Published on CIO.co.uk at http://www.cio.co.uk/concern/compliance/news/index.cfm?articleid=2583&pagtype=allchandate
5 February 2008
Corporate boards are failing to understand the value of IT to their organisation and therefore have inadequate governance, experts have warned. Research has found that only 12 per cent of companies have adequate IT governance.
Companies now have to comply with Sarbanes-Oxley, the UK Combined Code and HIPAA regulations, yet a survey carried out by IT Governance, a specialist consultancy, training and publishing company on the subject, found that corporate boards are failing to implement the IT governance required. Less than 50 per cent of the companies surveyed were using governance frameworks such as CoBIT and ISO 27001. IT Governance interviewed 100 technology and compliance professionals for its survey.
The survey was targeted at a mix of IT workers and found that under seven per cent said their board understood the risks that business operations faced from IT. Over 57 per cent of respondents said directors failed to understand that ageing IT systems require maintenance and that the business would be affected if they were neglected. An IT governance framework was part of the company risk management plans in less than 37 per cent of the organisations polled.
Alan Calder, chief executive of IT Governance, said company boards need to view IT governance in the same way as they have an audit committee to independently assess the organisation’s finances. “Governance is the board’s job, governance of the whole organisation, and IT is now its biggest asset,” he said. He called on boards to set up IT Oversight Committees as a sub-committee of the board. “This must be chaired by someone who has good recent IT experience and the members must hold the board to account on IT issues.
“We need to see more boards recognising that there is no dividing line between IT and the rest of the business, and that they consequently need to exercise the same governance as they would over finance or marketing.”
He said Oversight Committees should be looking at the sign-off for new IT projects and be prepared to “pull the plug” on projects that are failing to deliver. Calder said IT workers have “a more realistic view than the CIO,” but admitted that they also tend to be more negative. “An IT Oversight Committee means they feel good decisions are being made.”
Calder believes CIO surveys tend to be very positive: “they believe their board is doing the right thing”. In some organisations the CIO reports to a finance director, which Calder said means the IT governance message pressed by the CIO is not reaching the board.
According to the survey results, only 12 per cent said that a board-level IT oversight committee existed, and in 50 per cent of cases no progress towards a committee was being made. “These findings are a startling insight into the excessively relaxed attitudes that many boards have towards their governance obligations,” Calder said. “It seems that almost every day we read a new story about lost customer data or expensively failed IT investments.”
IT’s heritage is partly to blame. “In a way it is not surprising; IT was an automated way of doing the books,” Calder said, adding that many boards were failing to recognise how IT has changed into an asset to the organisation. “The success of organisations like Tesco is its use of IT. Those organisations that treat IT purely as a function don’t have a handle on its value.”