INTRODUCTION

‘Can IT align with the business?’1

Your immediate response to this question gives a sense of the adequacy or otherwise of your IT governance arrangements. If you think it’s a good question, one worth pursuing, then you’ve just identified the first, and most critical, symptom of inadequate IT governance: a disjunct between your most important business enabler and the business itself.

If you find the question incomprehensible – because, to you, it’s axiomatic that IT aligns with the business – you may not need this book. However, before putting it aside, consider this: a late-2004 global study2 of North American and European businesses found that only one-quarter of the respondents considered their business and IT strategies to be ‘fully integrated and developed simultaneously’ – which is a backward step from the findings of the same study in 2002, in which one-third of respondents considered these processes to be fully aligned.

Symptoms of inadequate IT governance

1. How does your board assess (measure) the real contribution made by any of your IT systems to improving the organization’s competitiveness?

2. What divergence is there between the views that your sales/operational management has of the benefits of IT systems and projects and those of the IT management? Who is right and how do you find out? Are you getting maximum value (maximum business benefit for minimum actual total cost) for each of your IT investments? How would you know? How would you know if your IT spending is putting your company at a cost disadvantage?

1 Computer Business Review, March 2005

2 ‘Why Today’s IT Organization Won’t Work Tomorrow,’ AT Kearney, 2005

3. What is your board’s process for comparing the (fully costed) ROI on your technology projects to those of any other strategic options, including acquisitions, and how does this affect strategic planning?

4. What is your board’s view on the relationship, in your organization, between the potential impact of a compliance or information security failure (in financial terms) and the (fully absorbed) cost of meeting the compliance and security objectives? What is the total actual (direct and indirect) cost of all the compliance and information security incidents in your organization in the last twelve months?

5. What is the real, financial value to your organization of its information and intellectual capital and how are you leveraging it?

6. How are you driving up the intellectual capital/headcount ratio? What’s the relationship between this ratio and the IT intensity (IT investment to headcount) ratio?

7. Do all your IT projects come in on time, to budget and to specification?

8. How does your D&O insurance deal with the personal consequences for directors of IT failures arising from inadequate board oversight of core business processes and significant financial transactions?

If your organization has a clear, widely understood set of answers to these questions, complete with meaningful metrics, then you probably have an effective IT governance framework in place. The fact is, very few organizations do. There are a number of reasons for this.

Competitiveness

The first is that IT and IT governance simply don’t feature on the CEO’s top 10 list of challenges. Tighter cost control makes it in at number seven; transferring knowledge/ideas/practices within the company (which could, arguably, be linked to using IT as an enabler), makes it on to the list at number 10.

What are the top three challenges?

Not surprisingly, they are all related to competitiveness as measured by revenue growth. The Conference Board’s annual survey for 20043 listed the top three challenges identified by CEOs worldwide:

1. Sustained and steady top-line growth

2. Speed, flexibility, adaptability to change

3. Customer loyalty, retention

This focus on top-line revenue growth is as much a challenge in the public, voluntary and not-for-profit sectors as it is in the private one. Information technology is, surprisingly, only a subsidiary issue in responding to this challenge, as is evidenced by the IT Governance Institute’s ‘IT Governance Global Status Report 2004’4, which found that:

1. 93 percent of business leaders recognize that IT is important for delivering the organization’s strategy, yet

2. 93 percent of respondents experienced IT problems in the previous year; 40 percent of respondents identified operational failures, incidents and an ‘inadequate view on how IT is performing’;

3. 75 percent of the IT community recognize that IT has problems that need resolving;

4. More than 80 percent of the IT community thinks that IT governance has some part to play in resolving these issues.

In the AT Kearney survey5, only 28 percent of IT leaders ranked IT as a top 10 percent issue; only 37 percent of ALL the executives surveyed ranked IT as being this important.

3 ‘Conference Board CEO Challenge 2004’, Executive Summary

4 ‘IT Governance Global Status Report, Executive Overview’, IT Governance Institute, 2004

5 ‘Why Today’s IT Organization Won’t Work Tomorrow’, AT Kearney, 2005

Historically, therefore, the CEO community has not rated the importance of IT governance nearly as highly as does the IT community. However, while shareholder and regulatory pressures have been driving IT governance up the board agenda, the over-arching reason for IT to become a key board room issue in the 21st Century is the extent to which information and information technology is now driving and shaping the competitive environment.

