Getting The IT You Deserve

IT Governance – A Matter For The Board

Mr Gordon Perchthold and Ms Jenny Sutton are
Principals with ABeam Consulting. They have assisted
insurance companies and banks across Asia, Oceania,
North America, Europe and Africa in realising positive
business outcomes as a result of providing strategy/
operations and business technology solutions. In this
article, the authors discuss the key components of
Information Technology Governance, and the need for
Boards to give IT the attention it deserves.

F
inancial restatements, excessive executive compensa-
tion, and a perceived disregard for management ethics
have been consistent themes in the media, politics
and academia since the Enron/Arthur Andersen meltdown
in 2002 brought to prominence a series of high-profile cor-
porate scandals, resulting in the loss of billions of dollars
in shareholder value and the decline of public trust in the
execution of fiduciary responsibilities by corporate manage-
ment and the Board.
Significant debate has ensued as to the composition
and duties of the company Board in exercising its fiduciary
responsibilities. These governance duties clearly include
providing perspectives on strategic direction, seeing that
business objectives are achieved, ascertaining that risks have
been identified and managed appropriately, verifying that
business resources are used responsibly and ensuring that
company affairs, particularly value and risks, are portrayed
accurately to stakeholders. Emphasis in the debate has pre-
dominately been on financial oversight, available financial
expertise and independence of the audit committee. Much
restructuring of the Board has already taken place in publicly
listed companies.
Has IT Governance Been Neglected?
However, the case can be made that governance has been
neglected in another crucial area of a company’s supporting
infrastructure – information technology (IT). Given that IT
can have such a profound impact on value creation in infor-
mation industries such as insurance, banking and securities,
while at the same time exposing the business to a broad range
of significant operational risks, it is perplexing that IT has
historically received so little attention in the boardroom.
Although there are no significant publicised examples
(yet) where an IT failure has brought about the collapse
of a company, there are many examples where shareholder
value has been eroded as a result of hundreds of million-dol-
lar write offs on cancelled or failed projects. In addition, an
organisation’s IT assets can deliver significant strategic value
only if they are effectively utilised. As the dependency on
IT increases, so does the business risk. IT has the power to
create – as well as destroy – value depending on how well it
is managed. Thus, this is a Board-level issue.
What Is IT Governance?
IT Governance is not just a fancy term for management of
IT. It has broader implications. IT Governance, if taken
seriously, requires the Board to take ownership and inter-
est in ensuring that IT is being managed in an effective,
transparent and accountable manner. Board duties relative
to IT Governance run parallel to those stated earlier for the
broader business, namely:
• Is IT in alignment with the strategic direction of the busi-
ness?
• Is the IT infrastructure and the investment in IT realising
the stated objectives and delivering value?
• Have IT risks been identified and managed appropri-
ately?
• Are business, IT and vendor resources being used respon-
sibly and cost effectively?
Sufficient Technical Knowledge Must Be Available
IT Governance is a responsibility that should not simply be
delegated to the Chief Information Officer (or otherwise
titled person responsible for IT). The lack of Board attention
to IT may be partly attributable to the technical nature and
complexity of the application of technology, particularly in
an extended enterprise (such as insurance) that operates in a
networked information and transaction-processing environ-
ment with agents, third-party distributors (eg. banks, brokers),
billing and collection agencies, information suppliers (eg.
medical doctors, auto repair shops) and, of course, corporate
and individual customers.
Typically, Board membership requires a basic understand-
ing of finance and the inclusion of members with appropriate
specialist knowledge. In a similar manner, the Board should
discharge its duties related to IT.
An IT Committee Facilitates Governance
The Board needs to be prepared to ask the pertinent tough
questions (and understand the answers) to satisfy itself that
value is created and risks are managed. An emerging best
practice in the US, although much less prevalent in Asia,
is the establishment within the Board of an IT Committee
similar to the Audit Committee to assess in more depth

