Corporate Governance and the role of IT

Date: Thursday, June 11, 2009

It's a fact: today corporate governance and IT governance are inextricably linked. However, while it is obvious senior executives cannot properly govern without relying on information from IT systems and external data sources, many senior management teams do not view IT or IT leaders as critical components of their corporate governance strategy. In fact, in many companies, CIOs do not even report to their CEOs, but rather to the CFO – leaving not only the financial risk, but also the risk of IT failure (failure to secure, to comply, and the inexcusable failure to innovate) up to one person.

Where does the CIO report?
Going forward, CIOs and IT executives must have a seat at the CEO’s table.

CIOs have been asking for this kind of access and influence for years, with varying degrees of success. CIOs reporting to the CFO often do not fully understand the importance of IT’s role in the business, but instead view IT as a utility. This typically means that IT’s mission is to keep the lights on at the lowest possible cost to the business and make certain laptops and email are up and running.

In contrast, CIOs who report to the chief business executive are often not only responsible for ‘keeping the lights on,’ but also have an important role in moving the business forward as the force driving innovation. In such companies there is an acknowledgement that IT underpins everything a company does … and that not properly governing IT imposes dire risk. That risk could include both short and long-term survival of the business.

Today, IT is more important to the survival of your business than ever before
Despite claims from authors such as Nicholas Carr that IT doesn’t matter, IT matters more today than ever before, and will matter more tomorrow than it does today. As we move into the age of technology democratization and social networking, the role of the CIO and the criticality of IT governance are further elevated and infinitely more complex.

Not only are CIOs responsible for ‘keeping the lights on,’ IT innovation, data security, compliance and customer service, but also they must determine how to govern and manage new technologies now resident in every company, on every desktop or laptop.

IT employees are no longer ‘just in the IT department’; they are in every department, and every employee with internet access is an IT employee.

Risks of Social Networking and Technology Democratization
If rules and processes are not put in place to accommodate these new IT employees and control their activities, the risks to the business are potentially catastrophic.

As employees join social and business networks, business risks increase and include situations that most corporate executives never considered. A prime example would be if your company signed a non-disclosure agreement (NDA) with one of its clients. An employee, with no understanding of the contract between your company and the client on whose account he works, innocently posts that he works on that account on his favorite social networking site.
The client, routinely monitoring the most popular sites, finds his company name prominently displayed. In the worst case scenario, the situation escalates, the client sues for breach of contract, your company winds up paying untold damages, as well as losing at least one client (not to mention the adverse publicity generated by the litigation).

IT executives have to make business executives aware of potential risks and put technology and processes in place to protect against risks associated with business and social networking. These risks could include (but are certainly not limited to):

* Exposure of competitive secrets; i.e., internal systems
* Corporate liability due to violating NDAs when employees name customers or discuss proprietary customer information, giving their competitors a marketplace advantage
* Naming individuals / providing contact information, breaching their internal privacy.

Lost Opportunities: Risks of NOT Exploiting Social Networking and Technology Democratization
Just as IT executives must protect their companies from the risks of social and business networking, so too they must figure out how to capitalize on these new technologies and connections. And they need to work with business executives (in most cases, the Chief Marketing Officers of their respective companies), to help them deploy strategies and to use business and social networking to their advantage. In order to make a business case for allowing use of social and business networking, here are some questions CIOs are asking:

* What is Twitter®? Can my company ‘tweet’ to improve our business? Can we use Twitter to sell more products to different audiences or to improve customer service?
* When you use Twitter, remember it is a publishing medium. In many cases, tweets can be picked up by Google. So be careful what you say, especially if you talk business using Twitter (as many people do). What you say can affect your business, boss, clients, competitors, just about anyone. You need to remember, it’s publishing, and the whole Web can read what you tweet.
* How can YouTube or Orkut or Google help my company recruit employees? Are the risks associated with using these sites superseded by the potential benefit of finding great employees at a reduced cost?
* How do I control use of my employees’ time when they are on a networking site?
* Can my company find innovation outside our four walls? Does mass collaboration really work and what are the risks and benefits? Since Procter and Gamble improved its business through mass collaboration, does this mean my company can?
* What do I want our corporate participation/acquiescence to accomplish?
  * Lead / Idea Generation
  * Converse with Customers
  * Build Excitement
  * Create & Reward Loyalty
  * Stimulate a Passion by Creating Enthusiasm
  * Build & Maintain ‘Buzz’ re New Product or Service

What should you do? Findings and Recommendations
Obviously, the days of the CIO being a pure techie operating on an island with limited access to the business are over. Indeed, in most industries, the CIO is perhaps the most pivotal member of the executive team. Unfortunately, some business executives and corporate governance teams have yet to realize that the CIO may hold the keys to the future.

In addition, IT governance is not a “nice to have”; it is a “must have.” It is impossible to have strong corporate governance without strong IT governance. With today’s technology environment and availability, organizational threats (and opportunities) can come from inside the walls of the business or outside. The IT organization is required to secure the business through the use of procedures, policies and technical safeguards. This governance should ultimately secure the business while at the same time allowing it to take advantage of knowledge capital and innovation available internally and externally.

Recommendations for the CIO
CIOs need to pick their battles. What are their critical priorities, what are their companies’ core competencies? Where should their focus really be? Can CIOs know enough about social and business networking and IP laws and paths to innovation if they are fully engaged in making sure batches are processed properly overnight or whether their direct reports have thoroughly reviewed time cards before they sign off on them?

Certainly outsourcing has grown in popularity over the last decade, not just because it saves companies millions of dollars every year, but because it allows CIOs and the internal IT organizations to focus on what is really strategic to their business. Perhaps the answer for the CIO is to outsource the tactics based upon his company’s strategic direction.

Recommendations for the CEO
CEOs need to redouble their efforts to understand the benefit / risk ratio of technology democratization while at the same time considering exploiting its benefits. They need to make sure that their IT governance strategies are subsets of their corporate governance strategy and that their CIOs are capable of developing and executing an appropriate IT governance strategy.

Further, corporate leaders need to ensure their technology executives are focused on social networking issues and are able to understand, articulate and advise the corporation about strategies for each.

However, in order for corporate and IT governance to be conjoined, your CIO must be capable of being both strategic and tactical with a firm grasp of IT governance requirements. CIOs who are more comfortable talking about batch windows and middleware are not going to be comfortable mapping their IT expertise to your business strategies or, better yet, helping you create business strategies based on their IT expertise. They are certainly not likely to understand best practices in IT and corporate governance and help you combine the two.

As the Chief Executive Officer, be certain your CIO is a direct report. Too often, the CFO filter causes CEOs and their companies to focus only on tactical cost savings opportunities, resulting in innovation being lost in the translation. CEOs need to brainstorm with their top IT executives to figure out how to protect the business and leapfrog their competition by making innovation part of everyone’s job description.

When this occurs, when IT governance becomes part of corporate governance, the company will find itself on a path to accept and use the technology of the present to develop tomorrow’s innovations!

Author is CMO at UST Global Inc