Information technology underpins so many aspects of corporate governance that it can no longer be ignored by non-executive directors. Today, they must recognise it is integral to risk management, business continuity planning and accurate financial reporting, and can be a key strategic driver. Moreover, in their role as independent protectors of stakeholder interests, they must make sure money spent on IT is spent wisely.
Of course, a non-executive does not need to be fluent in IT jargon to carry out his or her duties. “A director does not have to understand every detail of corporate finance to understand how it can be applied effectively to his business,” explains Professor Jim Norton, senior policy adviser to the Institute of Directors and a non-executive at two companies. “In the same way, a director does not have to understand exactly how IT works to understand how it can be used and abused. Non-executives simply have to ask the right questions, and to document it... without being fooled by IT’s great but unjustified mystique.”
For many companies, the appointment of a tech-savvy non-executive is essential. An ambitious high-tech business, for example, will probably need an independent board member who can offer valuable contacts from relevant industries and advice from a position of experience in larger operations. This need will be especially acute if a company is public, about to go public or relies on private equity. Equally, if a company decides its future development depends on IT – for example, if a retailer decides to expand its operations online rather than on the high street – it may decide to recruit a new non-executive.
However, other companies may find they can meet their IT governance obligations, and get the independent perspective they need, without putting a new non-executive on the payroll. “You could bring in advisers to work with your existing non-executives,” suggests Jan Babiak, head of information systems assurance and advisory services at Ernst & Young. “For example, if you are putting in a big IT system and then not doing any more development work for the next few years, you may not have any need for a new non-executive with specific IT expertise.” Indeed, she continues, “Non-executives often have very little IT experience in their CV because of the era in which they held executive roles.”
E&Y no longer recruits non-executives on behalf of other companies, but it does advise non-audit clients on what they should look for in a non-executive. “Many companies are looking for non-executives with IT expertise, but some are more enlightened about IT than others,” says Ms Babiak. “Most still treat it as a utility, when in fact it can be a dynamic enabler.” Accordingly, she is currently running seminars for groups of 10-15 non-executives, to improve their knowledge of IT governance issues.
Other non-executive advisers and recruiters say they have yet to see pressure on boards to recruit additional members specifically for IT governance. However, all agree that any non-executive should be able to put the day-to-day issues of IT governance into a strategic context. “Through wide networks and experience they should provide their organisation with an external view and a wide perspective – for example, in potential mergers and acquisitions,” says Ms Babiak.
A non-executive should be able to benchmark the IT department in the same way as any other aspect of the business. They should also ensure the rest of the board focuses not on the technology per se, but on the information it stores, sorts and interprets. “When asked what their information assets are, many directors will immediately think of their e-mail or IT systems, as well as databases and registries,” says Andrew Rathmell, chairman of the Information Assurance Advisory Council, an IT advisory group. “While these are important, it is vital not to overlook embedded information, for instance in manufacturing systems, as well as intangibles, such as research and development, intellectual property rights, brand, reputation and complementary assets.”
Prof Norton suggests that the best non-executives are those with a holistic set of skills. “They need to be aware of how every part of the business contributes to its objectives. They also need to be aware of the great panoply of risks it faces. Ten or 15 years ago, when you appointed a non-executive you expected them to be financially literate. Now they must be IT literate in the same way.”
Ultimately, though, they must be able to ask pertinent questions. “Many boards feel that, as long as they have the right independent advisers explaining IT to them in business terms, they are doing enough,” says Phil Keown, head of technology risk management at Grant Thornton, the accounting firm. “They will probably rely on their CIO to alert them to strategic opportunities and directions. Therefore, a non-executive needs to be able to question those opportunities, to make sure the board is not simply investing in the CIO’s pet projects. The IT field is one in which it’s fairly easy to blind people with science.”
Similarly, non-executives should help to ensure their companies respond appropriately to new regulations, codes of compliance or best practices. As Prof Norton points out, UK companies may not be affected directly by Sarbanes-Oxley, but they are conscious it will raise the bar on corporate governance. As a result, he says, “we are seeing increased confusion. Many companies are storing much more data than they need to, with the result they could be making themselves more vulnerable rather than less.” In such a situation, a good non-executive should help to prevent his or her company from turning one liability into another.