Shareholder accountability

Institutional investors carry part of the blame for the fact that IT has not historically been on the CEO’s agenda. ‘One of the key problems with IT is that the City just doesn’t get it. When analysts sit down with CEOs and finance directors, attention is focused on the financial performance of the business and its strategy moving forward. As a key driver of the competitive profile of the business, IT systems and plans should be rigorously studied. But very few analysts know the right questions to ask to assess how IT will support the business goals.’6

Institutional shareholders are becoming more muscular. Technology is as significant a component of the organization’s cost base as its headcount, but usually consumes substantially more capital. Driven, in part, by the changing corporate governance climate and, in equal part, by the poor record of IT projects, stakeholders and institutional shareholders increasingly seek transparency around IT. This is hardly surprising, when you consider the extent of project disaster made possible by the historic culture of opaqueness around IT governance.

For instance, the Standish Group’s research on IT project failure7 found that:

• 16.2 percent of software projects completed on time and on budget;

• 31 percent of projects were cancelled before completion; and

• 53 percent of projects would cost over 189 percent of their original estimates.

6 Justin Urquhart-Stewart, HP IT Governance Roundtable, November 2002

7 ‘The Chaos Report’, the Standish Group, 1995

There hasn’t been a significant improvement since then. A Conference Board survey in 2001 found that:

• 40 percent of projects failed to achieve their business case within one year of ‘live’;

• Where benefits came through, it was six months later than expected;

• Implementation costs were, on average, 125 percent of budget;

• Support costs were, on average, 120 percent of budget.

But it’s not only about project failure. 80 percent of corporate assets today are digital8 and, as shareholders and boards focus on the extent to which information and intellectual capital are fundamental to their competitive position and long term survival, so they recognize the fiduciary nature of their responsibility to shareholders in respect of the organization’s information assets and IT.

Compliance

Regulatory compliance and risk management appear to go hand in hand. The best companies have always addressed strategic risk from the boardroom; Basel 2 and today’s corporate governance regimes increasingly expect risk management to be pervasive throughout the culture of all organizations.

Across the world, a proliferation of sometimes competing data protection, privacy and computer misuse legislation, little of which has clear implementation guidance or established case law, creates new challenges for corporate boards. Governance regimes – particularly Sarbanes-Oxley – have substantial IT compliance components. Securing information against organized crime and cyber terrorism ought to be high on corporate agendas, but isn’t: just 20 percent of the respondents in a global survey strongly agreed that their organizations perceived information security as a CEO level priority.9

8 Testimony of Jody R Westby, PwC Managing Director, to the House of Congress Committee on Government Reform, September 2004

Is it therefore surprising that authorities are increasingly looking to regulation to force the issue up the agenda? ‘The road to information security goes through corporate governance. America cannot solve its cyber security challenges by delegating them to government officials or CIOs. The best way to strengthen US information security is to treat it as a corporate governance issue that requires the attention of boards and CEOs.’10

Directors’ personal liability

Historically, the outside, or non-executive, directors of companies have been personally immune – financially, if not in terms of reputation – from the legal consequences of failure of the companies on whose boards they sit. A Stanford University study, for instance, found only four US cases, by 2003, where individual defendants had been forced to contribute personally to the settlement of securities class actions.

However, in 2004, an ex-Chairman of Global Crossing made a substantial (US$30 million) personal contribution to settling a class action.

In January 2005, substantially all of the outside directors of both WorldCom and Enron agreed to settle class actions by contributing personal funds to the settlements. Ten Enron directors agreed to contribute an aggregate US$13 million; ten WorldCom directors agreed to contribute an aggregate US$18 million, which reportedly represented approximately 20 percent of their wealth. These personal contributions were in excess of the amounts provided by Directors and Officers insurance, which was exhausted by the cases.

While these settlements don’t constitute an admission of liability or of wrongdoing by any of the settling directors (the cases are still, at the point of finalising this book, subject to court approval, with the WorldCom agreement in serious jeopardy), they point to significant changes in the personal exposure of outside directors. There is an argument that the WorldCom and Enron settlements are aberrations and that, once the dust has settled, courts will return to the ‘norm’.

9 Ernst & Young, ‘Global Information Security Survey 2004’

10 ‘Information Security Governance: a Call to Action’, US National Cyber Security Summit Task Force, April 2004

In the UK, Equitable Life is suing its former auditors, Ernst & Young, and its previous directors, both executive and non-executive, for professional negligence in relation to its near collapse in 2000. While the hearing of the £2.6 billion claim started in April 2005, the UK’s Commercial Court had already ruled in 2003 that the company could proceed with a claim that its non-executive directors were negligent over implementing a strategy which later proved to be unlawful.