ASIA INSURANCE REVIEW ▲

FEBRUARY 2005 ▲
1
 Getting The IT You Deserve
the integrity of the IT foundations of the companies they
govern. A recent survey of Fortune 500 companies by the
IT Governance Institute identified that almost 31.8% of
companies have established an IT Strategy Committee; and
in a further 29.3%, the Board actively reviews and approves
IT strategy.
The IT Committee should include at least two Board
members, outside members with strong IT knowledge, key
business executives, and the CIO. The key areas that the IT
Committee typically considers are IT alignment, IT delivery
of value, IT resource usage, and management of IT risk.
Is IT Aligned With The Business?
Realising value from IT can only be achieved if there is
strategic alignment between the business and IT. As the
Board provides input and approves the strategic direction
of the business, the explicit role that IT plays in relation to
each strategic initiative needs to be
clearly articulated. All IT initiatives Board Governance of IT in
and expenditures thereafter need to US Fortune 500 Companies
relate back to how they will contrib-
ute to the realisation of a strategic
direction, and on what basis and Board
occasionally
within what timeframe they will asks questions
be measured. (9.6%)
Is IT Delivering Value?
Assuming that IT is aligned with
the business, the Board must ensure
Board is
that IT value is effectively derived informed
from two sources: realising the ben- (25.5%)
efits from the new investments in IT
that (cost-effectively) enables the
broader business model; and mini-
mising the cost of IT operations.
The Board should ensure that a process is in place so that
no material IT investments can be made unless a business
executive is sponsoring, actively involved and held account-
able along with IT management, for the realisation of the
benefits from the IT investment. A concise business case with
explicit measurable objectives must exist for each initiative,
and be actively monitored (and rolled up for Board-level
review where appropriate) in terms of performance relative
to stated promises.
In order to ensure that business value is delivered, the
Board must set meaningful, measurable, business value-
related objectives to be met by IT. Objectives can include
items such as application to policy issuance conversion rate
in the case of a new agent desktop application, or customer
retention/conversion rates in the case of a CRM system
implementation.
In terms of ongoing IT operations, it is surprising how little
management scrutiny is applied to this area, given that IT
application maintenance and platform infrastructure typically
consumes the majority of any IT budget, thereby drawing
funds away from profits or new IT investments to support
a changing business. The Board must satisfy itself that IT
management is continuously driving down the costs of IT
operations, both in terms of the approaches used for applica-
2 ▲
ASIA INSURANCE REVIEW ▲
FEBRUARY 2005
tion support and maintenance, as well as in the provisioning
of the hardware and telecommunications infrastructure.
Is IT Using Resources Effectively?
The Board should be involved in key decisions regarding
the allocation of IT resources, be they financial, human or
technology resources. This requires the Board to understand
the process for project prioritisation and provide input when
material decisions are being made. The Board must be com-
fortable that the appropriate management structure and skills
are in place to effectively manage the resources that are as-
signed. Finally, given the large sums of money often involved
with IT investments, the Board should satisfy itself of the
integrity of the procurement process for vendor services,
and that vendor selection is not gamed through omission of
qualified vendors, issuance of RFPs (request for proposals)
with unreasonably short turnaround time frames, or biased
selection criteria designed to fa-
vour a pre-selected, but possibly
more expensive or less qualified,
vendor.
Board does
not address Is IT Identifying, Managing Risks?
IT (3.8%)
The Board should be aware of all
Board has an
IT Strategy possible project and operational
Committee risks, and make deliberate choices
(31.8%)
on whether to mitigate, transfer or
accept risks. Risks cover all areas
of IT operations as well as IT
investments. Business Continu-
ity Planning, Disaster Recovery,
Board
approves System Security, Transaction and
IT Strategy Data Integrity all fall into this
(29.3%)
domain. Based on observations
of many insurance companies in
Asia, this is an area with significant potential for improve-
ment. Given the very nature of insurance, it is surprising that
insurers are not better at recognising the risks in their own
businesses, particularly IT-related ones.
Independent Assurance On IT Performance
The expectations being placed on the Board have increased
dramatically. Effective IT governance can be a challenging
proposition, particularly given the limited time that Board
members commit to Board duties. Given the complexity of
IT, it is often advisable to leverage an objective perspective of
an independent third party with the necessary broad expertise
to assess the performance of IT relative to Board expectations
in terms of IT alignment, value, resources and risks.
IT is no longer a low-level tool but a fundamental business
component that can directly impact the success and failure of
any enterprise. It is time for the Board to bring IT out of the
basement and give it the level of attention it deserves.
Next month’s column will discuss the Role of the CIO.
The authors can be reached at
goperchthold@ABeam.com and
jsutton@ABeam.com.
www.abeam.com