A discussion of information technology rarely makes it on to a board meeting agenda. While the reasons for this may be understandable, these authors argue that directors need to grasp IT’s role in their company’s success and to discuss that role as they would general strategy or a merger or an acquisition. In this article, they develop several suggestions for how directors can understand and discuss IT’s critical importance.
Businesses today are very dependent on information systems and technologies because of the growth of electronic business and IT-based supply chain management, as well as the fact that firms have to juggle a complex mix of in-house and outsourced projects.
In light of this, IT risks ought to be a critical concern for boards of directors: for example, the risk associated with higher levels of IT-related fraud and error; competitive issues relating to IT applications that the organization needs to stay ahead in the marketplace; and IT disaster recovery and business continuity. There is even the added risk of personal liability for directors who are found to be too passive in their oversight of IT.
Professional bodies such as the Canadian Institute of Chartered Accountants, the New Zealand Securities Commission and the IT Governance Institute maintain that boards of directors and management are adequately equipped to handle IT governance. They point out that IT governance requires the same skills that board members exercise in dealing with other forms of oversight: a strategic perspective, sound decision making, clear process formulation and leadership, along with the ability to ask the right questions.
The risks and opportunities IT presents, however, may require a level of technical insight that is often absent from the boardroom. A parallel condition often exists among senior management, especially in the case of extended companies operating in an increasingly networked economy. The net effect is that many boards are reluctant to deal with IT governance issues.
In order to better understand the relationship between boards and IT governance, we conducted interviews in 17 medium-to-large companies in 2003. To provide a sharp contrast, we selected eight corporations from the financial services sector (including several major banks) and nine from the primary resources sector (including forestry, oil and gas exploration, mining, and gas transmission companies). Our basic assumption was that the “information intensity” of financial services companies made it more likely that boards in this sector would exhibit more extensive IT oversight than boards in the basic resources sector. In each company, we interviewed the board chair (or a senior board member) and the most senior information systems executive (often, but not always, the chief information officer). The firms we studied were all based in Canada, and most have global operations.
Boards and Information Technology
Risk is the number one concern of all the boards in our study. This concern was strongest among boards in the financial services sector, where IT risks are typically handled by a risk and audit committee, and are occasionally tabled at full-board meetings. Issues such as serious outages, virus threats, hacker attacks, data integrity, catastrophic failure, business continuity, information security, the risk profiles of new investments, and even rogue-trader threats, are regularly reported to the full board.
In the primary resource sector, however, IT governance resides at the audit committee level. The resource companies in our study had never discussed the corporate IT vision (if their company even has one), or the planning, organizational structure or operational effectiveness of their information systems. Generally speaking, the full boards of these companies seldom, if ever, discuss IT, even though many of them have large IS departments and significant IT capital investments.
Boards in the resource sector reasoned that their comparatively low level of concern for IT governance resulted from their modest IT budgets in comparison to their corporate budgets and revenues. More importantly, they perceived their companies as having only a modest degree of operational dependence on IT. As one chairman commented, “If IT was completely out of commission for weeks, we would still be digging coal out of the ground, and we could probably keep track of things manually with a simple spreadsheet.” In effect, if IT collapsed, the inconvenience might be great, but basic operations would continue. Only IT investments of a very large magnitude (e.g., the decision to invest in an energy resource planning system) make the cut, and often on an information basis only. Said one CIO: “From my perspective, this is largely a defensive measure. If anything goes wrong with a very large project, I want the board to have heard about it from me first.” In this situation, the board is not being consulted for its input, but is simply being reassured that management is “on top of things.”
By contrast, financial services companies in our study are much more actively involved in IT governance. In these firms, IT capital investments often exceed 50 percent of their capital stock, and IT spending relative to revenues is higher than in the primary industry companies. Concern about IT risk exposure is universal in the financial services sector. For this reason, we expected that some of the companies, especially the large banks, would have established IT committees of the board. However, none had done so, and only one had even discussed the possibility.
Most financial services boards are concerned with making sure the company’s IT vision and IS plan are aligned with corporate strategic directions. A majority of these boards have also discussed the IT development portfolio, IT leadership, and such subjects as the structure and effectiveness of IT operations. Some of these boards have instigated IT benchmarking by outside consultants. On the other hand, board scrutiny seldom reaches the level of individual project governance, and then only when the investment is sizable and the application is critical to operations.
Still, even in the financial services area, some boards are surprisingly inattentive to IT governance. In such cases, boards often cede their oversight responsibilities to management, by hiring an IT “top gun.” This allows the board to feel confident that IT is in safe hands, and relieves it from further concern about the IT function.
