Banking and Financial Services Insights

29 July 2004

Draft standard on corporate governance and information and communication technology

By Randal Dennings and Paul Noonan.

Key Points:
The draft standard acknowledges that ICT corporate governance takes different forms but suggests that, at its heart, it will always have the core functions "Evaluate", "Direct" and "Monitor".

A Draft Australian Standard, "Corporate governance of information and communication technology", was released by Standards Australia on 8 April 2004, with 10 June 2004 as the closing date for public comment. The draft standard was developed by a committee comprising representatives of business users and suppliers of information and communication technology ("ICT"), computer professionals, consumers and project managers.

The stated purpose of the document is to provide a framework for project and operations governance of ICT. In this regard, the draft standard when finalised could provide a platform for Australian organisations wishing to implement, for ICT, the sixth of the ASX's Corporate Governance Principles - "Recognise and manage risk. Establish a sound system of risk oversight and management and internal control."

The draft standard characterises ICT corporate governance as a "business issue that sits above the operational or project level in an organisation" and notes that it can take different forms in different organisations. The draft standard suggests that, regardless of the form taken, three core functions, "Evaluate", "Direct" and "Monitor", form the heart of corporate governance of ICT.

The standard has been developed to form a part of and supplement the AS8000 Good Governance principles series of standards issued in 2003.

In our opinion, ICT corporate governance needs to be reviewed from two separate but related perspectives: that of the acquirer, or user, of ICT on the one hand and, on the other, that of the supplier of ICT goods or services. The draft standard does not address the second of these perspectives.

The ICT user and the "Evaluate", "Direct" and "Monitor" functions

The draft standard is intended to provide a framework for addressing the risks confronted by the ICT user. There is nothing in the document which would surprise even the most casual observer of the ICT industry. Nevertheless, there is much to be said for formalising an ICT governance framework and giving it the imprimatur of Standards Australia, a non-government entity recognised as Australia's peak national standards body which provides Australian input to standards developed by the ISO (The International Organization for Standardization). Further, banks and financial services institutions will welcome the draft standard's integration into the existing Australian Standards Good Governance framework.

As described in the draft standard, the "Evaluate" functions are directed to analysing and understanding:

  • the people/positions responsible for ICT;
  • the organisation's present and future circumstances and stakeholder requirements for ICT;
  • the risks of proposed ICT investments;
  • ICT security risks and protection measures;
  • key business processes of the organisation and availability requirements;
  • the organisation's legal, regulatory and other obligations;
  • the people in the process to ensure that their needs are met.

The "Direct" functions, as described in the draft standard, are those by which "Senior Officers" of the organisation marshal its resources to address the issues identified by the Evaluate function by way of strategic plans, business cases for acquisitions and development projects, contracts for substantial acquisitions and operations and managerial or technical policies.

The "Monitor" functions are, unsurprisingly, those which enable Senior Officers to measure and report:

  • the capability of ICT to sustain business activity without unacceptable risk;
  • the continuing validity of business cases and the achievement (or otherwise) of promised benefits;
  • the extent to which IT services meet changing business needs;
  • performance of internal and external service providers; and
  • the effectiveness of business continuity, disaster recovery and security measures.

In our opinion the draft standard should include a requirement to "evaluate" and "monitor" potential opportunities and benefits of ICT investments.

Checklists and organisational culture

The draft standard contains a series of "Checklists for Assessment of ICT Governance". These would provide useful prompts to an organisation with an underdeveloped risk management and legal function.

However, many of the organisations which appear in the international shame files of poor corporate governance and failed ICT projects were mature entities with formal policies directed to the very issues which led to the collapse of the organisation or project. These policies were poorly implemented or simply were not observed. A checklist alone would not have helped.

The ICT supplier and the "Evaluate", "Direct" and "Monitor" functions

Suppliers of ICT are also users of ICT. In that sense, suppliers confront the same ICT corporate governance issues as those outlined above.

ICT suppliers also confront additional risks which arise for them in the sales cycle. These include the possibility that under Australian law the supplier will be held to account for representations made during the sales cycle if the product or services do not live up to the statements made. While this is not an unreasonable principle in itself, it does constitute a risk for the supplier which needs to be addressed by appropriate policies and behavioural constraints.

Conclusion

The draft standard does not attempt to address ICT risks from the supplier perspective. It may be that these risks are, or will be, the subject of another standard.

The draft standard is, to some extent, a set of motherhood statements about ICT corporate governance. However, it does demonstrate the extent to which it is now recognised that good practices in ICT are integral to good corporate governance generally.

Banks and financial services institutions (and other enterprises) that rely particularly heavily upon their ICT to function on a day-to-day basis will closely watch for the issuing of the standard in final form.

Besides their intrinsic interest in the subject matter of the draft standard, banks and financial services institutions will be aware of the participation of APRA in the standards development process. APRA has a continuing interest in the ICT competence of its regulated entities, and this appears to have featured in many of its recent reviews.

However, there are some deficiencies in the draft standard which will, hopefully, be addressed during the public comment stage. Of significance is the draft standard's lack of integration with AS3806 (the Australian Standard on Compliance Programs) and the draft standard's departure from the internal structuring of the Good Governance standards.

That being said, the draft standard will provide a useful reference point from which organisations can develop their approaches to this important issue.

For further information, please contact Randal Dennings.

Disclaimer
Clayton Utz communications are intended to provide commentary and general information. They should not be relied upon as legal advice. Formal legal advice should be sought in particular transactions or on matters of interest arising from this bulletin. Persons listed may not be admitted in all states or territories.