If you think that some directors’ eyes glaze over when CEOs misbehave, you are right, but only partially so. According to these co-authors, many directors could care less or don’t even care a little about information technology. The consequences could be serious. Fortunately, a new breed of directors is emerging, one that recognizes the need to know about IT and how to leverage it to sustain competitive advantage and protect the company.
Powerful global forces are redefining the rules, responsibilities and activities of corporate boards. Corporate scandals and accusations of board dereliction have pressured securities regulators in many countries to focus more strongly on compliance-related issues. Boards and management have little choice but to respond to these new demands. Restoring and maintaining investor confidence through compliance trumps all other cards, at least in the near future.
But directors also need to remember the TSX’s March 2001 report which argues that establishing a value-adding culture, along with compliance, is critical in attending to shareholder interests. The report states that for boards to become truly valueadding, directors must be meaningfully engaged in both improving strategic options and bringing to the table ideas not considered by management. The value-adding culture implies that boards are no longer the oft-criticized passive sounding boards for management, but that directors must move to a higher level of intellectual engagement with the challenges facing the company.
In this new culture, directors are expected to more rigorously apply their attention to the various functional aspects of their business as they strive to add value-in other words, have less concern for “thinking outside the box” and perhaps greater concern for understanding what actually happens inside the box. In the opinion of some management gurus such as Don Tapscott, the management of information and its related technologies offers the greatest potential for companies to differentiate their products and services. For many boards, the “lowhanging fruit” exists in the realm of information systems and technology. But how prepared are boards to exploit this opportunity? Are boards properly positioned to add value, gain competitive advantage, or even use IT defensively to fend off nimble adversaries? What is the status of IT in today’s board?
To investigate these important questions, we interviewed board chairs and CIOs in 17 mediumto-large companies. Eight of these are in the financial services sector (including several major banks), and nine are in the primary resources sector (including forestry, oil and gas exploration, mining, and gas transmission companies). The firms selected are all based in Canada, and most have global operations.
The focal points of our study were:
- the board’s general level of attention to IT,
- the board’s attention to the vision, governance, plans and leadership of the IT function,
- the board’s view of IT’s potential for competitive positioning, and
- the board’s interest in risk, exposure and business continuance as it relates to IT.
We feel that these points serve as a useful barometer for boards that expect to add value through IT.
What we discovered
Board attention to IT
We were mildly surprised to discover that over half of the boards pay at least some attention to IT, however modest. That is, in reply to an open-ended question regarding IT issues that the board had reviewed, over half of the board chairs were able to recount such discussions. But broadly speaking, our interviews suggest that boards of directors — even in information-intensive companies in the financial services sector — spend remarkably little time exercising their oversight or providing their wisdom with respect to IT-related challenges. In spite of the fact that some companies spend half or more of their capital budgets on IT, considerations of IT rarely make it onto the full board’s agenda, formally or informally.
A board’s attention to the IT function
The information systems and technology function needs to have someone develop a proper vision of its role in the company. Does IT see itself as an important provider of competitive products? Does IT focus on information security or minimizing risk exposure? Or is the role of IT to minimize costs, employ proven technologies and deliver highly reliable operational services? An IT vision consistent with the overall corporate strategic directions is essential. Yet in spite of the significant investment in IT in some companies, and the vital concern of many boards for the company’s overall strategic vision, very few of the boards in either the financial services or primary resources sectors ever discuss or debate or even hear brief presentations on their company’s IT vision. In fact, only two of the boards among the 17 companies we visited had had any specific discussions regarding the IT vision in recent years. This is perhaps not surprising in companies where capital expenditures on IT are modest in relation to the total capital budget. Nor is this surprising in companies in which there is a low level of operational dependence on IT. But in the financial services sector in particular, where products are exclusively information-based and annual IT investments are substantial, we had expected that a periodic review of the IT vision — perhaps every two or three years — would be the norm.
We were also interested to determine the nature of the IT governance mechanism, if any? Do boards employ any formal or informal oversight function? Our interest was due, in part, to the fact that companies such as FedEx, Hewlett-Packard and American Airlines have determined that their information systems and technology are so important that they deserve a dedicated governance mechanism. These and other firms have established IT governance committees of the board. We found that none of our 17 boards had established such a committee, and only one had ever even considered the idea. To the extent that there is board-level IT governance, we found that it resides in the board’s audit committee in all but two of the firms we studied. The focus within audit committees is normally on issues such as internal auditing, financial processes, internal controls and financial statement preparation. Our respondents indicate that their audit committee agendas are generally very full, leaving little or no time for consideration of IT governance issues other than those that may impact the main financial auditing function. In effect, in most cases board members, even those on the audit committee, seldom come to grips with issues or opportunities that are created within IT.
Thus far we have seen that most boards never review the IT vision and that IT governance, such as it exists, is commonly relegated to the audit committee.
We were also interested in determining whether boards ever consider their company’s strategic plans for information systems, and specifically, whether they discuss the alignment of the systems strategic plan with that of the overall organization. Our interviews revealed that in most cases, neither of these issues is ever expressly considered by the board. More commonly, however, elements of the IT plan emerge in the context of a discussion of the overall strategic plan, and in particular during the presentation of plans by other company units. In fact, in a number of cases it was stressed that the board thinks only in terms of the overall strategy for the organization and not that of its individual components.