The Disney case, in which the company is taking action against its directors in respect of the hiring – and later firing – of Michael Ovitz, provoked the comment that the alleged facts in the case: ‘suggest that the defendant directors consciously and intentionally disregarded their responsibilities, adopting a “we don’t care about the risks” attitude concerning a material corporate decision. Knowing or deliberate indifference by a director to his or her duty to act faithfully and with appropriate care is conduct, in my opinion, that may not have been taken honestly and in good faith to advance the best interests of the company.’11

In a similar vein, the former Chief Justice of Delaware commented, in March 2005: ‘Directors are expected to act—indeed are presumed to act, unless the presumption is rebutted—“on an informed basis, in good faith, and in the honest belief that the action taken was in the best interests of the corporation.” This means that when making a business decision directors are expected to inform themselves with all material information reasonably available.’ In other words, the reasons for action against outside directors are not limited to fraudulent activity; negligence or breach of fiduciary duty is the main thrust of any such action.

11 Chancellor Chandler, in the US Court of Chancery

‘There are seven normal expectations that a stockholder should have of a board of directors. Although there may be others in some situations, the stockholders expect that:

1. The stockholders will have a right to vote for the members of the board of directors and have a right to vote on fundamental structural changes, such as mergers;

2. The board of directors will actually direct the management of the company, including strategic business plans and fundamental structural changes;

3. The board will see to the hiring of competent and honest business managers;

4. The board will understand the business of the firm and develop and monitor a business plan;

5. The board will monitor the managers as they carry out the business plan and the operations of the company;

6. When making a business decision, the board will develop a thorough understanding of the transaction and act in good faith, on an informed basis, and with a rational business purpose;

7. The board will operate with basic honesty, care, and loyalty; and

8. The board will take good-faith steps to make sure the company complies with the law.’

He went on to advise outside directors that they should:

• ‘Embrace best practices in governance practices;

• Pay special attention to the board agenda—is the board focused on the right issues and is the board involved in making that determination?

• Make sure you have a reasonably complete understanding of the company’s business, competitive environment, financial controls, and financial disclosures. The same is true of the need to have a thorough understanding of a particular transaction being considered for board action.’12

12 ‘A Perspective on Liability Risks to Directors’ (emphasis added by the present writer), E. Norman Veasey, former Chief Justice of Delaware and now a senior partner at Weil, Gotshal and Manges LLP, March 2005

While the law itself hasn’t changed, the ‘norm’ may be in the process of doing so:

• These various settlements and actions raise expectations for future settlements;

• Plaintiffs’ legal firms (who are competitive and fee-orientated) will use these cases as benchmarks in future cases;

• Legal actions for breach of fiduciary duty can be expected, over the years ahead, to include failures in areas other than simply keeping the CEO and the executives in check: failures of large IT projects, for instance, through inadequate project governance, or of significant corporate losses through inadequate information security, might each be at the heart of a future action against directors personally;

• The corporate governance and information security climate is changing with increasing scrutiny of governance practices and information security arrangements and, therefore, the likelihood of new scandals emerging.

The costs involved in legally defending directors are substantial, as are the personal penalties that can be incurred. Directors and Officers’ (D&O) insurance has developed to transfer this risk to the insurance market and D&O covers have gradually broadened over the years. It usually (in the UK, certainly) includes protection in respect of any claim or claims first made against the directors ‘jointly or severally by reason of any wrongful act’ committed – or alleged to have been committed – by them in their capacity as a director or officer of the company. But a combination of rising claim numbers, a doubling of average settlement cost per claim, and increased shareholder activism has radically changed the insurance market. Not only are premiums increasing, but layers of cover are being stripped away, leaving many directors unknowingly exposed to greater personal risk than ever before.

There is ‘an increasing trend to impose personal liability on directors and other officers for the shortcomings of companies. In considering the practical consequences of this liability regime, it cannot be assumed that all those exposed to personal liability are able to obtain protection through insurance. The availability of insurance cover reflects the market’s appreciation of relevant risks.’13 The market for D&O insurance is tightening as the willingness to take on these risks has decreased. Policies have increasing limitations and fees have increased, with the result that smaller companies and high risk enterprises may have difficulty securing cover. This trend may be exacerbated as more insurers understand the potential for IT-related disaster and realize that boards with inadequate IT governance frameworks may have significant legal exposures.

‘The future of how D&O policies will be handled by the courts is an open question as bankruptcies mount and laws and regulations change to meet the challenge. There is an absence of case law determining how courts will rule on certain policy language and no guarantee that they will uphold policy provisions.’14

Conclusion

The pressures on boards – in both the public and private sectors – to implement an effective IT governance framework are becoming inexorable. The straightforward guidance provided in this book recognizes that, while there is no one-size-fits-all solution, IT governance, to be of value, has to simultaneously deliver improved competitiveness, better compliance and greater shareholder transparency – while enabling directors to clearly and properly discharge their fiduciary duties in a way that helps them avoid the risks of litigation that exposes them to personal, financial ruin.

13 Australian Corporations and Markets Advisory Committee Report on Directors and Officers Insurance 2004

14 www.aon.com/uk
