Governance and The Board of Directors: Taking IT from the Backroom to the Boardroom BY SANJAY ANAND, founder and chairman, SOX Institute (www.soxinstitute.org); founding member, NASBA's Center for Public Trust; member, CEO Roundtable of the SOX Compliance Journal

Traditionally, IT has been a backroom function. By this I mean that IT has typically been a behind-the-scenes function of corporate America (and the world). IT achieved center-stage status for only a very brief period of time: the late 1990s. Those years were an era of technology for technology's sake, and we saw dot-coms spring up all over the map. Regardless of their revenues and/or customers, these dot-coms had sky-high valuations that were impossible to explain or even comprehend. However, there's a key distinction between IT the way we've known it for decades - and what it's returned to today - versus the late '90s dot-coms: The dot-coms were about the T in IT (technology, that is) and not about the I (information). The purpose of this article is to suggest that we need to do two things: move past the stigma associated with the '90s definition of IT and take the real IT from its traditional place in the backroom to its well-deserved, modern-day place in the boardroom.

Changing View of IT

There is a recognized need that IT no longer be just an afterthought (or a neverthought!) in business today.

Businesses are highly dependent upon IT, not just for efficiency and productivity but also to compete and be viable. Today's business strategy must include aspects from IT including, but not limited to:

• Ease of use
• Availability
• Business' reliance on information
• Productivity gains

Of course, coupled with the power of IT comes great responsibility, and IT is now increasingly required to ensure:

• Confidentiality of information
• Data integrity
• Timely availability
• Information accuracy

In this article, I'll examine these aspects of IT in the context of governance, risk and compliance (GRC).

The Traditional Role of IT

Let's briefly revisit the role that IT has traditionally played in the backroom. There, IT serves a valuable purpose: to make business more efficient and productive.

However, in this role, we often find that the chief information officer and/or the chief technical officer are primarily responsible for implementing IT strategies that are handed down to them from the business and process owners, including the chief financial officer, the chief operating officer and even the chief legal officer or chief communications officer.

While there's nothing inherently wrong with this traditional IT role, businesses face some challenges, including:

• A lack of understanding of IT and what it can do for the business
• A lack of alignment between what's communicated by the business and what's heard and implemented by IT
• A misrepresentation of IT to the business in terms of the flawed hierarchy alluded to above
• IT as a reactive rather than proactive function

Small wonder, then, that organizations regard IT as a cost center rather than a strategic center or a profit center.

The Strategic Role of IT

As IT makes its way into the boardroom, however, it can serve a more valuable purpose within the organization. Specifically, IT can help the organization better integrate as a whole, align its various parts and proactively compete in an ever-changing and more aggressive competitive landscape. IT and can even drive corporate strategy
in technology-dependent companies and industries.

Industries that have benefited most from recent advances in information technology and its ability to provide competitive differentiation include financial services (banking, insurance, mortgage), healthcare, pharmaceuticals and retail (online and offline).

It's critical that boardrooms adopt and adapt to IT's new strategic role as follows:

1. Recognize the strategic role that IT plays within and for the organization
2. Incorporate the IT function as a board-level function
3. Gain a better and broader understanding of IT among both IT and IT board members
4. Provide IT with the business information it needs to be more effective at serving business needs

In other words, take IT from a servitude mindset to a partner mindset by establishing the tone from the top, where actions speak louder than words. When board members realize and recognize the value of IT, the rest of the organization is more likely to follow.

Roles and Responsibilities

I've outlined thus far how IT can help the business by growing beyond its traditional role of just serving the business to being a partner, and in some cases even a driving force. With this power comes great responsibility.

Specifically, expectations of IT will transform, and it's for IT to step up to the plate to enable business functions including, but not limited to, governance, risk management and compliance:

• As a strategic partner, IT can and must be used to enable corporate strategy, direction and overall agendas - functions typically associated with the board and/or executive suite.
  
  
• By enabling more automated and effective internal controls, IT can enable better risk management more cost effectively and predictably throughout the organization.
  
  
• In so doing, IT facilitates compliance with regulations by providing a means and a framework to put into place broader measures, such as document and record management.
  
  
• Last but not least, IT must adhere to best practices around IT governance, risk management and compliance.

