institute. Measuring and demonstrating the value of IT. (IT Governance Domain Practices and Competencies Series.) Available at http://www.isaca.org/Knowledge-Center/Research/Documents/Measuring-and-Demonstrating-Value-of-IT_res_Eng_0310.pdf.
Kearney, A T. The 7 habits of highly effective IT governance: powerful lessons in transforming business and information technology, 2008.
Sward, David S. Measuring the business value of information technology: practical strategies for IT and business managers. Intel Press, 2006.
The Standish International Group. Extreme chaos report 2012. Available at https://secure.standishgroup.com/reports/reports.php.
Weill, P and Ross, J W. IT governance: how top performers manage IT decision rights for superior results. Boston, Mass: Harvard Business School Publishing, 2004.
Weill, P and Ross, J W. IT savvy: what top executives must know to go from pain to gain. Boston, Mass: Harvard Business School Publishing, 2009.
The article has been adapted from an article that first appeared in the Juta Corporate Report, Journal 1 Issue 2.
Author: Marius van den Berg CA(SA) is a director at EY.