Board IT Governance: A must for transformation of the corporate sector in Sri Lanka

Monday, 21 August 2023 00:10


In today’s rapidly changing world, businesses are increasingly dependent on IT and digital processes, which impacts Return on Investment (ROI). “As the Board’s IT expertise increases, it facilitates better Board IT Governance, and in turn better ROI”: this is a salient finding in the ‘Board IT Governance: Sri Lanka Survey 2022’.

IT Governance (ITG) provides a framework and a structure for organisations to ensure that IT investments support business objectives, addressing internal and external requirements. ITG is multidimensional, from setting strategy and expectations to obtaining and providing ‘assurance’ of the use of IT in the organisation. This includes business/IT strategic alignment, IT value delivery, IT resource management, IT risk management and IT performance management.

Companies having effective ITG, in addition to having greater ROI and other financial indicators, also have:

  •  Greater CIO/CTO competency
  •  Greater ‘Director’ and Board level IT expertise
  •  Better IT management practices

The best-in-class companies in terms of ITG actively pursue and implement globally recognised best practices and next generation technologies and are distinguished by higher financial returns, customer satisfaction, operational efficiency, competitive advantage and innovative ITG.

It is important that Board composition be reviewed regularly to ensure that the right people in the right numbers are present to provide effective ITG. Expertise in IT management – specifically competency – is perhaps the most important thing to get right. Substantial IT expertise on the Board is critical; familiarity with the subject is not sufficient. It is also important to note that an organisation’s strategic versus operational reliance on IT is substantially different and implies different skill sets, expertise and mechanisms at a Board level. In this regard, training and mentorship programs on best practice ITG are important for Directors.

The Board IT Governance: Sri Lanka Survey 2022 suggests the following in relation to Board practices on ITG:

  •  The Board must have oversight on IT activities of the company.
  •  If the IT requirement is only to ensure cost-effective, uninterrupted, secure, smoothly operating technology systems, then technology governance may be a routine matter focusing on managing IT risk and ensuring the completeness, quality, security, reliability and maintenance of existing IT investments that support day-to-day business processes. This can be handled by the existing audit/risk committee having the required IT expertise.
  •  If the IT requirement extends to ensuring the company relies on IT for its competitive edge through systems that provide new value-added services and products or high responsiveness to customers, then it is a vital area that requires intense Board-level scrutiny and assistance through a separate IT Steering Committee.
  •  There should be a Board member with clear ownership and accountability for monitoring, reporting on, and guiding IT governance, either within the audit/risk committee or leading the IT Steering Committee. This should be someone with enough time and experience to execute the task appropriately.
  •  The CTO/CIO at the C-Level should be held accountable to the Board.
  •  There should be a reasonable budget for the IT Board members to visit/interact with peers, mentors – as it relates to the firm’s business.
  •  The Board IT Steering Committee should:
      •  Act as mentors to the operational CTO/CIO and, as appropriate, to the CEO
      •  Have at least one audit/risk committee member monitoring the IT Steering Committee to establish a close relationship with the audit committee (as IT issues can affect economic and regulatory matters) and to link up in relation to conducting IT risk assessments and audits
      •  Prepare policies for periodic IT risk assessments (e.g., penetration, threats, security, privacy, robustness)
      •  Conduct yearly reviews/audits given the rapidly changing landscape
      •  Prepare policies and advise on appropriate funding for periodic system reviews and upgrades – in keeping with industrial norms
      •  Oversee a yearly review/audit of the firm’s competitive sector – what are the industry leaders doing, using, etc.
      •  Oversee a long-range IT projection exercise – where the firm might be in the next 3-5 years, the industry, key competitors
      •  Provide a short overview/seminar to the Board members on IT governance, best practice, etc. whenever the Board members change and the landscape of the industry changes
      •  Provide a short overview/seminar on any key IT aspects, assumptions, risks, issues to the rest of the Board
      •  Oversee a yearly capability review/audit – does the firm have the resources and capabilities to do what it is being asked to do? What is the gap? How to address it?
      •  Review the CEO/CIO/CTO performance/activities with respect to IT management – strategic, tactical, operational

There is no doubt that advances in technology are revolutionising the industry. These advances are rapid and are causing significant disruptions, opportunities and risks to businesses. Boards must strengthen the framework, structure, and processes to help them anticipate change and be able to quickly respond to emerging opportunities and risks arising from rapid advances in technology.

The writer is former Senior Partner and Consulting Leader, Ernst & Young Sri Lanka and the Maldives. You may contact him through the Sri Lanka Institute of Directors, 076 738 3050.