Intellectual Property and IT Insights

10 June 2004

Draft standard on corporate governance and information and communication technology

By Paul Noonan.

Key Points:
The draft standard acknowledges that ICT corporate governance takes different forms but suggests that, at its heart, it will always have the core functions "Evaluate", "Direct" and "Monitor".

A Draft Australian Standard, "Corporate governance of information and communication technology", was released by Standards Australia on April 8 2004, with 10 June 2004 as the closing date for public comment. The draft standard was developed by a committee comprising representatives of business users and suppliers of information and communication technology ("ICT"), computer professionals, consumers and project managers.

The stated purpose of the document is to provide a framework for project and operations governance of ICT. In this regard, the draft standard when finalised could provide a platform for Australian organisations wishing to implement, for ICT, the sixth of the ASX's Corporate Governance Principles – "Recognise and manage risk. Establish a sound system of risk oversight and management and internal control."

The draft standard characterises ICT corporate governance as a "business issue that sits above the operational or project level in an organisation" and notes that it can take different forms in different organisations. The draft standard suggests that, regardless of the form taken, three core functions, "Evaluate", "Direct" and "Monitor", form the heart of corporate governance of ICT.

In our opinion, ICT corporate governance needs to be reviewed from two separate but related perspectives: that of the acquirer, or user, of ICT on the one hand and, on the other, that of the supplier of ICT goods or services. The draft standard does not address the second of these perspectives.

The ICT user and the "Evaluate", "Direct" and "Monitor" functions

The draft standard is intended to provide a framework for addressing the risks confronted by the ICT user. There is nothing in the document which would surprise even the most casual observer of the ICT industry. Nevertheless, there is much to be said for formalising a framework and giving it the imprimatur of Standards Australia, a non-government entity recognised as Australia's peak national standards body which provides Australian input to standards developed by the ISO (The International Organization for Standardization).

As described in the draft standard, the "Evaluate" functions are directed to analysing and understanding:

  • the people/positions responsible for ICT;
  • the organisation's present and future circumstances and stakeholder requirements for ICT;
  • the risks of proposed ICT investments;
  • ICT security risks and protection measures;
  • key business processes of the organisation and availability requirements;
  • the organisation's legal, regulatory and other obligations;
  • the people in the process to ensure that their needs are met.

The "Direct" functions, as described in the draft standard, are those by which "Senior Officers" of the organisation marshal its resources to address the issues identified by the Evaluate function by way of strategic plans, business cases for acquisitions and development projects, contracts for substantial acquisitions and operations and managerial or technical policies.

The "Monitor" functions are, unsurprisingly, those which enable Senior Officers to measure and report:

  • the capability of ICT to sustain business activity without unacceptable risk;
  • the continuing validity of business cases and the achievement (or otherwise) of promised benefits;
  • the extent to which IT services meet changing business needs;
  • performance of internal and external service providers; and
  • the effectiveness of business continuity, disaster recovery and security measures.

In our opinion the draft standard should include a requirement to "evaluate" and "monitor" potential opportunities and benefits of ICT investments.

Checklists and organisational culture

The draft standard contains a series of "Checklists for Assessment of ICT Governance". These would provide useful prompts to an organisation with an underdeveloped risk management and legal function. Many of the organisations which appear in the international shame files of poor corporate governance and failed ICT projects, however, were mature entities with formal policies directed to the very issues which led to the collapse of the organisation or project. These policies were poorly implemented or simply were not observed. A checklist would not have helped.

The ICT supplier and the "Evaluate", "Direct" and "Monitor" functions

Suppliers of ICT are also users of ICT. In that sense, suppliers confront the same ICT corporate governance issues as those outlined above.

ICT suppliers also confront risks which arise for them in the sales cycle. These include the possibility that under Australian law the supplier will be held to account for representations made during the sales cycle if the product or services do not live up to the statements made. While this is not an unreasonable principle in itself, it does constitute a risk for the supplier which needs to be addressed by appropriate policies and behavioural constraints.

The draft standard does not attempt to address ICT risks from the supplier perspective. It may be that these risks are the subject of another standard. The draft standard is, to some extent, a set of motherhood statements about ICT corporate governance. However, it does demonstrate the extent to which it is now recognised that good practices in ICT are integral to good corporate governance generally. There are some deficiencies in the draft standard which will, hopefully, be addressed during the public comment stage. The standard will provide a useful reference point from which organisations can develop their approaches to an important issue.

Disclaimer
Clayton Utz communications are intended to provide commentary and general information. They should not be relied upon as legal advice. Formal legal advice should be sought in particular transactions or on matters of interest arising from this bulletin. Persons listed may not be admitted in all states or territories.