I admit to criticizing my “alma mater” PwC for much of their thought "leadership" over the last years. Today, I come to praise PwC, not to bury it.
They have published an excellent guide for boards that merits reading not only by board members but also by all those responsible for management of IT, risk management and internal audit.
The guide, "Directors and IT: What Works Best," suggests a six-step process — what they refer to as an IT Oversight Framework — that I believe should be effective for the majority of organizations.
Why is this important? PwC answers:
- “The pace of change in this area is rapid, the subject matter is complicated, and the highly technical jargon used to describe emerging and evolving risks makes this a challenging area. And companies are relying more and more on technology to get ahead, often prompting substantial changes in how they operate.”
- “Many directors are confused by and uncomfortable with overseeing IT. They sometimes don’t have an adequate understanding of the subject to be effective and confident in overseeing this area. And they do not necessarily have a well-defined process to help them in fulfilling this very important responsibility.Together, these factors can create an 'IT confidence gap.'”
- “Directors are hungry for more information about the company’s approach to managing IT strategy and risk and believe they do not get enough information from management: 67% indicate their company’s approach to managing IT risk and strategy provides them with only 'moderate' information to be effective or the information 'needs improvement.' Many directors want more comfort regarding IT activities so they can sleep better at night.”
The six step process is described in detail in the guide. Here is my summary:
- Assessment: Understand the role of and reliance on technology — in the industry in general, and as it affects the organization in particular. As PwC says: “Conclude how important IT is to the company’s success.” But a word of caution — see #4, below.
- Approach: Who will provide oversight of IT and technology and how?
- Prioritization: Of all the technology-related activities, which merit priority attention?
- Strategy: In many ways, this is the most important area of focus. Most organizations are highly dependent on technology to advance — much more so than is evidenced by the responses to PwC’s study. Frankly, as intimated by PwC, when 87% directors and executives fail to indicate that reliance on technology is critical, it indicates myopia or outright blindness to the future. PwC reports that “Nearly half of directors believe the board’s ability to oversee strategic use of IT is less than effective.” However, they also say that “Most CEOs of global companies say technology is the number-one factor that will impact their company’s future in the next three years; they believe it will be even bigger than changing economic and market conditions.”
- Risk: As PwC indicates, technology is a source of risk to the business, and technology-related issues need to be "baked" into the risk management oversight process.
- Monitoring speaks to the continued need for oversight, not something you take on once a year.
This is, in my opinion, an excellent starting point for oversight (and management) of technology. But:
- My advice is to start looking at technology as the subject of discussion rather than IT. The IT function or department only manages or directs part of the investment in and use of technology across the organization. In fact, much of the budget and decision-making when it comes to technology is increasingly outside the IT function — especially when it comes to the use of technology for marketing.
- New technology and related issues change constantly, so don’t limit yourself to the subject areas introduced by PwC.
- Boards need to understand that IT is no longer a utility that provides a platform for the business. In most cases, it is a vital and integrated element and capability for strategy and execution. Separate discussions on IT and strategy, or even organizational performance, may soon have to disappear.
I welcome your views and commentary.
Editor's Note: Interested in reading more from Norman? Go no further than A Leap Forward for Risk and Compliance
About the Author
Norman Marks, CPA, is vice president, governance, risk, and compliance for SAP's BusinessObjects division, and has been a chief audit executive of major global corporations for more than 15 years. Norman is a recognized thought leader in the profession of internal auditing, frequent speaker and writer on governance, risk, and controls. Author of the Institute of Internal Auditors' popular guide for management to Sarbanes-Oxley Section 404, and their GAIT family of guidance products.