How Responsible for IT Governance Is the BoD?

Author: Graciela Braga, CGEIT, COBIT Fundamentals, CP, GDPR Foundation
Date Published: 26 October 2022

In today’s changing world, the stakeholders of an organization, such as customers, suppliers, employees, shareholders, regulators and society in general, require the board of directors (BoD) to lead the creation of value or, at least, its maintenance.

Since people, information and technology are critical resources for meeting this expectation, it is more necessary than ever to implement, and to audit, effective technology governance.

There are two fundamental questions: What is IT governance? And why is the BoD ultimately responsible?

IT governance is “the responsibility of executives and the board of directors; consists of the leadership, organizational structures and processes that ensure that the enterprise’s IT sustains and extends the enterprise's strategies and objectives.”1

Leaving legal questions aside: if "the Board of Directors...has broad responsibilities for the exercise of the functions of strategic guidance, supervision, control of ordinary management"2, and if technological resources drive the creation of value through improved products and services for customers, improved internal processes, staff training and the application of what is learned, and the digital transformation of the organization, then how could the board not be ultimately responsible for IT governance as part of organizational governance?

This is reinforced by The Institute of Internal Auditors (IIA) in its Global Technology Audit Guide (GTAG) Auditing IT Governance, which states that:

IT governance represents a subdiscipline of organizational governance, which is composed of leadership, processes, policies, and structures that ensure that information technology supports the organization's strategies and objectives. IT governance underpins the organization's regulatory, legal, environmental and operational requirements so that aspirations and strategic plans can be achieved.3

Based on COBIT®, ISACA’s framework for governance and management of enterprise IT, some important points for boards, management and IT functions include:

  • An organization's business objectives are derived from the needs and expectations of its stakeholders. They are the basis for defining IT objectives; this is how business-IT alignment is achieved in both directions and how IT investments create value. For example, the organization's strategic plan should state what is required from the IT function, and the IT strategic plan should align its projects, initiatives and investments so that they support that business plan.
  • If business operations require IT services, then the business is the client of IT, and the client defines the value of the service IT provides. It therefore helps if the IT function stops communicating in advanced technological language and uses business language instead.

The BoD is not only responsible for overseeing management; it also plays an important role as a strategic advisor on the services that the IT function provides to the organization and all its stakeholders.

In terms of implementation, COBIT establishes a set of components for an IT governance system, many of which are reflected in the multidisciplinary approach to governance advocated by the Institute of Corporate and Public Governance (IGEP), a member of the Global Network of Director Institutes (figure 1).

Figure 1—COBIT + IGEP

COBIT Components for a Governance System | IGEP Multidisciplinary Approach to Governance
-----------------------------------------|----------------------------------------------
Culture, ethics and behaviors            | What are the moral and social restrictions that impact the conduct of officers, directors and managers?
Organizational structures                | What is the internal design of the organizational structure? How does the incentive system that regulates relations between its members operate?
Principles, policies and procedures      | How do the legal rules impact actions?

To generate value from IT investments that are profitable in the broad sense, organizations need both the efficient use of resources and the management of IT risk. One of the most frequent concerns stakeholders raise is the growing risk associated with cybersecurity, especially ransomware. Most believe that addressing it should start with a risk analysis. However, that is not always the first step needed.

Why? Because the probability of an attack is close to 100%, as a glance at the news confirms. The impact is already known: inaccessible resources and unavailable information. The BoD should therefore ensure that incident response preparation includes decision-making that is informed and agreed in advance (including a do-not-pay position and how it will be communicated), cybersecurity awareness training for staff, teleworking and incident management policies, and backup policies whose restores are actually tested. Backups that have never been restored, or that sit on the same network the attacker can reach, give no assurance that operations can be recovered.

It is this preparation that enables board members to know what to ask in order to obtain information, and to answer the questions about cybersecurity risk that the BoD will undoubtedly receive from interested parties when an incident affects the organization's reputation or share value.

With a fresh look at the role of the BoD and other stakeholders in IT governance, it is time for boards to take advantage of the opportunity that IT governance offers to create value in their organizations.

Endnotes

1 ISACA®, "Glossary"
2 The Development Bank of Latin America, Guidelines for a Latin American Code of Corporate Governance, Venezuela, 2013
3 The Institute of Internal Auditors (IIA), Global Technology Audit Guides (GTAG): Auditing IT Governance, USA, 10 September 2021

Graciela Braga, CGEIT, COBIT Fundamentals, CP, GDPR Foundation

Braga is a certified professional in enterprise governance of information and technology (EGIT), focused on achieving enterprise and alignment goals. She has worked on audits and reviews for public and private entities using international frameworks such as COBIT® and the International Organization for Standardization (ISO) standards. She is an author and researcher on the governance and management of information and technology in various media, including ISACA® publications. Braga is a former leader of the ISACA COBIT and Frameworks Community and a global guidance contributor to the second edition of The Institute of Internal Auditors (IIA) publication Global Technology Audit Guide (GTAG) Auditing IT Governance. She can be reached at www.linkedin.com/in/graciela-braga-cgeit.