"The only reason for time is so that everything doesn't happen at once" - Albert Einstein
In today's fast-changing world of technology, every individual, organisation and industry is impacted by technology in a number of ways. You have a choice to either adopt and use the new technologies to survive, or harness them to thrive. Either way, doing nothing and hoping to continue business as usual is not an option.
New technologies present both opportunities and risks. The risk of being left behind carries consequences so dire that it might result in the ultimate demise of your organisation. The risk of inappropriate use of technology has the potential to result in hefty penalties or in falling victim to cyber attacks with dire consequences. This implies that organisations need to be very circumspect about their choice of technologies and their strategy for harnessing them for business benefit while adhering to all applicable regulations and taking the necessary precautions. This is only achieved through proper governance undertaken by competent, determined and ethical individuals. The question is: who are these individuals in your organisation?
What is IT Governance?
Before delving further into the topic, we need to first make sure that we are on the same page regarding some key concepts. First, let's define IT governance. I define IT governance as a critical and embedded practice that directs the organisation to ensure that information and technology investments, risks, and resources are aligned with the best interests of the organisation and produce business value. It is an integral part and a subset of corporate governance.
This definition highlights the fact that expenditure on IT must be looked at as an investment that must yield returns. Also, you need to know and appreciate the interests of the organisation to be able to direct its IT acquisition and use appropriately.
The Prevailing IT Governance Practice
Organisations have structures and individuals that carry out technology and information governance activities at various levels of operations, management and leadership. Often these activities are not well coordinated, overlaps exist, and roles and responsibilities are not clearly defined, leading to confusion and finger-pointing. Considering the criticality of information and technology in organisations, as alluded to above, these issues cannot be left unresolved. Organisations need to be clear about who should have the final say in IT decision-making.
Some people maintain that the IT Head in the organisation is the ultimate IT decision-maker. However, the heads of other functional areas might (and usually do) argue that they must have the final say because IT is merely an enabler or supporter, not the driver, of business operations. Some organisations establish IT steering and similar committees to govern IT. The problem with IT steering committees is often that they are constituted of lower-ranking individuals who have no proper authority to make critical and strategic technology decisions. In cases where the committee is made up of senior executives, it does not function because the executives are often too busy to attend meetings and review IT proposals, policies, etc.
Where the committee is constituted of executives and actually does function, it ends up being a special EXCO that still requires the full EXCO to endorse its decisions, a duplication of effort if you ask me. The same can be said about other "IT governance" structures that get set up in organisations, including the IT strategy committee, Data Governance Committee, Information Security Committee, Enterprise Architecture Board, etc.
The Purpose and Outcomes of IT Governance
Who then should govern IT? To answer this question we need to first understand the purpose, roles and responsibilities of governance in an organisation. The diagram below depicts the outcomes of IT governance. First I need to clarify that I start from the premise that IT governance is an integral part of corporate governance. With this in mind, I chose to use the approach from ISO 38500, a globally accepted IT governance standard that links IT governance to corporate governance. Below is a diagram that summarises the expected outcomes of IT governance in an organisation from the ISO 38500 point of view:

Responsible Stewardship
This refers to the responsible use of IT, driven by the fiduciary duty of care of every member of a governing body. A governing body is the highest decision-making structure in an organisation, responsible for the entity's overall governance. In this era of the Artificial Intelligence (AI) boom, responsible use of technology cannot be over-emphasised, as we witness almost daily cases of data confidentiality breaches, violations of data rights and decision-making based on biased algorithms.
Ethical Behaviour
Good IT governance will result in the organisation acting with integrity and transparency in fulfilling its obligations and commitments. Again, this is more relevant in today's world of artificial intelligence, where the scramble for algorithm training data is rife and companies sometimes resort to unethical behaviour to beat the competition.
Effective Performance
This is performance that yields the intended results in line with the organisation's vision, mission, goals and values. The performance should satisfy not only the board or governing body, but all the organisation's stakeholders including strategic partners, customers or beneficiaries (in the case of non-profit organisations), regulators, employees and management.
Management vs Governance
It is important to clarify the difference between management and governance roles because confusing them leads to inefficiencies and governance failures. The diagram below shows the distinction between the two.

