
IT Governance: Guidelines for Directors

Ebook, 298 pages, 3 hours


About this ebook

Aligning IT with the business is a key board objective. Better shareholder returns, greater competitiveness and fewer compliance issues are typical benefits of an IT governance framework.

This is not a technology book. It has been written specifically for those directors, managers and their professional advisers who want to leverage IT more effectively to compete in our information economy.

It argues that getting real value from IT is about leadership and shows how the board and CEO can take that lead - and avoid security breaches, project failure, compliance exposure, reputation damage, job loss and jail time. It’s a book for business leaders of today - and tomorrow.

Language: English
Publisher: itgovernance
Release date: Apr 28, 2005
ISBN: 9781849281058
Author

Alan Calder

Alan Calder is a leading author on IT governance and information security issues. He is the CEO of GRC International Group plc, the AIM-listed company that owns IT Governance Ltd. Alan is an acknowledged international cyber security guru. He has been involved in the development of a wide range of information security management training courses that have been accredited by the International Board for IT Governance Qualifications (IBITGQ). He is a frequent media commentator on information security and IT governance issues, and has contributed articles and expert comment to a wide range of trade, national and online news outlets.


    Book preview

    IT Governance - Alan Calder

    978-1-849281-05-8

    About the author

    Alan Calder is the founder director of IT Governance Ltd (www.itgovernance.co.uk), an information, advice and consultancy firm that helps company boards tackle governance, risk management, compliance and information security issues. He has many years of senior management experience in the private and public sectors.

    The company’s website also provides access to a range of unique books, tools and other publications on governance, risk management, compliance and information security.

    Other books by Alan Calder:

    IT Governance: a Manager’s Guide to Data Security and BS7799/ISO17799, 3rd edition, with Steve Watkins (Kogan Page, June 2005)

    IT Governance Today: a Practitioner’s Handbook (IT Governance Publishing, May 2005)

    The Case for 7799 (IT Governance Publishing, May 2005)

    Nine Steps to 7799 Success (IT Governance Publishing, June 2005)

    For homeowners and home-based businesses:

    The NON-Geek Guide™ to Wireless Security (IT Governance Publishing, 2005)

    The Internet Highway Code (IT Governance Publishing, 2005)

    Other books by Alan Calder are planned for publication during 2005 and 2006; see the website for details.

    CONTENTS

    INTRODUCTION

    ‘Can IT align with the business?’¹

    Your immediate response to this question gives a sense of the adequacy or otherwise of your IT governance arrangements. If you think it’s a good question, one worth pursuing, then you’ve just identified the first, and most critical, symptom of inadequate IT governance: a disjunct between your most important business enabler and the business itself.

    If you find the question incomprehensible – because, to you, it’s axiomatic that IT aligns with the business – you may not need this book. However, before putting it aside, consider this: a late-2004 global study² of North American and European businesses found that only one-quarter of the respondents considered their business and IT strategies to be ‘fully integrated and developed simultaneously’ – which is a backward step from the findings of the same study in 2002, in which one-third of respondents considered these processes to be fully aligned.

    Symptoms of inadequate IT governance

    1. How does your board assess (measure) the real contribution made by any of your IT systems to improving the organization’s competitiveness?

    2. What divergence is there between the views that your sales/operational management has of the benefits of IT systems and projects and those of the IT management? Who is right and how do you find out? Are you getting maximum value (maximum business benefit for minimum actual total cost) for each of your IT investments? How would you know? How would you know if your IT spending is putting your company at a cost disadvantage?

    ¹ Computer Business Review, March 2005

    ² ‘Why Today’s IT Organization Won’t Work Tomorrow,’ AT Kearney, 2005

    3. What is your board’s process for comparing the (fully costed) ROI on your technology projects to those of any other strategic options, including acquisitions, and how does this affect strategic planning?

    4. What is your board’s view on the relationship, in your organization, between the potential impact of a compliance or information security failure (in financial terms) and the (fully absorbed) cost of meeting the compliance and security objectives? What is the total actual (direct and indirect) cost of all the compliance and information security incidents in your organization in the last twelve months?

