Competency Two: Governing Risk and Compliance (May 2015)

Enterprise Technology Governance

Leading strategy & performance
Meeting fiduciary responsibility
Directing value creation

Governing risk & compliance

Competency Two: Direct and govern business technology investment and risk.

EGC (Enterprise Governance Consulting)


Direct and govern business technology investment and risk. This is the second of three Enterprise Technology Governance (ETG) papers based on Elizabeth Valentine’s doctoral research (Valentine, 2015). This thesis developed three competencies that experienced industry and governance practitioners considered boards of directors need to effectively govern technology in a digital world. Competency paper two also provides practical examples for boards to use. The first paper covered the board’s competency to strategically govern technology for competitive advantage and business performance. This second paper looks at technology-related competencies around investment and risk decision-making within the board.

Background

Whether it’s the risk of systems failures, cyber-attack or loss of data, every day the media reports the threats posed to organisations through computer and mobile networks and the Internet. What is unfathomable is evidence that the predominant board technology governance approach is either non-existent or delegated to management. Some boards provide ETG via a sub-committee, but 85% of boards fall short of demonstrating full digital leadership and governance capabilities (Fitzgerald, Kruschwitz, Bonnet, & Welch, 2014). There’s a small but vocal slice of the population convinced that technology governance isn’t any different from other technical domains such as talent management or marketing. I suggest, having worked in HR and in close association with marketing, that these domains differ markedly from technology, especially in the area of risk. It’s the explosion of computer-based technology over the last 40 years, its pervasiveness and game-changing impact on society and how businesses operate, that makes technology different. The reality is that a technology failure or foul-up in any industry can take out a business (Kodak comes to mind) or kill people (think transport). A failure or breach can cause a disastrous ripple effect, potentially in seconds. In aviation, for example, if the navigation, auto-pilot, freight, reservation or passenger check-in systems go down for a few minutes or even hours, the impact could be disastrous. System downtime or even failure could compromise the organisation’s reputation and cause a knock-on effect that ripples across multiple areas of the community such as the tourism, business, fast-moving consumables or export sectors. Effects can cost millions within seconds.

Copyright © 2012- 2015. Elizabeth Valentine and Enterprise Governance Consulting. All Rights Reserved.


Competency Two Governing Risk and Compliance

Yet in 2015, most boards are still governing technology risk by exception, i.e., receiving risk notification via board papers, usually after an incident or breach, rather than as an integrated part of their overall strategizing and risk oversight. Technology is a major factor in the competitive, strategic, security, risk and investment decisions they should now be leading and directing as part of their board accountability. ETG is part of a board’s fiduciary duty of care whether they realise it or not.

Competency Two Definition

Directors with competency two are able to demonstrate the following skills, knowledge and experience:
• make quality judgments and decisions in relation to strategically relevant, prioritised technology investments
• demonstrate capability to oversee technology risk, especially as it relates to data security.

Competency Two Organisation Capability Statement

As leaders, these boards expect data and information to underpin strategy development, investment prioritisation, performance planning, monitoring and board reporting, and to drive quality decision-making at all organisational levels. This organisation understands how information and data flows can be used for innovation and business improvement as well as for risk monitoring. The board expects people at all levels of the organisation to use data to monitor and analyse opportunities and risk, especially in areas of vulnerability such as high-cost IT projects and the business use of mobile technology, the internet, social media and the internet of things. This board and its directors understand and use information and data to evaluate, direct, monitor and analyse the information provided by management, supply partners and advisors. They are capable of asking probing questions and contributing to discussion to ensure that decisions about technology-related performance and risk oversight meet governance performance and compliance requirements.


Key areas of enterprise technology governance to consider

This section presents each of the seven descriptors from competency two, asks a key question and provides a little more information.

Descriptor 1

Able to lead the strategic use of business technologies, and data and information use for decision-making. This competency is mindful of the board’s role in strategic oversight and how their attitudes and beliefs about technology play an important role in the use of information and data for decision-making throughout the organisation.

Question

What is the board’s current shared attitude towards technology and its governance? Understanding this ensures that board attitudes, beliefs and culture, especially in long-established, more traditional boards, are not a barrier to technological opportunity or a source of added risk. When demonstrating this competency, these boards:
• Can evaluate, prioritise and champion technology-related projects because they understand how the system will assist in improving performance and creating value
• Continue to ask questions and measure technology integration, effectiveness and usage after major technology investment projects have been implemented. They lead value creation
• Have critically evaluated the role and position of the CIO or CTO and have made a judgment call on the strategic positioning of this role within the executive structure.


Descriptor 2

Demonstrates an understanding of technologies for identifying, tracking, mining and exploiting the data and information relevant to the organisation’s needs.

