Now a new Information Technology (IT) Governance Standard can demand more accountability from corporate boards and keep company directors on tenterhooks. New technologies are today embraced enthusiastically to gain that competitive edge in the market. This passion for technology has always made an objective review of IT a difficult task to perform, especially given the risks involved.
Today, IT is used by many entities to efficiently run parts of their sophisticated businesses. In some instances IT has become the very kernel of the success of certain industries. It is doubtful whether companies today apply the same level of attention to IT matters that they are required to devote to the financial and regulatory aspects of their businesses. The new standard does not want that responsibility to be handled as a bottom-up approach; it squarely wants the directors to provide the leadership and assume accountability for the appropriate use of IT.
Directors can become liable for a variety of IT-centric issues such as security, business continuity, disaster recovery, privacy, data protection, record retention, intellectual property, information governance, financial and regulatory reporting, and many other aspects covered by cyber-related legislation. The board will do well to enquire and ensure that management is fully aware of what information resources exist, their condition, and the role they play in helping the enterprise to be successful.
The new IT Governance Standard, ISO/IEC 38500, issued by the International Organisation for Standardisation (ISO) and the International Electrotechnical Commission (IEC), sets out a framework for making IT governance a critical component of corporate governance. The standard brings to the forefront the ethical, legal and regulatory obligations of the corporate board with regard to the use of IT. This standard is reported to have been largely triggered by the Australian Standard AS 8015 and also inspired by established governance conventions such as the Cadbury Report and the OECD principles of corporate governance.
So what is IT Governance? Different people define it differently. However, a simple definition is ensuring that an effective structure is laid down for organisations to align their IT and business strategies. It should ensure that IT functions sustain the business plans and that there are means to evaluate and measure their performance, similar to a balanced scorecard approach.
ISO/IEC 38500, issued in June 2008, has just fifteen pages and is available at www.iso.org for a price of about one hundred dollars. This first ever international standard for IT governance provides guiding principles for directors on the successful and acceptable use of IT within their organisations. Some of the key actions, namely “evaluating, directing and monitoring” IT governance, are now the responsibilities of the board, besides aligning IT to organisational strategies. The standard aims to give assurance to all stakeholders that, if it is adopted and followed, they can have confidence in the governance of IT in that organisation. Like all ISO standards, this one is not mandatory, but compliance by some of the better-governed companies can put pressure on the rest, who will want market visibility for their adherence to a higher standard of governance. It is also possible that regulators will require conformance to ISO standards, as some ISO standards have already become mandatory in some countries, particularly in the areas of health, safety and environment.
The IT profession itself is now driving the convergence of various aspects of standalone activities in the areas of Governance, Risk and Compliance, now collectively referred to as GRC. Experts believe that CobiT (Control Objectives for Information and related Technology), which is acknowledged to be the leading management framework for information technology, providing guidance for policies, processes, structures and controls, will still be a useful tool to help implement the new ISO 38500.
Convergence is surely taking place more constructively and with greater speed than ever before. As someone said, the reward of one duty done is the power to fulfil another. The regulatory and independent standard-setting bodies are keen to be uniformly aligned when targeting directors on the boards of companies in the name of better governance and responsibility. The UK Companies Act for the first time codified seven path-breaking statutory duties for directors, many of which came into effect from October 2007. It is no longer a matter of interpretation through case law; the duties are now hardwired into the statute. This new ISO standard on IT governance also seems to have graphically captured this new responsibility of directors on paper.