Article for TickIT International, 4Q04

Post Enron, Parmalat and Sarbanes-Oxley, IT governance is an increasingly important issue for the boards of all listed companies and, in the UK, for public sector organisations as well.  IT governance is a key component of Corporate Governance and this article describes the current state of affairs in the field. 

The early 21^st century is seeing a “firestorm” of corporate governance activity.  Evidence of systemic corporate failure (Maxwell, Marconi, Enron, Worldcom, Parmalat, Royal Ahold, Tyco, etc), the ruthlessly competitive environment of the global information economy, and the convergence of global capital markets are driving corporate boards and regulators toward a common understanding of effective governance

The UK’s Combined Code on Corporate Governance (1998), the OECD’s “Principles of Corporate Governance” (1999), the Bank of International Settlements’ “Enhancing Corporate Governance in Banking Organisations” (also 1999) and the USA’s Sarbanes Oxley Act of 2002 provide the framework and structure for all this activity.  The key governance principles – the specific responsibilities for the governing board of an organisation - are: setting strategic aims, providing strategic leadership, overseeing and monitoring the performance of executive management, and reporting to shareholders on their stewardship of the organisation.

Information and information technology is critical to the success of almost every organisation in the world today, particularly as they move from a tangible, asset based valuation to an intangible, intellectual capital based one.  Information and IT provide organisations with competitive advantage and support a substantial part of their operational capability.  IT, in particular, is critical to managing information, improving productivity and reducing costs which, in turn, contribute to competitive advantage.  IT is fundamental to strategic success. 

IT is not, however, a low-cost, low-impact, static technology.  Innovation is common and the speed of innovation is a critical issue for many organisations, usually related to developing or maintaining competitive advantage.  Speed of innovation and speed of deployment can, depending on the company and its environment, either create or destroy competitive advantage.  The pace of change is a stimulus to which organisations must respond positively or see their competitive positions eroded.

Organisations of all sizes face strategic risks – both external and internal - in dealing with information and information technology.  Decision-making around such risks clearly should – but all too often doesn’t - take place within a coherent governance framework.  The failure of many IT projects to deliver the value expected of them, the frustrations experienced by users of IT systems, and the daily security breaches of IT systems worldwide are all symptoms of inadequate IT governance. 

IT governance is defined as “a framework for the leadership, organisational structures and business processes, standards and compliance to these standards, which ensures that the organisation’s IT supports and enables the achievement of its strategies and objectives.”

The five major issues that, in this context, boards (listed and unlisted, public and private) must consider are:

1. the requirements of the Combined Code (including the Turnbull Report) and Sarbanes-Oxley

2. the Intellectual Capital Value that the organisation has at risk

3. the need to align technology projects more completely with strategic organisational goals, ensuring they deliver planned value

4. the proliferation of threats to information and information technology

5. the increase in information related legislation

3.0 CORPORATE GOVERNANCE REQUIREMENTS

The UK’s 1998 Combined Code consolidated the earlier Cadbury and Greenbury reports and has since been revised to incorporate the Higgs and Smith committee findings.  It is a non-statutory, “comply or explain” code.

While organisations had long concentrated primarily on deploying effective financial controls, the Combined Code for the first time emphasised that all controls were important, and required listed companies to annually review "all controls, including financial, operational, compliance and risk management.”

The Turnbull Report – “Internal Control: Guidance for Directors on the Combined Code – took this a step further.  The London Stock Exchange said that compliance with the Turnbull guidance would constitute full compliance with the Combined Code and Listing Rule requirements.

The key principle is that the “Board should maintain a sound system of internal control to safeguard shareholders’ investment and the company’s assets”[1].  The “Directors should, at least annually, conduct a review of the effectiveness of the group’s system of internal control and should report to shareholders that they have done so.”[2] 

While listed companies are not legally required to comply with the provisions of the Combined Code, the London Stock Exchange requires[3] any UK incorporated, UK listed company to describe, in its annual report and accounts, how it has applied the principles of the code.  The company’s auditors must verify this statement.

The Turnbull report is explicit[4] that a company’s “internal control system encompasses the policies, processes, tasks, behaviours and other aspects of a company that, taken together, facilitate its effective and efficient operation by enabling it to respond appropriately to significant business, operational, financial, compliance and other risks to achieving the company’s objectives.”

It recognises that “a company’s system of internal control …will include…information and communications processes”[5] and that “internal controls…should include all types of controls including those of an operational and compliance nature.”[6]  It goes on to say that, in determining its policies, the board should consider “the extent and categories of risk which it regards as acceptable for the company to bear, [and] the likelihood of the risks concerned materialising.”[7]  

There isn’t much wiggle room here.  If the organisation depends on information and/or information technology, it is necessary for boards to formally consider their information risks (in the areas of software development, IT project governance, information security, IT Platforms, compliance, etc).  Equally, directors must assess the data interdependence risks associated with their supply chains. 

Risk assessment, where information and IT is concerned, is particularly complex.  Every organisation needs a structured approach to risk assessment, based on a risk treatment plan (in which risks are accepted, controlled, eliminated or contracted out) that is appropriate for the company’s strategic objectives.

The US response to its corporate scandals was the passage of the Sarbanes-Oxley Act of 2002.  This made auditor independence and management accountability statutory for US listed companies.  It has additional sections, with staggered implementation dates: 

– Section 404: Management to report on Internal Control over Financial Reporting – with Auditor’s opinion – August 2004

– Section 409: Management to monitor operational risks and file with the SEC details of material events within 4 business days –– August 2004

– Foreign companies with US listings to comply by June 2005

The sheer size of the US capital markets and the percentage of the global market taken by US listed businesses will tend to drive compliance in non-US markets in the US direction.

