Blog

Some boards are confused about their role in tech governance

I've been talking to a wide range of directors about why boards and executives are confused about technology governance roles and responsibilities.

The thing that stands out for me is that most definitions talk about IT governance and could easily be confused with the operational role and tools of management rather than the distinct governance accountabilities of boards.

For example, the SFIA5 and ISO/IEC 38500 frameworks have been used by some consultants and boards as indicators of the competency set digital directors need. However,  there are quite significant gaps and challenges with both. It is very important to make clear distinctions between board and management roles and responsibilities when it comes to governing technology-related strategy and risk.

SFIA5 focuses on management up to senior executive. The ISO/IEC standard 38500 is focused on boards and their role in IT governance. The challenge with the standard is that it is largely comprised of principles and task descriptions. While SFIA5 references 38500, the two frameworks are quite differnt. To become better informed, last week I attended a two day workshop on Digital Leadership based on the 38500 standard. It was run by Mark Toomey (www.infonomics.com.au) and was excellent – practical and case-study based. The workshop highlighted for me how complimentary the Enterprise Technology Governance (ETG) competency set developed in Elizabeth's doctoral research is with the standard. It is complimentary because 38500 is a standard. To obtain best value from implementing and using the standard, boards need a basic level of ETG competency.  

Boards must be competent to lead in a digital economy, and to leverage value from frameworks and standards. They must be competent to critically analyze the operating environment, and evaluate the technology and business information they receive in board papers and proposals, and the responses to their questions.

In acting competently boards are, in part, meeting the requirements of their duty of care. A lack of knowledge, skills or experience a.k.a ignorance, is never a defense.