The importance of having an IT savvy independent non-executive director

Many companies operating in the South African market that follow business practices demonstrating their commitment to corporate governance (such as King III) have come to realize that information technology (IT) is integral to doing business today, since it is fundamental to the support, sustainability and growth of their enterprise. They have also come to appreciate that active consideration of IT governance is essential to ensuring the efficient and secure operation of their business.


However, as well as being a strategic asset to the company, IT also presents businesses with significant risks.


IT cuts across all aspects, components and processes of a business. It is therefore not only an operational enabler but also an important strategic asset that can be leveraged to create opportunities and gain competitive advantage. Good corporate governance practice accordingly dictates that, in exercising their duty of care, directors should ensure that prudent and reasonable steps have been taken in respect of IT governance to avoid significant risks.


The importance, then, of having an independent non-executive director with significant executive IT experience to help guide and oversee a business's IT function cannot be overstated; it can be the difference between success and failure.


An independent non-executive director focusing on IT will be asking the following questions:

  • Does the board understand how IT decisions are taken and who is accountable?
  • Does the business have an IT governance framework in place which defines and supports decision models and governance structures as well as accountability and governance processes?
  • Is the technology function involved in strategic business decisions and planning?
  • Is the business's investment in IT understood?
  • Is all intellectual property, company and client information (see the POPI Act) properly protected?
  • How does the business ensure IT compliance with laws, rules, codes, standards and regulations?
  • How is the value delivered by IT being measured, have standards been set and is this measurement ongoing?
  • Is the approach towards IT risks facing the business clear in terms of risk avoidance vs. risk taking?
  • Are the executive and board regularly briefed on IT risks to which the enterprise is exposed?
  • Is IT a regular item on the agenda of the board and is it addressed in a structured manner?
  • Does the board have a clear view on the major IT investments from a risk and return perspective?
  • Does the board obtain regular progress reports on major IT projects?
  • Is the board getting independent assurance on the achievement of IT objectives and the containment of IT risks via additional sources (for instance from its audit and risk committees)?


The requirement to disclose how the board and the executive have satisfied themselves that IT governance is effective will need to be positively evidenced.


Due care and diligence will need to be exercised and disclosed; this can be achieved through an IT governance framework which includes:

  • Decision making structures and processes for IT related decisions
  • An accountability structure for IT management
  • IT governance processes and reporting structures
  • IT policies, standards and measures of compliance (see Appendix)
  • IT controls and risk mitigation procedures
  • Information security management practices
  • Business and disaster recovery planning, processes and practices
  • Including information technology strategy requirements and input as part of the strategic business planning process
  • Project management practices
  • The application of consistent IT benefits realisation processes
  • Discipline in applying IT value and performance measurement processes
  • Well understood and consistently applied IT acquisition and disposal processes
  • Gaining an understanding of the current state of IT governance and determining improvements required in an IT governance plan
  • Ensuring the implementation and the ongoing use of effective IT governance practices through the application of recognised frameworks and methodologies managed by continuous assessment and monitoring
  • Reporting on the state and initiatives of IT governance and IT in general to the board
  • Ensuring that the board receives adequate assurance on the efficiency and effectiveness of the IT and IT governance processes and on the management of specific IT-related issues
  • Disclosing how satisfied the board is with the effectiveness of IT governance


An IT savvy non-executive board member can provide a valuable external perspective and ensure that executive members of management are supported and constructively challenged in their role, and as such can provide valuable additional input in terms of:

  • Clarified decision-making and accountability
  • Improved understanding of overall IT costs and their input to ROI cases
  • Improved risk management, security, efficiency and effectiveness of IT and making this visible (i.e. how and where IT will deliver value)
  • Enhancement and protection of reputation and image
  • Positioning of IT as a business partner and clarifying IT’s role in the business
  • Assisting with improved and more professional relationships with key IT partners (vendors and suppliers)
  • Improved responsiveness to market challenges and opportunities
  • Clear identification of whether an IT service or project supports ‘business as usual’ or is intended to provide future added value
  • A focus on performance improvement that will lead to the attainment of applicable best practices
  • Avoidance of unnecessary expenditure as spending can be demonstrably matched to business goals
  • Enabling an integrated approach to meeting external legal and regulatory requirements




Appendix


Commonly accepted policies and procedures include (but are not limited to):

  • Backup and Backup Retention Policies
  • Blog and Personal Web Site Policies
  • Incident Communication Policy
  • Internet, Email, Social Networking, Mobile Device, and Electronic Communication Policies
  • Mobile Device Access and Use Policy
  • Outsourcing Policy
  • Patch Management Policy
  • Record Management, Retention, and Disposal Policy (see the POPI Act)
  • Sensitive Information Policy
  • Service Level Agreement Policy
  • Social Networking Policy
  • Telecommuting Policy
  • Travel, Laptop, PDA and Off-Site Meeting Policy


As a result of these policies, staff should then be required to sign off on one or more of the following (where applicable):

  • Blog Policy Compliance Agreement
  • Bring your own device (BYOD) Access and Use Agreement
  • Company Asset Employee Control Logs
  • Email Employee Agreements
  • Internet Access Requests
  • Internet and Electronic Communication Employee Agreements
  • Internet Use Approval
  • Mobile Device Access and Use Agreements
  • Sensitive Information Policy Compliance
  • Security Access Applications


Credits

http://www.pwc.co.za/en/assets/pdf/SteeringPoint-KingIII-it-governance-14.pdf
http://www.pwc.co.za/en/king3/the-governance-of-information-technology/index.jhtml