    5. What is the real, financial value to your organization of its information and intellectual capital and how are you leveraging it?

    6. How are you driving up the intellectual capital/headcount ratio? What’s the relationship between this ratio and the IT intensity (IT investment to headcount) ratio?

    7. Do all your IT projects come in on time, to budget and to specification?

    8. How does your D&O insurance deal with the personal consequences for directors of IT failures arising from inadequate board oversight of core business processes and significant financial transactions?

    If your organization has a clear, widely understood set of answers to these questions, complete with meaningful metrics, then you probably have an effective IT governance framework in place. The fact is, very few organizations do. There are a number of reasons for this.

    Competitiveness

    The first is that IT and IT governance simply don’t feature on the CEO’s top 10 list of challenges. Tighter cost control makes it in at number seven; transferring knowledge/ideas/practices within the company (which could, arguably, be linked to using IT as an enabler), makes it on to the list at number 10.

    What are the top three challenges?

    Not surprisingly, they are all related to competitiveness as measured by revenue growth. The Conference Board’s annual survey for 2004³ listed the top three challenges identified by CEOs worldwide:

    1. Sustained and steady top-line growth

    2. Speed, flexibility, adaptability to change

    3. Customer loyalty, retention

    This focus on top-line revenue growth is as much a challenge in the public, voluntary and not-for-profit sectors as it is in the private one. Information technology is, surprisingly, only a subsidiary issue in responding to this challenge, as is evidenced by the IT Governance Institute’s ‘IT Governance Global Status Report 2004’⁴, which found that:

    1. 93 percent of business leaders recognize that IT is important for delivering the organization’s strategy, yet

    2. 93 percent of respondents experienced IT problems in the previous year; 40 percent of respondents identified operational failures, incidents and an ‘inadequate view on how IT is performing’;

    3. 75 percent of the IT community recognize that IT has problems that need resolving;

    4. More than 80 percent of the IT community thinks that IT governance has some part to play in resolving these issues.

    In the AT Kearney survey⁵, only 28 percent of IT leaders ranked IT as a top 10 percent issue; only 37 percent of ALL the executives surveyed ranked IT as being this important.

    ³ ‘Conference Board CEO Challenge 2004’, Executive Summary

    ⁴ ‘IT Governance Global Status Report, Executive Overview’, IT Governance Institute, 2004

    ⁵ ‘Why Today’s IT Organization Won’t Work Tomorrow’, AT Kearney, 2005

    Historically, therefore, the CEO community has not rated the importance of IT governance nearly as highly as does the IT community. However, while shareholder and regulatory pressures have been driving IT governance up the board agenda, the over-arching reason for IT to become a key board room issue in the 21st Century is the extent to which information and information technology is now driving and shaping the competitive environment.

    Shareholder accountability

    Institutional investors carry part of the blame for the fact that IT has not historically been on the CEO’s agenda. ‘One of the key problems with IT is that the City just doesn’t get it. When analysts sit down with CEOs and finance directors, attention is focused on the financial performance of the business and its strategy moving forward. As a key driver of the competitive profile of the business, IT systems and plans should be rigorously studied. But very few analysts know the right questions to ask to assess how IT will support the business goals.’⁶

    Institutional shareholders are becoming more muscular. Technology is as significant a component of the organization’s cost base as its headcount, but usually consumes substantially more capital. Driven, in part, by the changing corporate governance climate and, in equal part, by the poor record of IT projects, stakeholders and institutional shareholders increasingly seek transparency around IT. This is hardly surprising, when you consider the extent of project disaster made possible by the historic culture of opaqueness around IT governance.

    For instance, the Standish Group’s research on IT project failure⁷ found that:

    • 16.2 percent of software projects completed on time and on budget;

    • 31 percent of projects were cancelled before completion; and

    • 53 percent of projects would cost over 189 percent of their original estimates.

    ⁶ Justin Urquhart-Stewart, HP IT Governance Roundtable, November 2002

    ⁷ ‘The Chaos Report’, the Standish Group, 1995

    There hasn’t been a significant improvement since then. A Conference Board survey in 2001 found that:

    • 40 percent of projects failed to achieve their business case within one year of ‘live’;

    • Where benefits came through, it was six months later than expected;

    • Implementation costs were, on average, 125 percent of budget;

    • Support costs were, on average, 120 percent of budget.

