ACCA - The global body for professional accountants

This article raises the question of what the board's oversight role is regarding information technology. There is no one right answer to this question; it can even be said that the short answer is, 'It depends.'


This article was first published in the September 2008 edition of Accounting and Business magazine.

Traditionally, and properly, a company's board of directors has focused on governing the organisation; that is, the board ensures that the right CEO is in place, that the right business strategies have been developed, that performance is reported regularly and trending properly, and that the right questions are being asked of management.

The board's agenda is truly endless, and it is absolutely critical that the board not micromanage the CEO, attempt to 'manage' the organisation, or have items on its agenda that are not focused on the long-term success of the organisation. The board should revisit its mandate periodically, reconfirming its roles and responsibilities.

This article raises the question of what the board's oversight role is regarding information technology. There is no one right answer to this question; it can even be said that the short answer is, 'It depends.'

Indeed, many believe it is not the purview of the board to discuss IT strategy; the board is there to provide oversight to management's efforts, and since IT is only a 'tool' in achieving those business strategies, in general it should not be on the board's agenda. At the other end of the spectrum there are those who maintain that IT is the business for most organisations today, and that as IT goes, so goes the company. Therefore, the board needs to be informed and participate in discussions about IT investments, including the organisation's IT strategies, plans, and processes.

Finally, there are others who believe IT or IT security will be the source of our next Enron-style corporate malfeasance, so the board needs to be much more active with IT and IT security efforts.

Revisit, review, reconsider

My recommendation is that the board should review and define its oversight role regarding IT. That is, the board should understand how important the IT activities are to the organisation's implementation of business strategies, what IT initiatives are critical to the organisation's success, what the strengths and weaknesses of the IT management team are, and what, if any, changes should be instituted regarding the board oversight of IT.

A basic focus of the board is ensuring corporate viability, and protecting and increasing shareholder value. If IT is so critical today to the long-term success of the company, then the board should provide oversight of IT. The board should not get involved in day-to-day management, but it must maintain active oversight. IT is a key contributor to the organisation's results, including the always visible financial reporting and disclosure effort - and we all know what happens with incorrect financial reporting.

A fundamental question for each organisation to investigate and answer is whether board oversight of IT is a 'missing piece to the puzzle' in its board governance or if it is a non-issue for that organisation. While the answer is most likely somewhere in the middle of these two extremes, it is up to the board to decide its mandate including its roles, responsibilities, and various oversight processes.

The industry involved can be a factor regarding the degree of oversight needed. Obviously an IT company and others in the technology sector should consider having a few board directors with IT expertise. Such companies probably need greater board oversight over IT strategy and investments than others, with some even having a board-level technology committee. There are actually few industries today where IT governance is not significant, although the financial, health, and technology sectors certainly require more oversight than others.

Defining the board's IT oversight role

And why is board oversight of IT so important today? Consider:

  • The growing extent that corporate productivity is now related to 'intellectual capital.' With IT so essential to creating organisational value, boards need to understand IT better. That isn't captured through monitoring other, more traditional areas.
  • Productivity growth statistics, and estimates of how much of that growth is caused by smart use of IT. Everyone is in a competitive business, and IT can give companies a competitive advantage.

Just because the board has not taken an active role in IT in the past or put IT on the board agenda very frequently, that does not mean there isn't a place for the board regarding IT.

It's always better to decide the board's role going forward than to have it dictated by the next Enron that occurs. I also believe that periodically revisiting the board's mandate and its various committees' terms of reference is a productive activity in this never-ending effort to improve governance and organisational performance. And at the end of the day, isn't that what it is all about?

The board's governance of the company as it relates to IT will depend on the nature of the organisation and also on its risks, both strategic and tactical. The board's involvement is likely to vary over time. The board's involvement in IT should be driven in the same way as its involvement in marketing, personnel, legal, and other departments; that is, there is no 'automatic' involvement in IT. You must decide your board's involvement and then act to achieve it.

Governance is fundamentally about identifying and managing strategic risk to the organisation, whether that's the risk of the CEO turning out to be a crook, or the business strategy itself being flawed. If the organisation doesn't use IT, there's obviously no risk. If the organisation has enterprise-level investment in (and dependence on) information and IT, then there is risk. It is the scale of the risk that determines whether or not board oversight is necessary. Small risk, who cares? Big risk - think betting the farm on a technology project - then the board had better oversee it.
We don't need to oversee day-to-day management of IT (other than perhaps agreeing the criteria for recruiting the CIO), but we might think that there are half a dozen key performance indicators that we want to see on a regular basis that tell us how well this part of the business is being managed. There is no hard and fast rule beyond managing risk; which board wants to be on duty when an IT project leads to the company going down? Crying, 'We left it to management!' will be just another way of saying, 'Please sue us, because we took our fees but we just weren't paying attention.'

In my view, board oversight of IT is essential. For an ever-wider range of industries, IT is too important to be left to technologists alone. That said, the board must limit the nature of its involvement to strategic issues. The board should not be involved in where to draw the line in each case, but it should be sure that management is aware of the need to weigh the pros and cons and make an explicit decision in each case. The decision is basically one to be made on business grounds with a proper understanding of the potential, the risks and the constraints of available technology. Too often the business dimension will not even be considered if these decisions are left to technology experts alone.

Further significant insights are provided in the resources identified. Has your organisation reached its tipping point?

Dan Swanson is a columnist with Compliance Week

Last updated: 16 Jul 2014