
A majority of chairmen, directors, senior executives, managers and consultants in our July 2013 survey agree. Boards of directors must give serious consideration to whether they are courting increased financial, reputational, compliance and competitive risk if they do not include directors with IT governance knowledge, skills and experience among their ranks. Lacking the competencies that allow directors not only to ask the right questions of management and advisors, but also to analyze the responses, make judgments and raise further questions where necessary, increases risk. This short paper provides a summary of the latest results from my research to date. A literature review and a ‘temperature check’ survey were used to establish the strength of opinion about the need for board directors to have enterprise technology governance competencies.

Our research and who has participated
This mixed methods doctoral research started with a comprehensive literature review. The findings from the initial review have been extended by interviewing directors and executives from a major Australian company (6,000 FTE). Further, a short ‘temperature check’ quantitative and qualitative survey involving 93 participants, as well as online forum discussions with a further 82 participants via a dedicated research website and two LinkedIn governance forums, have been conducted and analyzed. This brings the total number of director, chief executive, senior executive, manager and consultant participants to date to 183. Participants come from 14 different industries, with the largest number coming from the Telecommunications and Technology sector (19%). Organization size ranged from one to 150,000 FTE, with 85.86% of respondents coming from small to medium enterprises with between one and 2,499 FTE. Most responses are from Australia and New Zealand (70%), but there are also contributions from the USA, Canada, the UK, Europe, Asia and Africa.

The majority say yes (survey)
While the complete temperature check results are reported elsewhere, results show that 56.99% (n=53) of respondents have held board positions, with the largest respondent group having held chairman roles (32.26%, n=30). 74.42% of participants (n=93) agreed (19.77%) or strongly agreed (54.65%) with the statement ‘it is now very important that boards include directors with IT governance knowledge, skills and experience among their ranks, so that they can ask the right questions of management and advisors’. 10.47% were undecided, 9.30% disagreed and 5.81% strongly disagreed.

Characteristics of those who say outright ‘no’ (survey)
The results also appear to reveal a relationship between those who disagreed or strongly disagreed and an older age group: 10 of the 13 respondents born between 1940 and 1959 reported disagreement with the importance of enterprise technology governance (ETG). Within this same group, 11 of 13 had no IT-related education or qualifications, which possibly indicates a relationship between perceptions of importance, age, and having knowledge and skills in the strategic use of technology. All 13 participants had held board roles, perhaps reflecting Leblanc and Gillies’ (2005) observations of entrenched thinking and beliefs within traditional boards. While the ITGI (2011) Global Survey found that 16% of boards have directors with technology knowledge and skills, there appears to have been a significant shift over a two year period, with 36.47% of our survey respondents’ boards now having one or more directors with board level IT governance knowledge, skills and experience, or currently recruiting such directors. However, the fact that the largest industry group represented in the survey is the telecommunications and IT industry might explain this.

Risk: the top area of concern (forums and survey)
One of the key duties of a board is risk oversight. Where technology is concerned, competitive, reputational and compliance risks all increase. We found that there are now widely held views that board risk oversight cannot be confined to financial and legal risk. ‘Today, rapidly changing technology is opening up opportunities and risks not encountered before. To be blind to this must surely be negligent’ (B&A: R6).
Here is a summary using reputational and compliance risk as examples.

Reputational risk
‘With today’s widespread use of social media and other sources of instant news and communication, a company’s reputation has never been more vulnerable’ (1). Reputational risk covers the possibility that an enterprise will lose potential or existing business because customers or stakeholders have cause to doubt the organization’s trustworthiness. Whether founded on fact or not, with the advent of social media and near instant global communications it can take weeks, months or years to recover from reputational damage. For example, participants in the Ponemon Institute’s recent study placed economic values on brand and reputational risk ranging from less than US$1 million to more than US$10 billion, with the average coming in at US$1.56 billion (2).

Compliance risk
As reflected in ISO/IEC Standard 38500 (3), oversight of the conformance and performance (including risk) of the organization is central to the board’s duty of care responsibilities. Our research suggests that boards that continue to ignore or delegate enterprise technology governance may be in breach of their fiduciary duty of care, whether they realize it or not. Risk increases when the combined board lacks the competence not only to question management, but to evaluate what it is presented with and make appropriate judgments. Risk is also contained in the assumption that compliance risk can be mitigated by using advisors. As one experienced chairman reflects: ‘Remember they are only advisors; the final responsibility lies with the board’ (IOD:P7).

However, ‘part of the problem is that much of the guidance offered in the marketplace under the heading “IT Governance” is in fact focused on “IT Management”. This fuels the boardroom view that IT is a management issue, since when directors read the guidance they see management guidance’ (B&A:P11). Shareholders or government owners need to evaluate what balance and level of knowledge, skills and experience are required so that they appoint a group of ‘directors who collectively have the various skills and experience to be able to add real shareholder value and wealth…. [where] “collectively”… implies a mix of skills and experience matched to the company’s prime activities and future ambitions’ (IOD:P7).

That ‘directors should ensure that management is doing its job properly… is immensely useful, and it helps us establish a workable proposition for directors in respect of IT. To govern IT, directors don't need to know a vast amount about the technology itself, but they should know a lot about how management should be dealing with technology’ (B&A:P11).

Conclusions
Boards of directors may need to review whether the sector they operate in, and the organization they are responsible for governing, is increasingly at risk if they do not have knowledge, skills or experience in technology governance appropriate to their board meeting its conformance and performance standards. While the number of boards with ‘technology-savvy’ directors appears to have increased dramatically over the past two years, a majority of the people involved in my research, across all the chairmen, directors, executives and consultants who have participated, believe that such competency is now very important. Participants have provided some very practical advice, amongst which is to use business language instead of technology language to reduce the fear factor in those with limited knowledge and experience.

Engaging with management in discussions about technology in relation to strategy, risk and performance, including compliance, is not a new concept for directors. ‘We need to focus on the role and oversight responsibilities of the board and consider where technology might fit in, rather than the other way around…. Further, if these discussions are focused on the business and what are the enabling and supporting functions, then conversations on technology in these domains will naturally arise’ (B&A:P9).

++++++++++++++++++++++++++++

This research was conducted in conjunction with Queensland University of Technology as part of a Doctor of Information Technology degree. 
Ethics approval 1300000276.

References

1: IBM (2013). Six Keys to Effective Reputational and IT Risk Management: 2013 IBM Global Reputational Risk and IT Study. IBM, USA.

2: Ponemon Institute (2011). Reputation Impact of a Data Breach: U.S. Study of Executives & Managers. Sponsored by Experian Data Breach Resolution. Ponemon Institute, November 2011.

3: Calder, A. (2008). ISO/IEC 38500: The IT Governance Standard. IT Governance Ltd.

Leblanc, R., & Gillies, J. (2005). Inside the Boardroom. Ontario: Wiley & Sons.

ITGI (2011). Global Status Report on the Governance of Enterprise IT (GEIT) 2011. IT Governance Institute, Rolling Meadows, IL.