Selecting and grooming senior executives is often a concern of the board or perhaps a human resources committee. We were interested in whether the boards in our two industry sectors were involved in either the hiring or career development of the chief information officer (CIO). We learned that most boards do not feel it is necessary for them to become directly involved with the CIO unless that CIO is a vice-president. In the case of one major financial institution, the board was directly involved in hiring an individual referred to as a “top gun.” In fact, the apparent lack of time spent by this board on IT issues led us to infer that hiring a highly experienced IT professional was the board’s solution to governing this critical function: recruit someone in whom you have a lot of confidence and let that individual run it. Overall, the boards in both sectors gave no special attention to selecting the senior IT executive, nor were they particularly concerned with the issue of IT succession.
The board and IT’s potential to affect competitive positioning
While we had not expected to find that directors would normally be concerned about “bread and butter” operational aspects of the company’s information systems, we had expected that some boards would be interested in the potential for information systems to enhance the company’s competitive position. To our surprise, only two of the boards in our study had ever discussed the competitive advantage conferred by their technology or systems, even where their entire product line was entirely information-based. One director commented that IT is very much like accounting in the sense that, while it is very important to the smooth running of the organization, board members do not regard IT as a strategic weapon. Another commented that “you can’t create competitive advantage with IT, but you can use IT to avoid competitive disadvantage.” In other words, boards are not asking the question, “How can we become more competitive using IT?” but rather, “What do we need to do to avoid falling behind?” These boards are focused more on tracking their competitors and maintaining a capability for quick reaction, rather than seeking to innovate and push boundaries, essentially being reactive rather than proactive.
The board’s attention to risk, exposure and business continuance
In IT, risks come in many different forms, including virus infections, system outages, hackers and cost overruns. We wondered whether boards would perceive such risks as sufficiently important to warrant spending board time on them. We found that, generally, the full board is highly unlikely to discuss IT risks specifically, though such risks are often a concern of audit committees, especially in the financial sector. The challenge for boards of directors is not so much to prevent accidents as it is to ensure that management has enabled the company to operate if disaster occurs. In board parlance, this is often referred to as the challenge of “business continuance.” In general, the financial services companies expressed a far stronger concern about business continuance in the face of IT disasters than did the primary industry companies. Nevertheless, in both sectors this challenge is most likely dealt with by the audit committee rather than by the full board.
What’s wrong with this picture?
Our study led us to conclude that boards in general today are poorly positioned to embrace a “valueadding” role for IT. Boards generally do not have a lively interest in IT, they do not demonstrate a focused interest in IT, nor do they see IT as playing a significant part in assisting in the competitive positioning of their organization. In fact, most boards lack even a superficial understanding of technology. For example, a director on a financial services board commented that “(our company) is a highly technical operation but no one on the board is technically knowledgeable.” We were also somewhat taken aback by the almost defensive attitude exhibited by a few board members with regard to IT. One director commented that IT “frightens” board members who have not acquired computer literacy or competence. The interest of many boards in IT is best characterized by the question: “Why discuss IT unless it blows up?” The IT function remains an unconquered frontier.
In the short run, we feel that by adopting a few important measures, boards can significantly improve their effectiveness and performance regarding IT issues. These include having the CIO attend board meetings on a regular basis, and having the CIO called upon once a year to provide a brief presentation regarding the IT vision and IT strategic plans. The CIO should also be periodically called upon to provide brief information sessions to increase the level of IT understanding of the board. These sessions should emphasize the business implications of particular technologies and stay away from technical detail. The purpose here is to provide a nurturing milieu in which board members develop the confidence to raise and discuss new ideas. A board might also institute some specific steps to educate directors regarding IT. For example, one board member described a directors’ education program which involves having the board visit various corporate departments, including IT.
But what of the longer term? Interestingly, our interviews with prominent board chairs, directors and CEOs suggest that many boards are adding members with greater breadth and depth than those in the past. We predict that this newer generation of directors will have computer literacy and understanding of the important role of IT. As the IT industry itself matures, more ex-IT CEOs, CIOs and other senior systems professionals will take their place on the boards of tomorrow, lending even greater insight and expertise. Overall, the comfort level with technology on most boards will be far higher than it is today, and tech-savvy directors will begin to push the IT envelope, pressing for more board attention to IT issues.
To provide a context in which to exploit this coming wave of board IT talent — that is, to “add value” — boards need to consider changes in several areas. As a start, IT experience should become an important criterion for a board appointment instead of the present practice in which IT experience is seldom a concern. Boards in the financial sector may wish to consider establishing an IT committee, but failing this, they should designate at least one individual as the “point person” for IT issues. Such an individual can also play a valuable role on the board’s audit and risk committee, where issues of IT risk are often examined. Boards also need to ensure that a new CEO has some level of IT competence and experience. As one prominent board chair stated, “There is nothing worse than a CEO who is five to ten years out of date with regard to technology.” Last, the board chair must develop an understanding of the role of information in the company and appropriately promote IT issues as being worthy of board consideration.