When it comes to views about the role boards need to play in governing technology, it has been an interesting and telling few months. PWC published their ‘Annual Corporate Director’s Survey’ (PWC, 2013). Information Age announced that the UK government was going to provide FTSE 350 companies with the opportunity to evaluate their cyber-security risk (Swabey, 2013). The Guardian published a piece on how the ‘Abandoned NHS IT system has cost £10bn so far’ (Syal, 2013). And multiple consulting and research firms and governance peak bodies are publishing or re-publishing editorial about the questions boards need to ask about IT.
What’s the thread that runs through these articles and publications? Enterprise Technology Governance (ETG): the urgent need for boards to better understand risk and opportunity when it comes to their role in technology governance.
Unfathomably, after many years of studying boards in a digital world, it seems to me that too many company directors still honestly believe that boards have no business ‘meddling’ in enterprise technology governance. They skirt around the issue with comments such as ‘It’s about better governance, not better technology’ or ‘We’re not in a high-tech industry’. But what if their dogged adherence to pre-digital models of corporate governance, and their failure to act, is putting their organizations at risk?
Technology risk (infrastructure risk, IT project risk, business continuity risk, information and security risk, and IT competence risk; Parent & Reich, 2009) could easily blind-side a board because the directors simply weren’t able to ask the right questions of management, supply partners or advisors. I suggest that the evidence is staring us all in the face, and not just from the large government IT project failures. ITGI (2011) reported that 21% of IT projects worldwide are terminated before completion. How is it that we continue to see billions in taxpayer and investor funds wasted when more than 90%, and as many as 100%, of company directors and senior directors surveyed since 2011 have consistently rated technology as critical to their businesses? These are first-world businesses. Technology underpins how they do business: their operational effectiveness, their cost savings, their capital investment plans and their engagement with stakeholders. Even in today’s technology-saturated business and economic environment, relevant technology governance competency (knowledge, skills and experience) is present in only 16 to 20% of boards globally, and around 30% if your company is in a high-tech industry (Eisener-Ampler, 2012; ITGI, 2011).
Clearly the UK government and the Department of Business and Innovation believe there is a problem. They and another government backer have invested £3.8m in offering the chairmen of the FTSE 350 a cyber-governance health check to help their companies ‘understand and manage risks that have the potential to cause major damage to [their] business’. In return for completing a survey administered by the company’s audit firms, they will receive a report on how they compare to their peers.
Malcolm Marshall, KPMG's global head of information protection and resilience, is quoted as saying: ‘It is no exaggeration to suggest that data central to national security and economic growth is at risk of exposure, meaning that boardrooms – not the IT team – must take responsibility for their cyber security levels. … It may be tempting to delegate cyber strategy to IT, but to do so is to delegate responsibility for the business’s whole security, as well as that of every customer and supplier’ (Swabey, 2013). Van Grembergen and De Haes (2009, 2012) have been making this point for years.
As one highly regarded senior company director and chairman reflected to me recently, a board delegating IT strategy and risk to the IT department is about as foolhardy as delegating financial strategy and risk oversight to the finance department. The latter is unthinkable, yet too many boards are still delegating all types of technology risk to the IT department. They then wonder what happened when projects go belly up!
My question is: at what point will the tide turn and when will directors be held accountable for incompetent project and contract oversight? Will this happen in both the purchasing organization as well as within the vendor organization?
Board ethics and performance commentator Dr Karen Martyn (2013) refers to Bayles’ (1989) seven fiduciary obligations, one of which is the obligation of competency. These professional obligations are applicable to board governance. They refer to how a board or individual director is seen to behave in trustworthy ways, such that stakeholders can be assured that they are performing at a level that promotes the investor’s or funder’s interests. ‘Although it is not a moral virtue, competence is probably the most crucial of a professional’s characteristics. Professionals have an ethical responsibility not to hold themselves out to do or accept work [such as the work of governing] they are not competent to handle. No matter how honest, candid, diligent, loyal, fair and discreet professionals are, if they are incompetent, they are unworthy of trust, for they cannot do well the job for which they are hired’ (Martyn, 2013, p. 4).
Finally, we come to the article about the abandoned NHS IT system having cost £10bn so far. Back in 2011 I read an independent review of this particular project, when the blow-out was a mere £4.2bn. This was right about the time I started to think about studying the board’s role and its competency to govern technology.
It seriously irks me that ordinary people’s tax contributions are squandered in the many catastrophic IT project failures and that there seem to be no consequences. I looked closely for any articulation of the governance structures and mechanisms at play in the 2011 report. All I found were two lines stating that there appeared to be a failure of governance – presumably meaning operational IT governance. The recent Guardian article suggests that ‘successive ministers and civil servants have been blamed by committee members for the NHS project, which has been described as the biggest IT failure ever seen... [with] the NHS's particular problems stemming from the original contracts signed before 2002’ (Swabey, 2013). Blame is usually mere political posturing or butt covering. To date there have been no apparent consequences, or even mention, of the high-level governance accountability for this monumental failure.
Boards be warned.
In an era where big data connects previously unconnected dots relating to all types of performance, and where social media is the platform for ever-increasing transparency and critique, there may be a very different road ahead. Being competent in the role of company or advisory board director is a fiduciary obligation. Ignorance is no defence.
ABOUT THE AUTHOR
Elizabeth Valentine is a doctoral candidate at Queensland University of Technology. Her research and thesis focus on ‘Enterprise Technology Governance: a core competency for boards of directors in a digital world’.
Email: firstname.lastname@example.org Mobile: +61 468 392302.
References

Bayles, M. D. (1989). Professional Ethics. Belmont, CA: Wadsworth.
Eisener-Ampler. (2012). Concerns about risks confronting boards: third annual board of directors survey 2012. In M. Breit & S. Kreit (Eds.). New York, NY: Eisener Ampler.
ITGI. (2011). Global status report on the governance of enterprise IT (GEIT) - 2011. Rolling Meadows, IL: IT Governance Institute.
Martyn, K. (2013, September). [Notes from Professional Ethics Seminar].
Parent, M., & Reich, B. H. (2009). Governing information technology risk. California Management Review, 51(3), 134-152.
PWC. (2013). Annual Corporate Director Survey. New York, NY: Price Waterhouse Coopers.
Swabey, P. (2013, 25 July). FTSE 350 firms offered free "cyber governance" health check. Information Age.
Syal, R. (2013, 18 September). Abandoned NHS IT system has cost £10bn so far. The Guardian. Retrieved from Guardian News and Media Limited.