Overall, even in the financial services sector, most boards seem to be passive receivers of information about IT as opposed to aggressive, proactive questioners. We saw little board-level concern about the company’s return on its IT investment, for example, or the appropriate level of IT expenditures. Similarly, there was little evidence of board discussions on whether IT is best centralized or decentralized, outsourced or handled in-house.
IT: Most boards “don’t go there”
The disinclination of boards to think about IT from the standpoint of competitive advantage (e.g., cost-cutting or revenue-generating) suggests opportunities are being lost. The example of FedEx is particularly instructive in this regard.
Through insightful IT investments in its logistics and supply chain operations, FedEx has become the world’s largest overnight package carrier. FedEx understands that the management of information, and not simply prompt and reliable parcel delivery, is the critical success factor in its value chain. The lesson here is that boards need to better understand the role of information in the corporate value chain and in supply-chain management. This doesn’t necessarily mean thinking “outside the box,” but understanding a great deal better what is inside the box. To improve its understanding of IT and focus on its systems, FedEx created an IT committee of the board that oversees major IT-related projects and technology-architecture decisions, and advises FedEx’s senior IT management team.
Improving directors’ knowledge of IT
Board members are invariably so busy they have little time for becoming computer-literate. (Strangely, many board members seem to think they are not in a position to debate and discuss strategic IT issues because they do not have an abundance of detailed computer skills.) We believe that by adopting a few simple measures, boards can sharply improve their effectiveness and performance with regard to IT issues.
1. Boards should consider having the CIO or equivalent attend board meetings regularly.
This will provide the double benefit of keeping the CIO or equivalent informed about “board thinking” while providing the board with a source of IT management expertise. Board members then have a real person to deal with regarding IT issues rather than a faceless department that may seem disconnected from the revenue-generating operations of the business. One CIO of a major company also spoke of the value of getting to know board members in informal settings. She said directors are often quite reluctant to raise IT issues for fear of embarrassing themselves in the presence of their colleagues, but in one-on-one situations outside the meeting context, board members have exhibited interest and enthusiasm about IT matters.
Once a year, the CIO should do a brief presentation to the board that explains the company’s IT vision and strategic plan for development. It is the board’s job to ensure the IT strategy is properly aligned with corporate strategic plans. In the course of our interviews, we frequently heard that “IS plans emerge from the plans of the operating units,” and for that reason are not discussed separately. Unfortunately, this reinforces the notion that the IS function has little potential for contribution beyond the role of providing service to the operating units. At the same time, this encourages board members to think they have no need to consider IT opportunities.
2. The CIO should be called upon to provide occasional brief information sessions to increase the level of IT understanding on the board.
These sessions should emphasize the business implications of particular technologies, and should avoid delving too deeply into technical details. In doing this, the CIO should play to the strengths of corporate directors, that is, their business acumen and experience. The information sessions should not be expected to produce immediate and valuable insights, but rather to create the kind of environment that will generate future ideas, as well as nurture directors’ confidence to raise and debate such ideas.
There is another benefit of having the CIO attend board meetings. The CIO’s attendance gives directors a “personality” they can get to know and discuss issues with, rather than a faceless department that, in directors’ eyes, consists of techies whose work has little impact on revenue-generating operations. In fact, one CIO in our study spoke of the value of getting to know board members in informal settings. She stated that because they lacked IT knowledge, directors are often reluctant to raise IT issues at meetings for fear of embarrassing themselves in front of their peers. Yet she found that, in one-on-one meetings, certain directors were willing to discuss IT openly and enthusiastically.
3. Recruit at least one director with an IT background.
We noted that IT management experience is seldom a criterion for appointment to a board. When a prospective appointee does have experience, it is often not seen as a valuable factor in the appointment decision. We feel this is a mistake because a board member with a deep knowledge of IT issues can be a focal point for dealing with IT concerns. Such an individual can play a valuable role on the board’s audit and risk committee, or on a separate IT oversight committee.
4. The board chair must see IT issues as being “worthy” of board consideration.
Short of a major IT disaster, this is only likely to happen after other changes occur. The three steps we have identified above need to come first because they will heighten the importance of IT in the minds of the chair and other members of the board.
In summary, emerging technologies and changes in the business environment are redefining the role of corporate boards with respect to IT governance. By asking the right questions, bringing senior IT management into board discussions and recruiting IT talent at the board level, boards can become much more effective in dealing with IT issues.