Board Oversight of Information Technology

One of the most significant issues for the board of directors is oversight of the company information technology (“IT”) activities; however, until recently directors paid relatively little attention to IT even though their companies often were spending significant amounts of money on IT, information was becoming an essential strategic asset and the financial and reputational risks of breaches of information security were becoming more and more apparent.  In many cases the directors were content to leave IT issues to management, particularly the chief information officer, and devoted a limited amount of time to discussions of IT at board meetings.  Since the beginning of the 2000s the situation has changed dramatically as larger companies began to invest heavily in IT assets in order to comply with new requirements regarding the integrity of the internal controls within their financial reporting systems.  Directors and senior executives also became more aware of the role that IT systems played in creating a competitive advantage and adding value to the business.  As a result, companies gradually began to establish board-level committees that focused, in whole or in part, on IT risks and opportunities.  Many companies limit the duties and responsibilities of their board-level technology committee to oversight of the companies with IT activities, with management being responsible for day-to-day management, monitoring and reporting.  In those cases, the duties of the technology committee with respect to its oversight role might be limited to the following functions and responsibilities:

• Reviewing at least annually the company’s IT and operational strategies, costs and planning, including the financial, tactical and strategic benefits of proposed major IT and operational related initiatives
• Approving major IT and operational initiatives and the IT and operational budget for each calendar year
• Receiving a quarterly report from management that provides information on management’s progress in executing on major IT initiatives, technology architecture decisions (as applicable) and IT priorities as well as overall IT performance, including metrics concerning technology investments, talent management, and system availability, integrity, capacity and performance
• Reviewing at least annually the adequacy of the company’s management of information security risks
• Approving all material changes to written policies related to the management of information security risks and recommending such changes to the board for approval
• Receiving reports from management that provide information on the effectiveness of the management of information security risks and the company’s crisis management plan
• Monitoring and assess the overall adequacy of the company’s IT and operational control environment, including the implementation of key controls in response to regulatory requirements

Similar to the caveat above, a technology committee’s review of information security risks will generally be a shared activity with the board-level risk management committee.
In 2015 Lankton and Price compiled a list of companies with board-level IT committees by searching the web sites of all Fortune 500 companies and reviewing the charters of each committee containing the word “technology” in its name.  After setting aside committees that were primarily focused on research and development within the company rather than on IT, Lankton and Price settled on IT committees of 23 companies for further analysis.  Lankton and Price reviewed the roles and responsibilities of the committees as listed in their charters and coded them into five primary governance domains: strategic alignment; value delivery; resource management; risk management; and performance measurement.  Most of the companies did not include roles and responsibilities for all five domains.  They found that “strategic alignment” was clearly the most often cited role for board-level IT committees, a topic which included:

• Verifying that IT strategy is aligned with business strategy
• Making decisions about priorities and the focus of IT resources
• Clarifying the role of IT
• Monitoring the impact of IT infrastructure and applications
• Evaluating benefits delivered by IT projects
• Communicating goals and objectives through policies
• Issuing high-level policy guidance
• Enabling business strategy
• Monitoring industry trends

At the other end of the spectrum, “value delivery” roles and responsibilities (e.g., optimizing expenses and proving the value of IT, monitoring the return and competitive aspects of IT and balancing the risks and benefits of IT) were mentioned least often overall and by the fewest companies.  The IT committees of 20 of the 23 companies analyzed by Lankton and Price had roles and responsibilities relating to “resource management”, which included oversight of IT expenditures; providing staff development and recruiting and retaining skilled IT staff; overseeing IT asset deployment; and ensuring that IT had competent, sufficient and efficient applications, information, infrastructure and people. 78% of the charters included at least one role relating to performance measurement, which included activities such as tracking project delivery and resource usage, monitoring IT services and establishing a balanced scorecard for IT and measuring IT performance and the contribution of IT to the business.  Finally, just over two-thirds of the charters required committees to address risk management and issues relating to IT security, internal controls, audits and disaster recovery plans.
Sources for this article included N. Lankton and J. Price, “Board-level Information Technology Committees”, ISACA Journal, 2016(2). (citing R. Nolan and F. McFarlan; “Information Technology and the Board of Directors”, Harvard Business Review (October 2005).

This article is adapted from material in Sustainability and Corporate Governance: A Handbook for Sustainable Entrepreneurs, which is prepared and distributed by the Sustainable Entrepreneurship Project and can be downloaded here.
Alan Gutterman is the Founding Director of the Sustainable Entrepreneurship Project, which engages in and promotes research, education and training activities relating to entrepreneurial ventures launched with the aspiration to create sustainable enterprises that achieve significant growth in scale and value creation through the development of innovative products or services which form the basis for a successful international business.  Visit the Project’s Library of Resources for Sustainable Entrepreneurs to download handbooks, guides, articles and other materials relating to sustainable entrepreneurship and keep up with the Project’s activities by following Alan on LinkedIn, Twitter and Facebook.