There are several IT-specific practices derived from the business world.
While a comprehensive list of IT-specific regulations is neither feasible nor required, here are some sample regulations that have a significant implicit reliance on IT:

• Securities and Exchange Act of 1934
• Sarbanes-Oxley Act (and bill 198, etc.)
• USA PATRIOT Act
• Workforce Rehabilitation Act of 1973
• DoD 5015.2 Records Management Act
• Computer Fraud and Abuse Act of 1984
• Electronic Freedom of Information Act
• Check Clearing for the 21st Century Act
• Fair Credit Reporting Act
• SEC Rules 240.17 a-3 and 240.17 a-4
• Digital Millennium Copyright Act
• Notification of Risk to Personal Data Act
• Financial Accounting Standard Board Statement No. 133
• Electronic Signatures in Commerce Act
• Regulation Full Disclosure
• Currency and Foreign Transactions Reporting Act
• Basel II, New Capital Accord
• Truth in Lending Act (Regulation Z)
• Office of Foreign Assets Control Suspicious Activity Report
• Bank Secrecy Act - 31 CFR 103
• 21 CFR Part 11 - Electronic Signatures
• 40 CFR Part 263 - Hazardous Waste
• Fair & Accurate Credit Transactions Act
• 12CFR Part 40 - Privacy of Consumer Financial Information (see Graham-Leach-Bliley Act)
• 18 USC 1341 (Mail Fraud Statute) and 1343 (Wire Fraud Statute)
• Insider Trading and Securities Fraud Enforcement Act
• The Comprehensive Thrift and Bank Fraud Prosecution and Taxpayer Recovery Act
• The CAN-SPAM Act (deception and decline)
• HIPAA
• FFIEC IT Examination Booklets (for imaging)

Integrating these two aspects of IT is critical for every organization:

• IT as an enabler of governance, risk management and compliance
• Governance, risk management and compliance requirements of IT

There are numerous standards, frameworks and methodologies that help with the latter. Table 1 (below) shows some of the more familiar and popular ones.

IT Governance, Risk Management and Compliance

IT Governance is the enablement of corporate strategy by ensuring alignment between corporate goals and objectives, and those of the IT organization. IT alignment refers to the ability of the business to integrate its wants and needs with the capabilities of IT, and to create a gestalt between the two.

IT risk management embodies two concepts: one, managing and mitigating risk within and impacting the organization using IT as an enabler of better risk management techniques including automated internal controls (e.g. workflow) and competitive business strategies (e.g. Web-enabled). And two, managing and mitigating risk inherent in IT itself using, for example, risk management and mitigation strategies and frameworks like the Committee of Sponsoring Organizations of the Treadway Commission, the National Institute of Standards and Technology and 8015.

IT compliance also takes on two forms: one, assisting and enabling regulatory compliance by providing tools, technologies, standards and frameworks for the organization to adhere to regulatory requirements, including records retention and document management. And two, IT itself adhering to regulatory requirements and industry best practices including, for example, disaster recovery and business continuity. These, in turn, enable better risk management as well.

Integrating IT Into the Boardroom

So how do we go about accomplishing the potentially daunting task of integrating IT into the boardroom so the board and the executives are able to set the example and lead the way in recognizing the importance and value of IT throughout the organization?

Here are a few suggestions:

• Learning and educating. This is a two-way street and requires non-IT executives and professionals to learn and understand how IT can help the company and even help drive corporate strategy. Likewise, this requires IT (from the CIO down) to understand more about the business so they can contribute as equals.
• Leading by example. The board and executives must not only talk the talk but also walk the walk. This leadership by example is the only way to get the organization aligned with the concepts discussed in this article. Specifically, the organization is more likely to follow suit when it sees the leadership setting the right example.
• Setting the right expectations. I've described how IT can serve as a partner in creating and enabling corporate strategy and business alignment. But it's important to note that IT is only one of the many pieces of the corporate puzzle, and it's critical that we don't set IT up to fail. That is, our expectations from IT must be realistic - we can't expect IT to be the only driving force behind all corporate strategy, regardless of how dependent the company or industry is on IT.
• Demonstrating the value. What is not measured cannot be managed. Demonstrating IT's value goes even beyond just measuring its success, value and impact. It's a statement of demonstrable evidence and proof that IT really works. It's proof that IT can and does serve a critical business function. It's a means to reward and recognize IT for its contribution to business and its stakeholders. This recognition is a self-fulfilling cycle that results in even further integration between the business and technology sides of the equation.

While the above list isn't comprehensive, it's a starting point. To what extent organizations implement these suggestions will depend upon several factors, including the legacy aspect of IT within the organization, the likelihood and propensity of management to change, the ability of the organization to adapt to a new paradigm regarding IT and the ability of IT itself to adapt to the new paradigm.

Ultimately the success of companies today lies in their ability to seamlessly integrate the various business functions. Viewed that way, IT should be treated no differently from the rest of the organization and should have its place at every rung of the corporate hierarchy, from the backroom to the boardroom.

[WEBINAR: Taking IT from the Backroom to the Boardroom!]