CHAPTER 6: ISO/IEC 38500 AND THE IT STEERING COMMITTEE

ISO/IEC 38500 is a principles-based standard. It describes what governing bodies should do, but does not provide guidance on how they should go about implementing an IT governance framework.

The governing body, in effect, needs to create a mechanism through which it can exercise its IT governance responsibilities and provide the business with technology leadership. The most effective way of doing this is through the creation of a standing board IT committee. Technology or IT leadership requires a specific mechanism of this sort, in a way that, for instance, neither HR nor sales do, for two reasons:

1. HR, sales, marketing, and so on are usually already dealt with effectively as part of the existing governance agenda; most members of the governing body understand the issues around sales and marketing, and the people involved in making sales happen get a great deal of informed attention. The organisation almost certainly already has well-developed governance frameworks for these key activities. No extra benefits would accrue to the organisation through the creation of additional leadership mechanisms for these activities.

2. IT, in contrast, is not as well understood at this level and there are usually no established IT governance frameworks inside organisations. It is not well understood, but it is critical: in 2019, the median investment in IT accounted for 19% of an organisation’s annual capital investment, with 49% of organisations increasing their budgets (and 29% reducing them).[14] There is, in other words, a gap between the importance of IT and the understanding of IT: an IT governance framework closes that gap, providing all those with a limited understanding of IT in the enterprise with a framework within which they can improve their understanding to a level appropriate for this critical contributor to their competitive position.

The top-level IT steering or strategy committee has a number of functions, some of which (depending on the size, structure and complexity of the organisation) may be dealt with through subcommittees.

This committee takes the lead, on behalf of the governing body, in dealing with IT governance principles (including the decision-making hierarchy), strategy and risk treatment criteria. ISO/IEC 38500 is very clear in its statement that the governing body cannot escape its overall responsibility for IT and, therefore, it continues to have a key role in monitoring and oversight across the whole of IT, and particularly in respect of project governance.

This monitoring component means that the IT committee has similarities to the audit committee and, given the extent to which IT governance issues impinge on audit issues (particularly around internal control), there is some sense in having a number of members of each committee in common.

They are not necessarily the same committees, however. Many governing bodies expect their audit committees to carry out, on their behalf, the crucial monitoring activities of their overall governance framework. In many such organisations, the monitoring component of the IT governance framework will be included in the agenda of the audit committee to ensure a clear segregation between those responsible for determining the ICT strategy of the organisation and approving investment (the ‘evaluate’ and ‘direct’ actions of ISO/IEC 38500), and those responsible for monitoring and overseeing the appropriateness and effectiveness of those decisions (the ‘monitor’ action).

Composition of the IT steering committee

The composition of the IT steering committee should be straightforward. The chair should be selected on exactly the same basis, following the same rules, as the chair of the audit committee. There should be a majority of independent directors on the committee, and key executives should be invited to attend: the CEO, the CFO and the CIO (or equivalent) would be included as a minimum. In some organisations, it would be appropriate to include the CCO (chief compliance officer) as well.

The other key business heads (whether they are from production, procurement, retail, sales, marketing, and so on depends on the sector, the organisation and the existing management structure) – the ones who would be included in any business strategy committee – should be included in the IT steering committee.

The CIO’s position and level of accountability should be clear. The CIO should be on the same level, and have the same status, as the CFO and the other functional heads (e.g. sales, marketing, etc.), with direct responsibility for managing the IT operations and personal accountability for the success of organisational IT activity.

The IT steering committee needs at least one independent director who has the right mix of business and IT experience, and sufficient gravitas to lead the board’s IT governance efforts.

All the other non-executive directors should be prepared and determined to question (evaluate and monitor) every aspect of IT planning and activity.

The executive – particularly the CIO and the IT management – should be banned from using IT jargon, and forced to express everything they have to say about IT in a format that focuses on comprehensible (to the non-IT specialist) opportunities, issues, risks or plans.

The IT steering committee should have access to external, professional advice on this as on other matters. Employ outside experts (strategic IT consultants) as board advisers with the specific brief of confirming that what the board has been told is accurate, complete and true and, if not, what has been left out.

[14] IT Spending & Staffing Benchmarks 2019/2020, Computer Economics, www.computereconomics.com/page.cfm?name=it-spending-and-staffing-study.
