Chairman's Network - Oct 2004 - The Current Status of IT Governance

Post Enron, Parmalat and Sarbanes-Oxley, IT governance is an increasingly important issue for the boards of all larger companies and, in the UK, for public sector organisations as well.  IT governance is a key component of Corporate Governance and this article describes the current state of affairs in the field. 

Evidence of systemic corporate failure (Maxwell, Marconi, Enron, Worldcom, Parmalat, Royal Ahold, Tyco, etc), the ruthlessly competitive environment of the global information economy, and the convergence of global capital markets are driving corporate boards and regulators toward a common understanding of effective governance

The UK’s Combined Code on Corporate Governance, revised in 2003, the OECD’s “Principles of Corporate Governance” (1999), the Bank of International Settlements’ “Enhancing Corporate Governance in Banking Organisations” (also 1999) and the USA’s Sarbanes Oxley Act of 2002, together with OECD privacy regulations plus HIPAA and GLBA in the US, provide the framework and structure for all this activity.  The key governance principles – the specific responsibilities for the governing board of an organisation - are: setting strategic aims, providing strategic leadership, overseeing and monitoring the performance of executive management, and reporting to shareholders on their stewardship of the organisation.

Information and information technology is critical to the success of almost every organisation in the world today, particularly in the shift from a tangible, asset based valuation to an intangible, intellectual capital based one.  Information and IT provide organisations with competitive advantage and support a substantial part of their operational capability.  ICT, in particular, is critical to managing information, improving productivity and reducing costs which, in turn, contribute to competitive advantage.  ICT is fundamental to strategic success. 

ICT is not, however, a low-cost, low-impact, static technology.  Innovation is common and the speed of innovation is a critical issue for many organisations, usually related to developing or maintaining competitive advantage.  Speed of innovation and speed of deployment can, depending on the company and its environment, either create or destroy competitive advantage.  The pace of change is a stimulus to which organisations must respond positively or see their competitive positions eroded.

Organisations of all sizes face strategic risks – both external and internal - in dealing with information and information technology.  Decision-making around such risks clearly should – but all too often doesn’t - take place within a coherent governance framework.  The failure of many IT projects to deliver the value expected of them, the frustrations experienced by users of IT systems, and the daily security breaches of IT systems worldwide are all symptoms of inadequate IT governance. 

IT governance is defined as “a framework for the leadership, organisational structures and business processes, standards and compliance to these standards, which ensures that the organisation’s IT supports and enables the achievement of its strategies and objectives.”

1. the requirements of the Combined Code (including the Turnbull Report) and Sarbanes-Oxley

2. the need to align technology projects more completely with strategic organisational goals, ensuring they deliver planned value

3. the proliferation of threats to information and information technology

4. the increase in information related legislation

3.0 CORPORATE GOVERNANCE REQUIREMENTS

The UK’s Combined Code consolidated the earlier Cadbury and Greenbury reports and incorporates the Higgs and Smith committee findings.  It is a non-statutory, “comply or explain” code. A large number of UK listed companies have still to confirm progress in addressing its requirements.

While organisations had long concentrated primarily on deploying effective financial controls, the Combined Code for the first time emphasised that all controls were important, and required listed companies to annually review "all controls, including financial, operational, compliance and risk management.”

The Turnbull Report, now incorporated into the Code, took this a step further.  The key principle is that the “Board should maintain a sound system of internal control to safeguard shareholders’ investment and the company’s assets”[1].  The “Directors should, at least annually, conduct a review of the effectiveness of the group’s system of internal control and should report to shareholders that they have done so.”[2] 

The Turnbull report is explicit[3] that a company’s “internal control system encompasses the policies, processes, tasks, behaviours and other aspects of a company that, taken together, facilitate its effective and efficient operation by enabling it to respond appropriately to significant business, operational, financial, compliance and other risks to achieving the company’s objectives.”

It recognises that “a company’s system of internal control …will include…information and communications processes”[4] and that “internal controls…should include all types of controls including those of an operational and compliance nature.”[5]  It goes on to say that, in determining its policies, the board should consider “the extent and categories of risk which it regards as acceptable for the company to bear, [and] the likelihood of the risks concerned materialising.”[6]  

There isn’t much wiggle room here.  If the organisation depends on information and/or information technology, it is necessary for boards to formally consider their information risks (in the areas of software development, IT project governance, information security, IT Platforms, compliance, etc).  Equally, directors must assess the data interdependence risks associated with their supply chains. 

Risk assessment, where information and IT is concerned, is particularly complex.  Every organisation needs a structured approach to risk assessment, based on a risk treatment plan (in which risks are accepted, controlled, eliminated or contracted out) that is appropriate for the company’s strategic objectives.

