5 items boards should use to govern IT

In researching material for a post on executive responsibilities for IT, I came across an interesting article on how a board of directors should make IT a focus. Here is a link to the full article.

Below is a synopsis of the article minus one of the items that I felt was too much detail for board level governance.

These 5 items are what a board of directors should put in place to govern a company’s information technology:

  1. Strategic alignment
  2. Value generation
  3. Information Security
  4. Risk Management
  5. IT Human Capital Management

Strategic alignment – This governance item is concerned with reducing the gap between the business and IT. Having the 2 in strategic alignment is the goal. In most companies IT is not well understood by the business, and in most IT shops the business is not understood. Consider the table below:

| IT point of view | Business point of view |
| --- | --- |
| IT Gurus provide advice from on high | IT is a cost to be controlled |
| IT provides service to consumers | IT is a vendor |
| IT is a peer function driving business value | IT is a peer function driving business value |

In the first 2 rows IT and the business are not aligned. In the last row IT and the business are aligned and providing IT value. The board should be reviewing this gap and driving IT and business towards this alignment.

Value generation – Remember the 2 models of IT from the blog post on executive responsibilities in IT. Even when choosing the cost model, it is important for the board to govern the value it is getting from IT. This is where the board should get an understanding of what is being spent on IT, how much value that spending is driving, and what is being done to maximize that value. While the board may still say that only 4% of revenue will be spent on IT, it will still be important to be sure that the 4% is being spent in the best way possible.

Application owners will need to be able to articulate the value applications are providing the business. Infrastructure will need to articulate the applications and business functions that are being supported. In providing this information the board should understand the value being driven from IT.

Information Security – In today’s world of IT every company is one breach away from significant loss of information, revenue, earnings or brand reputation. It is important that the board understand what is being done to ensure an information security policy is in place and enforced in the organization.

It is also important that customers and employees feel that the information they give the company is used appropriately. It is the board's responsibility to ensure that this data use policy is in place and enforced.

Risk Management – Here the board needs to be assured that business continuity and disaster recovery plans are in place. This planning is not only for IT but for the business as well. While IT can ensure that systems are available quickly in the event of a disaster, IT cannot assure that business processes are in place to keep the business running while the systems are being recovered. This combined risk management plan should be reviewed with the board, and any disaster testing that has occurred should be reviewed by the board.

IT Human Capital Management – The people in an IT organization should have a succession plan that is a little different than the rest of the organization. Due to some of the unique skills needed in an IT organization, consideration should be given to having an on-call contract with a vendor to bring in needed IT skills. It is also important to ensure that IT leadership has an appropriate succession plan.

One other item to consider for an IT organization is that IT people sometimes have access to systems that give them extended capabilities. It is important to implement exit planning for those individuals and those plans should have board level review.

About the author:


Greg Stellflue has 25 years of experience in project management, application ownership and software development. With over 30 years of industry experience he has focused on advancing information technology capabilities in many different organizations.

Email: greg.stellflue@level5iveconsulting.com
