SIDEBAR: Governance: It's Comply or Die

The Corporate Law Economic Reform Program Act 1999 (CLERP) introduced a range of provisions designed to improve corporate governance practices, BearingPoint's Geoff Stalley says. The changes reflect a new reality where responsibility for corporate activities extends beyond the board of directors to individual directors, executives, officers and employees of a corporation.

Moreover, companies with US head offices, and even many of those who just do business with the US, must now heed the Sarbanes-Oxley Act signed into law last year by President George W Bush. The legislation aims to strengthen accounting oversight and corporate accountability by enhancing disclosure requirements, increasing accounting and auditor regulation, creating new US federal crimes and increasing penalties for existing federal crimes.

At the same time boards are increasingly no longer prepared to rubber-stamp requests for IT capital spend, but are instead forming subcommittees to examine such proposals inside out.

"That whole blurring of the management and governance means that IT now has to think of another stakeholder being the board of directors," Stalley says. "The directors are effectively responsible now, under this new wave of governance, and as a result I imagine that they are trying to hold CIOs a lot more accountable for the accuracy of business cases and financial spends and all that sort of stuff."

The lessons for CIOs are plain and simple, according to Stalley. One is that CIOs more than ever now have to be true business managers. They have to understand the impact of what they are doing in technology, and how that drives the business result for the organisation. The other is that CIOs who might never have had much to do with most of the directors before now should be looking on them as stakeholders in anything they plan to do.

"They shouldn't expect that if the MD or CEO says they're taking it to the board, that they shouldn't have responsibility to at least try and understand the positions that the board or individual board members might be taking on this, because as things go forward the board is going to be looking at IT spend in much more detail than they have looked before," Stalley says. "So I think CIOs need to realise the Nick Greiner is not a scary guy that only turns up once a month, he's actually someone they ought to get to know and they ought to try to figure out what's going on in his head, because he actually might be more important than the CEO in getting a particular expenditure across the line."

The bad news, Stalley says, is that while some larger companies are doing well, there are probably scores of smaller companies where CIOs have yet to take these concepts to heart, even though significant numbers of them will need to comply with Sarbanes-Oxley. "They are going to be grilled by the parent company or by people looking at them from that Sarbanes-Oxley viewpoint, which is very much around the director's need to be right across what's happening there. And that small to medium company grouping is really quite behind the picture on how IT is positioned. It is still typical for IT to report to the finance director or finance manager," Stalley says.

"Now in the bigger companies, I think most of them understand it, some of them are a bit slower than others in progressing along the Telstra progression, but I think they generally understand what they are supposed to do. A number of them are turning over CIOs at the moment, and I think it's probably got something to do with getting a different calibre of person into that role."

Another lesson - which applies as much to CFOs and other C-suite executives as much as to CIOs - is the need to check the validity of any information you sign off on. In his 2003 Royal Commission report, Commissioner Justice Neville Owen found HIH directors tended to sign anything put in front of them, says e-Law director Allison Stanfield, who was closely involved in the HIH commission's hearings. She warns no executive or director should sign any document unless they are familiar with its underlying rationale.

And Stanfield believes there should be legal penalties against those who make decisions recklessly or without knowing the facts of the situation. I think there definitely should be penalties there because the consequences are far-reaching, particularly for public entities for which the management are responsible for moneys that are in fact other people's moneys," she says.