Question

How does this board ensure that data informs decision-making at all levels of the organisation? To ask about and understand the implications of this competency, directors and senior executives need to have a good knowledge of:
• The types of data and information critical to good decision-making, its various sources (including big data) and its currency
• How, after the implementation of a new business technology system, expected value will be or is being derived through the use of the new technology
• The extent to which cross-organisational data sharing occurs and how this facilitates timely risk identification and decision quality.


Descriptor 3

Knowledgeable about the unique issues associated with competitive advantage and IT user experience.

Question

In what ways can our organisation use technology to add value to its stakeholders? To fully address this question, this board understands that a crisis averted means minimisation of loss (including reputational loss) as well as maximisation of resources (people, money and time). This board has:
• A comprehensive overview of all major stakeholders (shareholders, supply and alliance partners, regulators, management and staff) and the ways in which technology can enhance communication and engagement with them
• A current understanding of the strengths and weaknesses of current technological engagement with stakeholders (and preferably each stakeholder group’s views on this)
• A good understanding of how current and emerging technology can be used to improve or add value to stakeholder engagement.


Descriptor 4

Able to evaluate technology risk to ensure the continued operation of the business. This board understands that governing technology risk consists of a series of linked, interdependent, iterative and ongoing actions conducted as part of the board’s overall governance accountabilities.

Question

What types of technology risks does our organisation face, and what are our current and future mitigation approaches? This board develops and requires reporting on all key areas of technology risk relating to:
• Whether the board and senior executives have the right technology competencies to derive value and manage risk
• The security of the organisation’s data and information and how privacy is maintained
• The effective design, integration and implementation of technology projects
• The current and future integrity of technology hardware and systems and how this affects business continuity
• The effectiveness of current board-level approaches to technology risk oversight.


Descriptor 5

Able to oversee the governance of IT acquisition, implementation, maintenance and disposal to balance risk with opportunity and to support retention of intellectual property and organisational memory.

Question

How effective is our current governance of the technology systems life-cycle, from proposal to disposal? This board understands its role in:
• The oversight of all phases of the technology project life-cycle, from inception to measuring post-implementation value
• Ensuring that operational IT governance and IT governance frameworks (e.g., Val IT, COBIT, ITIL, TOGAF) form an integral part of the organisation’s business planning, performance monitoring and reporting (including board reporting) system.


Descriptor 6

Knowledgeable about how to glean intelligence from big data and translate the findings into business advantage.

Question

What new sources of data can provide the board with better competitive and risk insights? Again, this question should stimulate debate within the board about the role and responsibilities of the CIO and how the organisation is making best use of new data and analytics for strategizing and decision-making. It’s essential that directors have good knowledge of:
• Current mega-trends affecting their industry sector and the sources of current information relating to this
• Whether they have the right competencies to analyse new types of big data and how to use this information to keep up competitively.


Descriptor 7

Skilled in the design and use of technology performance scorecard measures. Knows what to measure and how to interpret performance data.

Question

To derive expected returns and glean business advantage from technology investments, what type of customer/stakeholder, financial, employee and operational measures should be in place and reported on in board papers? This competency should tie all three ETG competencies together such that the board measures the effectiveness of technology strategy, integration, investment, implementation and use for innovation, improvement, advantage, efficiency and effectiveness, as appropriate to the sector it operates in and the organisation’s type and size. Directors need a good knowledge of:
• Where to focus customer/stakeholder engagement activity and investment
• How to demonstrate financial returns on technology investments to our shareholders/stakeholders
• What the business must excel at to remain fresh and competitive, and how technology can support that through information and communication system design
• How technology supports management, staff and stakeholders in learning, growing and innovating.


Discussion

Board effectiveness in overseeing IT investment and use is not so much concerned with the details of technology as with a better understanding of business technology governance. Boards need to provide clear guidance on how management should be dealing with technology investment, risk and value creation, and how they report on the same. ETG-focused boards can ask the right questions, challenge responses in relation to the businesses they govern, and are much more likely to ensure that technology-related strategic and risk information makes it onto the board agenda. They understand that there is risk in delegating ETG, as well as their wider governance responsibilities, down to management without competent oversight.

Competency Three

Competency three looks at directing innovation and value creation.

References

Fitzgerald, M., Kruschwitz, N., Bonnet, D., & Welch, M. (2014). Embracing digital technology: A new strategic imperative. MIT Sloan Management Review, 55(2), 1-12.
Valentine, E. (2015). Enterprise Business Technology Governance: new core competencies for boards of directors in digital leadership. (Doctor of Information Technology Monograph), Queensland University of Technology, Brisbane, Australia.
