Boards Must Wake Up to IT Governance

Board directors today have extensive responsibilities to comply with the UK Combined Code, Sarbanes-Oxley and a host of other national statutes and regulations. With technology at the heart of most enterprises, there are explicit requirements for directors to ensure proper governance of IT as a part of their control of operational risk. However, despite the clear need for effective oversight, we recently discovered that take-up of IT governance remains worryingly low.

Through our provision of GRC (Governance, Risk Management and Compliance) knowledge resources and consultancy, we deal with an international customer base of professionals directly involved in many aspects of IT governance and information security. We recently surveyed the opinions of almost a hundred of these customers on a range of IT governance issues and found that much remains to be done.

The headline finding of this study was the fact that only 12% of respondents’ businesses adopted a professional approach to IT governance, with a board committee created to oversee technology investments, management and performance. While a further 16.5% reported that progress was being made towards achieving this, more than 50% indicated that this was far from the case.

The almost daily news stories of corporate data losses and mismanaged IT investments are ample proof of the vital need for IT governance. The recent advent of the first US civil lawsuits against companies losing customer data shows how costly a poorly controlled IT capability can prove, not only through impaired security and competitiveness, but also as a source of litigation and reputational harm.

However, it appears that, for many organisations, this penny has yet to drop. Fewer than 7% of our respondents said their board members understood the risks posed to business operations by information and IT systems. Worryingly, 49% said this was certainly not the case.

For those businesses serious about IT governance, a range of frameworks exist to help them, including ITIL, CobIT, ISO17799 and PMBOK. However, our study indicates that only 9% of organisations use such frameworks in a concerted way. While a further 19% said that good progress was being made towards their use, the majority disagreed: over 21% reported only occasional use of IT governance frameworks, and fully 30% said they were not used at all.

Unsurprisingly, therefore, less than 37% said that IT governance frameworks were integrated with their company’s enterprise risk management regime, with fewer than 7% saying that this was achieved fully.

These findings are a startling insight into the excessively relaxed attitudes that many boards have towards their governance obligations. We need to see more boards recognising that there is no dividing line between IT and the rest of the business, and that they consequently need to exercise the same governance as they would over other corporate activities such as finance or marketing.

The author

Alan Calder is chief executive of IT Governance Limited (http://www.itgovernance.co.uk). He is co-author of the definitive guide to ISO 27001 compliance, ‘IT Governance: A Manager’s Guide to Data Security and BS7799/ISO17799’.

© Exaprotect. All Rights Reserved | Disclaimer | Privacy | Terms of Use