The US response to its corporate scandals was the passage of the Sarbanes-Oxley Act of 2002.  This made auditor independence and management accountability statutory for US listed companies.  It has additional sections, of which 404 (management to report on Internal Control over Financial Reporting) and 409 (management to monitor operational risks and file with the SEC details of material events within 4 business days) are the most important.  Foreign companies with US listings have to comply by June 2005

The sheer size of the US capital markets and the percentage of the global market taken by US listed businesses will tend to drive compliance in non-US markets in the US direction.

The EU’s draft directive on statutory audit (2004) is currently subject to consultation; it aims to force all EU listed companies into a standard external audit regime.  At the same time, all EU companies are being driven toward implementation of International Accounting Standards.  How the statutory Operating and Financial Review (“OFR”) will affect UK listed companies is still not clear, but it is clear that transatlantic regulatory co-operation on corporate governance issues will increase. 

4.0 Strategic Alignment of Technology with Corporate Goals, and Value Delivery

Technology should be a business enabler, contributing to improved productivity, better customer service, better supply chain management, better cost control, better shareholder information, etc.  However, many organisations have an information management and IT infrastructure that is inadequate for its business model and strategy. 

Effective IT governance ensures that organisations establish adequate technology building blocks, identify and manage technology risks, and maximise the return on individual technology investments.  

Organisations make substantial investments every year in new technology projects.  The level of investment may – or, more often, may not – be objectively related to the business strategy.  As much as 40% of new technology projects do not deliver the benefits expected of them, as well as being both late and over budget. 

5.0 Proliferation of Threats to Information and Information TECHNOLOGY

Cyber crime is a growth industry: virus writers and hackers are increasingly collaborating with spammers and organised crime to systematically exploit the wide range of vulnerabilities in most commercially available software and information security systems.  The theft – or digital leakage - of Intellectual Property is becoming an equally grave issue.

More information security incidents, however, originate inside the organisation than outside it.  Most companies do not report these incidents either to their shareholders or to the various authorities.  Those that are reported increase geometrically each year, as does their average direct value.   The indirect cost, especially that of management and staff time, usually far exceeds the direct costs, and the reputational damage can be even greater.

The problem for business managers is that the information at risk, and the systems in which it resides, are of critical importance to the day to day effectiveness of the organisation.  Usually, this means that business managers should be involved in deciding how information risks should be dealt with but, only too often, these decisions are made by technologically competent IT managers who are not involved in, nor responsible for, the strategic management of the business.  The result is often that the investment in information security technology fails to deliver optimum ROI and hampers, rather than enables, the business.

Information is also increasingly subject to legislation.  Companies have to ensure that they are able to demonstrate, usually in a tribunal or law court, that they have complied.  Relevant UK legislation now includes

                   Regulation of Investigatory Powers Act 2000

                   Copyright, Designs and Patent Act 1988

                   Telecommunications Regulations 2003

          In the US, the most high profile legislation is Sarbanes Oxley, HIPAA and GLBA, but there is also FRCA, CAN-SPAM, and other legislation dealing with privacy, record retention and telecoms.  Money laundering regulations on their own have created a significant range of information privacy issues.

In addition, there is much international (eg from the OECD, Basel and other Financial Authorities), European, company and sector specific legislation and regulation and codes of practice.

Each of these acts and regulatory frameworks gives rise to specific compliance risks and requirements, some of which are common to all organisations. This web of national and international information-related legislation creates new challenges for all organisations; there is still not a body of court cases to interpret much of this legislation, which means that organisations have to make and implement compliance decisions without a clear idea of whether their solutions will be adequate.

IT governance, as a concept, is becoming more important to organisations throughout the OECD.  Over the next two to four years, Sarbanes Oxley, The Revised Combined Code, cyber-threats, the web of privacy, data protection and freedom of information legislation, and the OFR will drive organisations to more systematically manage, monitor and oversee their investments in ICT.

In the absence of any other formal, detailed guidance, organisations must increasingly deploy the only available, externally validated, best practice information security framework: BS 7799/ISO 17799.     

BS 15000 (ITIL) and TickIT must also, logically, see an increase in deployments but the most critical step over the next two years will be greater representation on corporate boards of the IT function, a greater board level understanding of Total Cost of Ownership (TCO) of information systems, a drive toward real ICT performance metrics and the implementation, top down, of formal ICT project governance processes. 

Organisations are being forced to take a more responsible approach to information, information systems and information security.  The highly fragmented information security industry will have to take an equally mature approach to meeting their clients’ needs and recognise that an integrated “whole company” solution is the only one that can meet those needs.