Do Boards Need a Technology Audit Committee?
What does FedEx, Pfizer, Wachovia, 3Com, Mellon Financial, Shurgard Storage, Sempra Energy and Proctor & Gamble have in common? What board committee exists for only 10% of publicly traded companies but generates 6.5% greater returns for those companies? What is the single largest budget item after salaries and manufacturing equipment?
Technology decisions will outlive the tenure of the management team making those decisions. While the current fast pace of technological change means that corporate technology decisions are frequent and far-reaching, the consequences of the decisions-both good and bad-will stay with the firm for a long time. Usually technology decisions are made unilaterally within the Information Technology (IT) group, over which senior management chose to have no input or oversight. For the Board of a business to perform its duty to exercise business judgment over key decisions, the Board must have a mechanism for reviewing and guiding technology decisions.
A recent example where this sort of oversight would have helped was the Enterprise Resource Planning (ERP) mania of the mid-1990’s. At the time, many companies were investing tens of millions of dollars (and sometimes hundreds of millions) on ERP systems from SAP and Oracle. Often these purchases were justified by executives in Finance, HR, or Operations strongly advocating their purchase as a way of keeping up with their competitors, who were also installing such systems. CIO’s and line executives often did not give enough thought to the problem of how to make a successful transition to these very complex systems. Alignment of corporate resources and management of organizational change brought by these new systems was overlooked, often resulting in a crisis. Many billions of dollars were spent on systems that either should not have been bought at all or were bought before the client companies were prepared.
Certainly, no successful medium or large business can be run today without computers and the software that makes them useful. Technology also represents one of the single largest capital and operating line item for business expenditures, outside of labor and manufacturing equipment. For both of these reasons, Board-level oversight of technology is appropriate at some level.
Can the Board of Directors continue to leave these fundamental decisions solely to the current management team? Most large technology decisions are inherently risky (studies have shown less than half deliver on promises), while poor decisions take years to be repaired or replaced. Over half of the technology investments are not returning anticipated gains in business performance; Boards are consequently becoming involved in technology decisions. It is surprising that only ten percent of the publicly traded corporations have IT Audit Committees as part of their boards. However, those companies enjoy a clear competitive advantage in the form of a compounded annual return 6.5% greater than their competitors.
Tectonic shifts are under way in how technology is being supplied, which the Board needs to understand. IT industry consolidation seriously decreases strategic flexibility by undercutting management’s ability to consider competitive options, and it creates potentially dangerous reliance on only a few key suppliers.
The core asset of flourishing and lasting business is the ability to respond or even anticipate the impact of outside forces. Technology has become a barrier to organizational agility for a number of reasons:
- Core legacy systems have calcified
- IT infrastructure has failed to keep pace with changes in the business
- Inflexible IT architecture results in a high percentage of IT expenditure on maintenance of existing systems and not enough on new capabilities
- Short term operational decisions infringe on business’s long term capability to remain competitive
Traditional Boards lack the skills to ask the right questions to ensure that technology is considered in the context of regulatory requirements, risk and agility. This is because technology is a relatively new and fast-growing profession. CEOs have been around since the beginning of time, and financial counselors have been evolving over the past century. But technology is so new, and its cost to deploy changes dramatically, that the technology profession is still maturing. Technologists have worked on how the systems are designed and used to solve problems facing the business. Recently, they recognized a need to understand and be involved in the business strategy. The business leader and the financial leader neither have history nor experience utilizing technology and making key technology decisions. The Board needs to be involved with the executives making technology decisions, just as the technology leader needs Board support and guidance in making those decisions.
Recent regulatory mandates such as Sarbanes-Oxley have changed the relationship of the business leader and financial leader. They in turn are asking for similar assurances from the technology leader. The business leader and financial leader have professional advisors to guide their decisions, such as lawyers, accountants and investment bankers. The technologist has relied upon the vendor community or consultants who have their own perspective, and who might not always be able to provide recommendations in the best interests of the company. The IT Audit Committee of the Board can and should fill this gap.
What role should the IT Audit Committee play in the organization? The IT Audit function in the Board should contribute toward:
- Bringing technology strategy into alignment with business strategy.
- Ensuring that technology decisions are in the best interests of shareholders.
- Fostering organizational development and alignment between business units.
- Increasing the Board’s overall understanding of technological issues and consequences within the company. This type of understanding cannot come from financial analysis alone.
- Effective communication between the technologist and the Committee members.
The IT Audit Committee does not require additional board members. Existing board members can be assigned the responsibility, and use consultants to help them understand the issues sufficiently to provide guidance to the technology leader. A review of existing IT Audit Committee Charters shows the following common characteristics:
- Review, evaluate and make recommendations on technology-based issues of importance to the business.
o Appraise and critically review the financial, tactical and strategic benefits of proposed major technology related projects and technology architecture alternatives.
o Oversee and critically review the progress of major technology related projects and technology architecture decisions.
- Advise the senior technology management team at the firm
- Monitor the quality and effectiveness of technology systems and processes that relate to or affect the firm’s internal control systems.
Fundamentally, the Board’s role in IT Governance is to ensure alignment between IT initiatives and business objectives, monitor actions taken by the technology steering committee, and validate that technology processes and practices are delivering value to the business. Strategic alignment between IT and the business is fundamental to building a technology architectural foundation that creates agile organizations. Boards should be aware of technological risk exposures, management’s assessment of those risks, and mitigation strategies considered and adopted.
There are no new principles here-only affirmation of existing governance charters. The execution of technology decisions falls upon the management of the organization. The oversight of management is the responsibility of the Board. The Board needs to take appropriate ownership and become proactive in governance of the technology.
Do Boards need a Technology Audit committee? Yes, a Technology Audit Committee within the Board is warranted because it will lead to technology/business alignment. It is more than simply the right thing to do; it is a best practice with real bottom-line benefits.