Company directors must take a more active role in IT governance, or risk being held to account for IT failures within their companies, writes Justin Warren.
The Federal Court ruled on Wednesday that the directors of property group Centro breached their duties as company directors for failing to notice billion-dollar errors in the company's accounts.
For those of you that missed the story, Centro's directors had argued in their defence that they had relied upon the expertise of advisers, auditors PricewaterhouseCoopers, and Centro management.
That defence wasn't found to be sufficient. Justice John Middleton wrote in his judgment that company directors were expected "to take a diligent and intelligent interest in the information available to him or her, to understand that information, and apply an enquiring mind to the responsibilities placed upon him or her."
Justice Middleton also noted that "the case law indicates that there is a core, irreducible requirement of directors to be involved in the management of the company and to take all reasonable steps to be in a position to guide and monitor."
There are lessons here for any company director that chooses not to understand the more complex and detailed parts of a business - whether that's line items on the books, or the complexities of data governance.
The boards of most Australian companies are, at best, peripherally aware of the use of IT within their companies, and IT tends to be poorly regarded within most organisations.
Recent research of North American companies conducted by Financial Executives International and Gartner indicated that only 25 percent of chief financial officers see the CIO as a key player in determining business strategy. That's alarming when you consider that 42 percent of IT organisations report to the CFO, a number that is expected to rise.
How can directors be certain they will receive the information about IT that they need when their own executives hold IT in contempt?
"Only five percent of organisations have a true Business Intelligence strategy," says Ian Bertram, Managing Vice President at Gartner.
Operational dashboards and management scorecards provide part of the picture, but Bertram says that boards need to ensure they're asking the right questions.
"You have to ask 'What are the right metrics?'," he says. "Companies need to know more than what happened, they also need to know what's likely to happen."
As IT becomes more central to business - and exposed to greater risk - directors have much to be concerned about. There has been a spate of security breaches in recent months, from the sophisticated attack on RSA's SecurID product, to the widespread disruptions caused by LulzSec and Anonymous, not to mention the theft of private information held in trust by Sony's PlayStation Network and the Australian Institute of Company Directors.
Modern organisations are heavily dependent on IT for critical business functions. We have gone from a situation where IT played a support role with email, payroll and the like to one where IT is fundamental. Today, if IT stops, business stops as well.
With business performance heavily tied to IT, it is surprising that so many boards still ask few questions about IT capability, performance and risk.
One possible explanation is that board members are reluctant to explore areas where they have little experience. Research by Ernst & Young found that only 13 percent of Australian CIOs were offered a seat on the board, compared with 28 percent globally.
Another is that some business managers become so focused on technology, they lose the business context in which IT is used.
"In the boardroom, the discussion of IT should always be focused on business outcomes, performance and risk," says Mark Toomey, the Australian Institute of Company Directors' lead delegate to Standards Australia. He recommends that directors make use of the guidance contained in ISO/IEC 38500.
One company leading the pack in terms of IT governance is Westpac.
Under the leadership of Gail Kelly, Westpac set up a Board Technology Committee in April of 2009, partly as a response to the poor state of IT within the bank at the time, as reported by iTnews earlier this week.
The Westpac committee deals with more than just risk management. The committee charter defines nine key reporting areas covering strategic, implementation, and performance outcomes.
Westpac explicitly seeks to compare its performance to Australian and offshore peers "where reliable information and metrics are available."
Other organisations are seeing the value of having board visibility of the company's use of technology. Tabcorp have also formed a Board Technology Committee charged with assisting the board "to fulfil its corporate governance and oversight responsibilities relating to Tabcorp's investment, operations and strategy in respect of technology."
Will we see more companies join Westpac and Tabcorp in tackling the issue of IT governance head on, and forming technology committees of their own?
If directors are expected to "take all reasonable steps" to keep themselves informed, can a modern board afford to be without one?
Or will it take a failure of governance like that of Centro to get directors' attention?
Justin Warren is managing director of management consulting firm PivotNine, a firm specialising in bridging the gap between business executives and IT departments.