Published on Director of Finance Online at http://dofonline.co.uk/governance/boards-careless-about-it-governance3255.html
7 February 2008
Only 12 per cent of businesses take technology seriously enough to operate full board-level oversight of their IT resources, according to research from IT Governance Limited.
Despite increasing compliance pressures under Sarbanes-Oxley, the UK Combined Code, HIPAA and other regulatory regimes, boards still appear to be lagging badly in implementing appropriate IT governance measures.
IT governance frameworks, such as ITIL, CoBIT and ISO27001, also appear to be used in less than 50 per cent of organisations.
IT Governance polled opinions of almost 100 technology and compliance professionals on a range of IT governance issues.
Despite the critical importance of technology to most organisations, only 12 per cent said that IT governance was important in their organisations and that board-level IT oversight committees existed.
While a further 16.5 per cent reported that progress was being made towards achieving this, more than 50 per cent indicated that this was far from the case.
Respondents were similarly sceptical about the grasp that board members have of technology’s importance.
Less than 7 per cent said that board members understood the risks posed to business operations by information and IT systems.
In contrast, 49 per cent said this was not the case, with over 22 per cent stating this emphatically.
Over 57 per cent said that directors and officers failed to understand the age and health of the current IT portfolio and the business implications of deferring maintenance.
Risk management regime
Less than 37 per cent said that IT governance frameworks were integrated with their company’s enterprise risk management regime, with less than 7 per cent saying that this was achieved fully.
Asked if their companies used standard IT governance frameworks, such as ITIL, CoBIT, ISO17799 or PMBOK, 9 per cent said yes, and 19 per cent said that good progress was being made towards this.
Over 21 per cent said such frameworks were used only occasionally, and fully 30 per cent indicated that they were not used at all.
Alan Calder, chief executive of IT Governance, said, “The findings were a startling insight into the excessively relaxed attitudes that many boards have towards their governance obligations.”
No dividing line
He pointed out that there were new stories about lost customer data or expensively failed IT investments almost every day.
“It would seem that many board directors simply tune this out mentally, however, and think it is a problem for somebody else. This could not be further from the truth, as the costly fines meted out by regulators to an increasing number of businesses demonstrate,” Calder concluded.
He called for more boards to recognise that there is no dividing line between IT and the rest of the business, and said that they consequently need to exercise the same governance as they would over finance or marketing.