The EU’s draft directive on statutory audit (2004) is currently subject to consultation; it aims to force all EU listed companies into a standard external audit regime.  At the same time, EU companies are being driven toward implementation of International Accounting Standards.  The two steps are designed to increase the transparency of international financial reporting.

4.0 Intellectual Capital

A definition of Intellectual Capital is “an intangible asset that is usually not included on an organisation’s balance sheet and which is approximately equal in value to the difference between the market capitalisation of a company and its tangible (or net asset or book) value.” 

Intellectual Capital consists of human, structural and market capital.  There is a high-level of interdependence between these components and they all fundamentally depend on information, knowledge and information technology.  Organisations need to take appropriate steps to identify, manage and protect their intellectual capital, since so much of the shareholder value of the company depends on its maintenance.  From a governance perspective, this issue is fundamental to the protection of shareholder value.

5.0 Strategic Alignment of Technology with Corporate Goals, and Value Delivery

Technology should be a business enabler, contributing to improved productivity, better customer service, better supply chain management, better cost control, better shareholder information, etc.  However, many organisations have an information management and IT infrastructure that is inadequate for the Intellectual Capital that it has at risk. 

Effective IT governance ensures that organisations establish adequate technology building blocks, identify and manage technology risks, and maximise the return on individual technology investments.  

Organisations make substantial investments every year in new technology projects.  The level of investment may – or, more often, may not – be objectively related to the business strategy.  As much as 40% of new technology projects do not deliver the key benefits expected of them, as well as being both late and over budget.  The decision to invest in any specific IT project exposes an organisation to significant financial, operational and competitive risk.  Such decisions should be subject to a formal process which enhances the organisation’s competitive advantage.

6.0 Proliferation of Threats to Information and Information TECHNOLOGY

While cyber war and cyber terrorism win newspaper headlines, neither is a real immediate threat.  The proliferation of viruses, “worms” and Trojan code “in the wild” and of automated “hacking scripts”, combined with a wide range of vulnerabilities in most commercially available software, renders most information systems unsafe, unless systematically locked down.

More information security incidents, however, originate inside the organisation than outside it.  Most companies do not report these incidents either to their shareholders or to the various authorities.  Those incidents that are reported increase geometrically in number each year, as does their average direct value.   The indirect cost, especially that of management and staff time, usually far exceeds the direct costs of an incident, and the reputational damage, which affects the Intellectual Capital of the organisation, can be even greater.

Of course, the problem for business managers is that the information at risk, and the systems in which it resides, are of critical importance to the day to day effectiveness of the organisation.  Usually, this means that business managers should be involved in deciding how information risks should be dealt with but, only too often, these decisions are made by technologically competent IT managers who are not involved in, nor responsible for, the strategic management of the business.  The result is often that the investment in information security technology fails to deliver optimum ROI and hampers, rather than enables, the business.

Information is also increasingly subject to legislation.  Companies have to ensure that they are able to demonstrate, usually in a tribunal or law court, that they have complied.  Key UK (and most countries have equivalents) legislation now includes

                   Regulation of Investigatory Powers Act 2000

                   Copyright, Designs and Patent Act 1988

                   Telecommunications Regulations 2003

In addition, there is much international (eg from the OECD, Basel and other Financial Authorities), foreign (eg Sarbanes Oxley, GLBA, HIPAA), European, company and sector specific legislation and regulation and codes of practice and, for the UK public sector, there is also the Freedom of Information Act 2000.

Each of these acts and regulatory frameworks gives rise to specific risks and requirements, some of which are common to all organisations.  Boards need to assess the specific risks in each area to determine appropriate controls, and this approach should be co-ordinated with all other components of the strategic management of information and information technology. 

The organisation’s board (sometimes operating through an IT steering committee, one or more members of which should have appropriate technical expertise, recruited – if necessary – for this purpose, and which should work closely with the audit committee to ensure that risk management, audit and quality processes are closely integrated) needs to understand the information and IT components of its strategy and the way in which they are intended to drive the company’s value proposition.  The board needs to identify all the critical dependencies and inter-relationships between the components of its IT infrastructure and ensure that it is appropriate for its Intellectual Capital value.

It should also ensure that all information and technology related risks have been identified and that an appropriate risk treatment plan has been developed and acted on.  For information security and (IT) business continuity risks, this should lead to the deployment of a structured Information Security Management System (“ISMS”), usually one which is capable of accreditation to BS 7799-2:2002 and which follows the guidance of ISO 17799.

There is also, for any organisation developing software, a clear governance role for TickIT, issue 5.0 of which was developed to reflect ISO 9000:2000 and which, therefore, can be effectively deployed alongside BS 7799.  There is a strong governance imperative that software be fit for purpose, without readily exploitable vulnerabilities.

The deployment of TickIT and BS 7799 is still, I believe, inadequate to meet the governance obligations of private and public sector organisations throughout the OECD.  Legislation around privacy (data protection) and computer misuse will drive organisations to improve their performance, but the speed of technological innovation (particularly around what is now called the “porous perimeter”) will continue to challenge organisations to find a balance between effective security and responsive flexibility. 

IT governance is all about ensuring that those decisions are made intelligently and in a way that reflects the best interests of all the stakeholders in the organisation.  Implementation of an effective IT governance framework is now as important to organisational survival as a robust audit approach.