The Changing Role of Governance Over Technology

By Brian Friedrich, CPA, FCGA, and Laura Friedrich, CPA, FCGA; published in CPABC in Focus
Published: June/Summer 2014

Big data. Cloud computing. Engaging customers through social networks. Mobile apps and location-based marketing. Data analytics. The scope, scale, and pace of IT change within organizations are intense to say the least. To call this wave of change a fad may be perilous: International Data Corporation (IDC), the large US-based technology research firm, has predicted that these “third-platform” technologies will drive about 90% of IT market growth between now and 2020.[1] Furthermore, IT is now being seen less as an internal toolset, and more as an external force—in IBM’s 2012 Global CEO Study,[2] technology topped the list of external forces affecting organizations, for the first time since this study series began in 2004. Although IT was once thought of as primarily a support function, it has moved out of the server closet and into the mainstream of business and competitive strategy.

Since the passage of SOX, and the related CSA National Instruments, boards and senior management teams have revised their consideration of IT functions and processes to meet the heightened requirements of regulatory change. For many, the focus was on controls and compliance, but given the technical nature of the subject, boards frequently delegated security-related IT oversight to a small minority of tech-savvy individuals, whereas non-IT governance professionals concentrated largely on ensuring that the organization’s IT strategy fell into general alignment with its overall business strategy.

Now, clearly controls and security have not lost their importance, and reliance on experts is still necessary, but another shift in technology governance is underway, to parallel the changing role of technology itself. IT oversight can no longer be directed principally at an operational level. The terms “IT risk” and “IT governance” are, in fact, criticized by some as being too narrow; terms like “technology risk” and “enterprise business technology governance” are finding their way into governance vocabulary and giving rise to broader-based discussions. As social media and mobile computing continue to change the way we engage with our business partners, customers, and suppliers, we’ve moved from an “IT risk = data security risk” mentality, to what Deloitte refers to as a more “risk intelligent” approach, where we recognize risk as including not only threats, but also opportunities.[3] Having this maturity in perspective can significantly differentiate your organization’s governance plan.

In line with the risk intelligent approach, Australian researcher Elizabeth Valentine presents the concept of enterprise business technology governance (EBTG) as a set of three, inter-related competencies. Using this type of broad competency framework goes beyond the issues of control and compliance, and places high expectations on directors, including:

  • Overseeing the strategic use of technology for competitive advantage and enterprise performance;
  • Integrating, rather than merely aligning, technology strategy within the business strategy;
  • Ensuring that the organization assesses the risks of technology breaches or failures and takes a proactive approach, rather than governing by exception or waiting for an issue to arise;
  • Measuring and monitoring the return on investment generated by investment in technology, rather than delegating its oversight to management as a cost centre; and
  • Recognizing that effectively harnessing the benefits of technology in an ever-changing business environment may be the key not only to success, but also to survival.

This perspective of technology governance may once again increase governance requirements overall, and if your board and/or senior management team has been having a hard enough time keeping up with its growing responsibilities, more change can seem daunting. However, this breadth of perspective allows for more governance professionals to find a place where they can make a meaningful difference. Rather than delegating IT governance to the “techies” and then hoping nothing happens (in the form of IT failures), frameworks such as Valentine’s will allow those responsible for governance to take a more active role in an area that better aligns with their own competence—such as measuring ROI or debating strategies for competitive advantage. In this way, the increasing scope should be seen as empowering, rather than oppressive. And for today’s governance teams, perspective is key.

Enterprise Business Technology Governance
Australian researcher Elizabeth Valentine’s concept of enterprise business technology governance (EBTG) consists of a set of three, inter-related competencies:

EBTG Competency One
This competency highlights the skills, knowledge, and experience needed to “govern technology for competitive advantage and business performance.” This competency is about understanding advantages and value creation (positive performance results) achievable through the strategic investment in, and smart business use of, technology as appropriate to the type and size of the organization—no matter how large or small.

EBTG Competency Two
Whether it’s the risk of systems failures, cyber-attack, or loss of data, there are regular reports of the threats posed to organizations through computer and mobile networks and the Internet. Directors with this competency can demonstrate the skills, knowledge, and experience to make quality judgments and decisions in relation to business technology and data use, and to oversee technology risk.

EBTG Competency Three
The requirement to derive returns and build business value from technology investment is obvious. Directors with this competency can demonstrate the skills, knowledge, and experience to understand and provide oversight of technology-enabled product and service development, business process efficiency, and stakeholder engagement.

 

Tools for Effective Technology Governance

Define and frame the issue appropriately: Recognize that effective technology governance encapsulates the full spectrum of strategic management and risk mitigation. Each facet must be addressed, and the result must be the enterprise-wide integration of IT governance.

Attract, retain, and train: Ensure that the governance team has the competence needed to accurately assess risk and make sound decisions. Digitally-savvy directors are needed to ensure that once the right questions are asked, the answers are understood and challenged as appropriate. All directors and senior management need to be versed in technology’s role in compliance, risk management, and strategy. If your team doesn’t have all of the skills needed, hire experts to assist. As with any external resource, ensure that your reliance on their opinions is well reasoned.

Divide and conquer: Assign responsibility for each facet of IT governance to a specific committee, team, or individual, recognizing that different levels—and perspectives—of technology knowledge and skill are needed to oversee the different facets. Make sure, though, that if an individual is solely tasked with a meaningful portion of accountability, they are given the support, authority, and resources to make it happen; otherwise, they may end up as a lone, and lonely, voice.

Ask the right questions: Use publications from the usual “go-to” resources (for example, the CPA Canada “20 Questions” series, the Institute of Internal Auditors’ publications, and so on) to source out relevant questions for your organization. Bring these questions into the boardroom or senior management meetings and ensure that there’s a plan to determine acceptable answers where there are current gaps.

Expect expertise: When you hire consultants, legal counsel, and external auditors, ensure that they have the necessary expertise in the technology that drives your business so that they can fulfil the roles for which you’re paying them.

Resources:
Elizabeth Valentine, Enterprise Business Technology Governance blog: www.enterprisegovernance.com.au

CPA Canada, 20 Questions Directors Should Ask About IT, Second Edition, December 2012. www.cpacanada.ca/en/business-and-accounting-resources/other-general-business-topics/information-management-and-technology/publications/20-questions-on-information-technology

Paul Willmott (McKinsey & Company), The Do-Or-Die Questions Boards Should Ask About Technology, June 2013.
www.mckinsey.com/insights/business_technology/the_do-or-die_questions_boards_should_ask_about_technology

 

Brian Friedrich and Laura Friedrich are principals with friedrich & friedrich, a professional research, standards, and education consultancy firm in Surrey. Brian is the vice-chair of CGA-BC and serves on the CPABC Transitional Steering Committee. He also represents BC on the CPA Canada Public Trust Committee. Brian recently won the 2014 Gil Bennett Gold Standard Governance Award from the Directors College. Laura provides research and development of educational, assessment, and corporate training materials for numerous organizations and programs, including the CPA program. Together, they have facilitated a broad range of PD seminars, including CGA-BC’s mandatory ethics program.

Footnotes

  1. Frank Gens, Top 10 Predictions - IDC Predictions 2013: Competing on the 3rd Platform, November 2012.
  2. IBM, Leading Through Connections: Insights from the IBM Global CEO Study, May 2012. (https://www-935.ibm.com/services/multimedia/anz_ceo_study_2012.pdf)
  3. Deloitte, IT Governance: Risk Intelligent Questions for Directors