By the late 1980s, a major IT project under way at the Society of Worldwide Interbank Financial Telecommunication (SWIFTsc) was beginning to drain significant resources, with the well quickly running dry. The project, according to former SWIFTsc security adviser Erik Guldentops, now a management consultant and executive professor at the Management School of Antwerp University, suffered from "moving goalposts" for requirements, budgets and objectives. Business, IT and audit management began sparring over who should take the blame. Tensions escalated to the point where hostility and friction were close to paralysing the project.
It is a scenario familiar to many organisations attempting to undertake wide-scale IT reform, but for SWIFTsc, which provides secure global communication to more than 7000 financial institutions in more than 190 countries, the consequences could have been catastrophic. Eventually the board was forced to step in, becoming by doing so one of the earliest boards of directors to intervene and implement basic IT governance practices. Belatedly, that is a fashion more companies look set to emulate.
Intent on protecting the organisation as it navigated technological change, SWIFTsc's board of directors and executive management: set clear IT strategy through a dedicated board committee; relied on measurable and controllable performance indicators initiated by the audit department and further developed with - and agreed to by - IT management; and, monitored progress against the performance indicators, again leveraging the dedicated board committee. It was a highly successful intervention, Guldentops says.
Historically, boards have seldom been involved in IT issues, intervening mainly when IT problems threatened the viability of the business. Boards rushed to intervene in some of the online retail companies, including Amazon, when fulfilment problems threatened the credibility of the company and buyers were still skittish about online buying. Boards have also intervened in some companies in which IT was seen as integral to the business model. Otherwise, it has been rare for an IT issue to attract the attention of a board of directors. As leading global businesses increasingly recognise the imperative for strong IT governance, some boards are stepping up to adopt a much stronger oversight role, and leading institutions are proposing those organisations as role models for the rest of the business world.
"It's crucial that board members provide oversight regarding IT issues," Guldentops says. "IT is key to the continued existence of the world's largest enterprises. Boards and executives must ensure that IT delivers appropriate value to the business, IT risks are mitigated and IT practices are aligned with business objectives." Guldentops was commenting at the launch last year of two new high-level documents from the IT Governance Institute, together designed to help enterprise board members and executive managers focus their attention on vital and complex IT governance and security issues.
The IT Governance Executive Summary and a related publication, IT Strategy Committee, address the roles and responsibilities of boards and management regarding IT. Both publications are available as open standards and complimentary downloads via the IT Governance Institute's Web site at www.ITgovernance.org. Guldentops says the key message of these publications is that board members do not need to be technology experts, but they do need to understand their changing roles regarding oversight.
A not-for-profit organisation dedicated to sharing better practices for IT governance, the institute, founded in 1998 by the Information Systems Audit and Control Association (ISACA - founded in 1969), has also developed a comprehensive framework for IT governance implementation, known as Control Objectives for Information and Related Technology (CobiT).
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.