Corporate boards are failing to understand the value of IT to their organisation and accordingly have inadequate governance, experts have warned. Research has revealed that only 12% of companies have adequate IT governance.
Companies now have to comply with Sarbanes-Oxley, the UK Combined Code and HIPAA regulations, yet a survey carried out by IT Governance, a specialist consultancy, training and publishing company on the subject, found that corporate boards are failing to implement the required IT governance. Fewer than half of the 100 companies surveyed were using governance frameworks such as COBIT and ISO 27001.
The survey was targeted at a mix of IT workers, and under 7% said their board understood the risks that IT posed to business operations. Over 57% of respondents said directors failed to understand that ageing IT systems require maintenance and that the business would be affected if they did not get it. An IT governance framework was part of the company risk management plans in fewer than 37% of the organisations polled.
Alan Calder, chief executive of IT Governance, said company boards need to treat IT governance in the same way as they would an audit committee set up to independently assess the organisation’s finances.
“Governance is the board’s job, governance of the whole organisation and IT is now its biggest asset,” he said. He called on boards to set up IT oversight committees as a sub-committee to the board. “This must be chaired by someone who has good recent IT experience and the members must hold the board to account on IT issues.
“We need to see more boards recognising that there is no dividing line between IT and the rest of the business, and that they consequently need to exercise the same governance as they would over finance or marketing.”
Calder said oversight committees should be looking at the sign-off for new IT projects and be prepared to “pull the plug” on projects that are failing to deliver. He said IT workers had “a more realistic view than the CIO”, but admitted that they also tended to be more negative. “An IT oversight committee means they feel good decisions are being made.”
According to the survey results, only 12% said that a board-level IT oversight committee existed, and in 50% of cases no progress towards setting one up was being made. “These findings are a startling insight into the excessively relaxed attitudes that many boards have towards their governance obligations,” Calder said. “It seems that almost every day we read a new story about lost customer data or expensively failed IT investments.”
IT’s heritage is partly to blame. “In a way it is not surprising, IT was an automated way of doing the books,” Calder said, adding that many boards were failing to recognise how IT had since become an asset to the organisation.