If an organisation’s IT does not work, there is a real prospect that strategic objectives will not be reached. Yet how many boards spend time on IT issues? How well do they understand the IT risks they face? Two recent surveys provide some answers. Lani Bannach and Sue Copeman analyse the results.

Part I

The challenges for the board of a company are manifold. Complex regulation, new markets, pressure from competitors, and changes in the economy are all factors that need to be responded to and taken into consideration when deciding upon the best future strategy of the company.

Where does IT fit into all this? For more and more companies IT plays an increasingly important role in sustaining competitive advantage, in meeting the increasing demands from regulators, and in providing timely information about the performance of the business. These are all examples of elements which are fundamental to successful execution of corporate strategy. But is IT adequately addressed by the board, and what role does it play as part of corporate strategy?

Last year, a study was carried out by Deloitte and Corporate Board Member magazine. ‘The Board and Information Technology Strategies’ study was aimed at determining some of the key trends in IT strategies at board level.

It resulted in some interesting findings. From a risk perspective, if the information technology does not work properly, it will have a major impact on the success of the implementation of strategy. Almost a quarter (21%) of the respondents were of the view that their company had significantly failed in achieving its goals in the past five years and that the failure was attributable to shortcomings in IT.

The top three shortcomings were identified as:

1 execution of the IT strategy

2 lack of alignment between IT and the business

3 the time required to execute exceeded expectations.

If respondents considered that the cause of failure in achieving corporate targets was related to information technology, what did they think the explanation was? There was a curious anomaly here. Although one of the findings was that an overwhelming majority – 91.2% – did not discuss IT issues at board level, approximately half of respondents considered their boards to have IT knowledgeable members. This suggests that the fault may lie perhaps with lack of opportunity or lack of priority, rather than lack of knowledge.

Priorities

The study also offered answers to what the top priorities were for boards. Risk management and compliance were firmly put as two of the top three items on the board agenda. Over 96% of respondents found compliance important and 96.2% found risk management important. The only issue of greater importance was the strategic direction of the company.

Further, it was considered that if strategy, risk or compliance were mismanaged, it had the potential to cause the business to fail. So there is definitely focus and attention paid to these top issues – and IT has a significant part to play in at least two of them. For example, in the study, IT was deemed by a majority to be very important to the success of implementing efficient compliance.

The conclusion must be that IT is fundamental to meeting the key objectives of successful execution of strategy, risk management and effective compliance. And the study certainly revealed that senior management were prepared to give IT greater visibility. Almost two-thirds (61%) of CEOs said that they would like to see IT have a raised profile in the board room. And a similar (66.5%) proportion of board members were of the opinion that IT strategy was important and should be discussed at the board level.

“IT was deemed to be very important to implementing effecient compliance

Where there is a will, there is a way. It appears that there is a will, but will that provide the way? Seemingly not – only 45.2% of the respondents believed that the board would be spending more time on IT issues over the next three years than at the time of the survey .

Slightly more – 47% – of respondents had brighter expectations of the future, believing that IT would increase in priority for the board during the next three years. A smaller number of respondents predicted that there would be no change in the priority for IT at board level.

The study revealed that in 52.8% of companies the chief information officer or the chief technology officer only interacts with the board when needed. For 15.5% of companies this was frequently; for a similar proportion, it was an annual event.

Is it necessary to include IT at board level? Or, to put it another way, is it necessary to consider the performance of the engine room when deciding upon future direction? The answer has to be yes. Not only are there skills within the board room, able to evaluate the IT aspects, there is also an excellent opportunity for increasing the certainty of successful implementation of the chosen strategy, with the added advantage of having a sophisticated business intelligence engine able to produce the basis for decision making in time.

So, the message is to put IT firmly in the boardroom, keep a permanent place for it, and use the power of the engine to improve your company's strategic responsiveness.

Part II

Despite the fact that the last two years have seen a re-emergence of large scale corporate investment in IT systems, many boards lack understanding of the IT risks facing their companies. This is one of the conclusions of a new survey IT Risk – Closing the Gap.

The survey found a clear consensus that the board is spending more time considering IT matters and that IT poses major challenges to businesses. However, the results go on to paint a mixed picture of how the board is perceived to understand the IT risks that it faces, with some gaps emerging.

There was widespread agreement on the importance of IT, with 98% seeing it as strategically important to the future success of their business. In 74% of organisations, IT-related risk, in particular the potential for complex projects to fail, has risen higher up the board agenda and 87% of senior management respondents said it is a major challenge to respond to the pace of change in IT.

The majority (76%) of senior management respondents believed that the board sees IT risk as an increasingly important issue, and the same proportion felt that they understand the risks facing the organisation. However, the perceptions of heads of internal audit were somewhat different. Only 32% felt that the board understood the IT risks faced.

One head of internal audit summarised the views of a number of his colleagues, when he remarked: ‘The board has less of an understanding. This is a constant challenge, as meetings take place infrequently and the non-execs really just want to know that everything is being controlled appropriately. They don't have the time to sit through a more extensive explanation and they don't have the inherent practical experience of IT risk.’

Another head of internal audit noted a tendency for the board to focus on the business benefits that IT delivers rather than the potential risks to which it can give rise, saying: ‘IT is increasingly on the board's agenda – but the average board member sees the potential for enablement much more than the risks. They don't see the connection between the technical detail and the giant-killing issue.’

Analysis by sector revealed differences in opinion, with retail, manufacturing and the public sector seeing less understanding of IT risk than their counterparts from other industries.

The survey also highlights a lack of mutual understanding between the board and the IT professionals over how to assess risk. Over a third of senior management respondents and almost half of internal audit heads felt that IT professionals lack the ability to communicate IT risk and its potential business impact in a way that the board understands. This leads to the board having an incomplete picture of the organisation’s IT risks.

“Only IT governance is being addressed from a strategic perspective

The findings also suggest that the demand for assurance covering IT risks is not being met. More than half of the heads of internal audit surveyed said that their departments were spending less than 20% of their time on this area. This level of focus is not meeting the demand for assurance covering IT risks. In fact, around three-quarters of senior management and heads of internal audit shared the view that the board is looking for more comfort and assurance than internal audit is currently providing.

Perceptions of the focus of internal audit's work showed some interesting variations. Although at a high level 80% of heads of internal audit believed that they review IT risk from a strategic perspective, when asked to analyse work carried out on specific risks, they identified very few areas where they perform strategic level work, the response indicating that only IT governance is being addressed from a strategic perspective by a significant percentage.

Well over a third of senior management respondents believed that internal audit departments, as they currently operate, lack the appropriate capabilities to provide the board with the assurance over IT risks that it needs. Some heads of internal audit agreed, suggesting they are well aware of the obstacles they face in providing effective assurance.

In general, respondents agreed on the top six IT risks that organisations face. These were:

- IT project risk

- IT resilience and continuity

- IT governance risk

- Data security and privacy

- Business systems risk

- Data quality risk.

Senior management and heads of internal audit agreed that managing business projects with a large IT component (IT projects) is the top IT risk that organisations must deal with. This is not surprising given the levels of IT project activity across all industries. Organisations are rationalising or re-implementing ERPs and other major systems. These projects increasingly include complex outsourcing and offshoring and represent major investments.

Essentially it was believed that in-depth IT risk management, business skills and communication credentials are essential for success.

The research was carried out by PricewaterhouseCoopers LLP on behalf of the Institute of Internal Auditors – UK and Ireland.

Topics