    But it’s not only about project failure. 80 percent of corporate assets today are digital⁸ and, as shareholders and boards focus on the extent to which information and intellectual capital are fundamental to their competitive position and long term survival, so they recognize the fiduciary nature of their responsibility to shareholders in respect of the organization’s information assets and IT.

    Compliance

    Regulatory compliance and risk management appear to go hand in hand. The best companies have always addressed strategic risk from the boardroom; Basel 2 and today’s corporate governance regimes increasingly expect risk management to be pervasive throughout the culture of all organizations.

    Across the world, a proliferation of sometimes competing data protection, privacy and computer misuse legislation, little of which has clear implementation guidance or established case law, creates new challenges for corporate boards. Governance regimes – particularly Sarbanes-Oxley – have substantial IT compliance components. Securing information against organized crime and cyber terrorism ought to be high on corporate agendas, but isn’t: just 20 percent of the respondents in a global survey⁹ strongly agreed that their organizations perceived information security as a CEO level priority.

    ⁸ Testimony of Jody R Westby, PwC Managing Director, to the House of Congress Committee on Government Reform, September 2004

    Is it therefore surprising that authorities are increasingly looking to regulation to force the issue up the agenda? ‘The road to information security goes through corporate governance. America cannot solve its cyber security challenges by delegating them to government officials or CIOs. The best way to strengthen US information security is to treat it as a corporate governance issue that requires the attention of boards and CEOs.’¹⁰

    Directors’ personal liability

    Historically, the outside, or non-executive, directors of companies have been personally immune – financially, if not in terms of reputation – from the legal consequences of failure of the companies on whose boards they sit. A Stanford University study, for instance, found only four US cases, by 2003, where individual defendants had been forced to contribute personally to the settlement of securities class actions.

    However, in 2004, an ex-Chairman of Global Crossing made a substantial (US$30 million) personal contribution to settling a class action.

    In January 2005, substantially all of the outside directors of both WorldCom and Enron agreed to settle class actions by contributing personal funds to the settlements. Ten Enron directors agreed to contribute an aggregate US$13 million; ten WorldCom directors agreed to contribute an aggregate US$18 million, which reportedly represented approximately 20 percent of their wealth. These personal contributions were in excess of the amounts provided by Directors and Officers insurance, which was exhausted by the cases.

    While these settlements don’t constitute an admission of liability or of wrongdoing by any of the settling directors (the cases are still, at the point of finalising this book, subject to court approval, with the WorldCom agreement in serious jeopardy), they point to significant changes in the personal exposure of outside directors. There is an argument that the WorldCom and Enron settlements are aberrations and that, once the dust has settled, courts will return to the ‘norm’.

    ⁹ Ernst & Young, ‘Global Information Security Survey 2004’

    ¹⁰ ‘Information Security Governance: a Call to Action’, US National Cyber Security Summit Task Force, April 2004

    In the UK, Equitable Life is suing its former auditors, Ernst & Young, and its previous directors, both executive and non-executive, for professional negligence in relation to its near collapse in 2000. While the hearing of the £2.6 billion claim started in April 2005, the UK’s Commercial Court had already ruled in 2003 that the company could proceed with a claim that its non-executive directors were negligent over implementing a strategy which later proved to be unlawful.

    The Disney case, in which the company is taking action against its directors in respect of the hiring – and later firing – of Michael Ovitz, provoked the comment that the alleged facts in the case: ‘suggest that the defendant directors consciously and intentionally disregarded their responsibilities, adopting a we don’t care about the risks attitude concerning a material corporate decision. Knowing or deliberate indifference by a director to his or her duty to act faithfully and with appropriate care is conduct, in my opinion, that may not have been taken honestly and in good faith to advance the best interests of the company.’¹¹

    In a similar vein, the former Chief Justice of Delaware commented, in March 2005: ‘Directors are expected to act—indeed are presumed to act, unless the presumption