Management processes, on the right of the diagram, involve planning, building or designing technology solutions and services, execution and performance monitoring. On the left of the diagram you can see that governance processes are different. They involve the evaluation of management reports, policies and strategies, making decisions to give direction to the organisation, and monitoring the execution of the mandate given to management.
For governance to adequately fulfil its role, some governance activities need to be delegated to management while the governing body remains accountable. Structures such as the internal audit unit, the risk management committee and others play a critical role in enabling governance success. However, the success of these structures hinges on adequate constitution, authority and competence. The level of authority assigned to each committee member should align with their seniority in the organisation. A skillset or knowledge of IT, not necessarily at practitioner or specialist level, is important for an individual's ability to make IT decisions for the business.
Besides delegating IT governance activities to management, governing bodies often establish committees within their ranks comprising individuals with knowledge and experience in IT. Although there are sometimes issues with this approach, such as committee members tending to perform management tasks, the practice works to a large extent. One other problem with this practice, though, is that some non-committee members within the governing body tend to "switch off" during technology discussions, thus neglecting their fiduciary duty of care.
Responsibilities of the Governing Body
The following picture shows the key responsibilities of members of a governing body:

The implications of these responsibilities for information and technology governance are briefly explained below:
Set Strategic Direction
The governing body must direct management to develop an information and technology strategy that is aligned with the organisation's mission, vision, values, goals and strategic objectives. It must therefore demand that management demonstrates this alignment before approving the strategy.
Oversee and monitor performance
Governing body members review management reports and conduct necessary due diligence to gather critical information before making key decisions. This is to ensure that policies and strategies are being implemented as intended and key risks are identified, monitored, and mitigated.
They conduct oversight to ensure management accountability for organisational performance, evaluating feedback and reports in line with the organisation's strategic direction. They also approve policies and plans that give effect to the organisation's strategic direction.
Protecting Stakeholder Interests
Driven by the duty of loyalty to act in the best interests of the organisation at all times, governing body members are required to promote efforts that maximise stakeholder value. They need to satisfy themselves that clear business benefits are identified and monitored for each key technology and information initiative.
Examples of IT governance failure
Although there are many such incidents, it seems as if not many organisations are keen to be proactive about properly optimising their IT governance. They would rather start taking action after they have fallen victim to IT governance failure, which in some cases could be too late, as the organisation might cease to exist.
Here are a few examples of consequences of IT governance failure.
Blockbuster
Blockbuster was once a dominant player in the home movie and video rental market. However, a new entrant, Netflix, soon arrived on the scene and offered home movies and videos streamed over the internet in the comfort of one's home.
Blockbuster failed to see the threat and could not adapt its business model to the new trend of digital streaming. It instead introduced a new service where video cassettes would be delivered directly to people's homes. This did not work either, as the change in the industry was driven by technology and required a technology-driven response.
Meanwhile Netflix, which provided video streaming over the internet directly to people's devices, including PCs, TVs and phones, was growing at a fast pace and eventually dominated the market.
The Blockbuster failure story is a classic case of IT governance failure. At the heart of it, the board should have understood the technology trends and their implications for its business. Mind you, it was not the CIO/IT Head who was blamed for the failure to lead the organisation to respond properly. It was the governing body, i.e., the board, that failed to take the decision. This shows the importance of authority when it comes to IT governance.
TransUnion South Africa
In 2022, TransUnion South Africa admitted to having fallen victim to a ransomware attack. The attackers claimed to have access to people's credit records, personal IDs and banking details. The Information Regulator issued the credit bureau with an Enforcement Notice which detailed the steps the organisation must take to ensure the security of its customers' data.
The company suffered huge damage to its reputation and was at pains to try to reassure its customers. It claimed not to have paid the ransom demanded by the hackers, but we will never know if this is true, because ransomware victims never admit to paying the ransom even if they did.
The lesson here is that the IT governance outcome of "Responsible Stewardship" was not achieved. In particular, the governing body failed to ensure the appropriate protection and use of stakeholder data and information.
Volkswagen
The case of Volkswagen involves the company's engagement in emissions cheating by installing software in its diesel cars to cheat emissions tests. It is said that the company's executives were aware of the cheating.
However, the board failed to provide adequate oversight. As a result, the company faced billions of dollars in fines and lawsuits. It also suffered immense damage to its reputation.
This relates to the ethical aspect of governance, where technology was used to cheat regulators. The company demonstrated a lack of integrity and transparency in fulfilling its obligations and commitments, as well as a failure to comply with regulations.
Conclusion
At first glance, the answer to the question "Who should govern IT?" seems obvious and straightforward. However, in practice there is a lot of confusion that leads to governance failure with dire consequences for the organisation. The following are the key take-aways:
- The impact of IT in organisations has never been this high. Without proper IT governance, including role clarification and effective performance, many organisations will not live to see the next fiscal year.
- The governing body, i.e., the board (in the case of businesses, state entities and non-profit organisations) or the council (in the case of tertiary academic institutions and municipalities), is responsible and ultimately accountable for IT governance.
- Every member of the governing body, even if they are not part of the IT committee, has the fiduciary duty to make informed judgements about IT.
- Where the governing body delegates some of its responsibilities to management committees, these must comprise individuals with the right knowledge, skillset and level of authority.
- It is a necessary and a good practice for the governing body to appoint an IT governance advisor to provide the necessary insight to help make the right technology decisions and judgements for the organisation.
Bafana Nkosi is the Managing Director and Principal Consultant at GINELI Business Services, an IT consulting firm. For more information, insights and help with optimising IT governance in your organisation, contact him.