So what is governance of technology and is it discussed in the boardroom, delegated to management or hidden from directors? The international standard on 'Governance of IT' for the organisation (ISO/IEC 38500) defines it as a system by which current and future use of IT is directed and controlled, as a subset or domain of organisational or corporate governance. This guidance document also has a focus on the role of good governance in contributing to improved performance through innovation and strategic alignment.

I recently participated in the initial discussion of the AICD 'Technology Governance and Innovation Panel'. It is clear that there is a wealth of experience and information available to directors but that it needs to be more accessible. The following includes some tips about what exists and why directors might find it useful. This resource is continuing to evolve and includes voluntary guidance documents that Australian experts have contributed to over the past 20 years.

What are the right questions to ask about technology and innovation, and how will you interpret the answers? A good place to start is with an understanding of your business profit levers, culture and what gets your stakeholders, customers and regulators excited. Combine these factors with the six principles, tasks and governance mechanisms in ISO/IEC 38500 (Figure 1) and you will have a framework to find appropriate questions.

Governance of IT Principles

  • Responsibility
  • Strategy
  • Acquisition
  • Performance
  • Conformance
  • Human Behaviour

Governance Tasks

  • Evaluate
  • Direct
  • Monitor

Governance Mechanisms

  • Delegation
  • Strategy & Policy
  • Proposals & Plans
  • Performance & Conformance

Figure 1: ISO/IEC 38500 Governance of IT Principles, governance tasks and mechanisms

Like most things about being a company director, it’s about being comfortable with complexity and building up your knowledge of what makes your organisation tick. You can approach the topic in the same way that you would with other aspects of the governance role such as financials and risk management. Through a lens of strategy and compliance, looking backwards and towards the future, we seek to understand the system in place and how we as directors can influence the outcomes. What are we required to do? How do we do it? How do we know it is being done? What are we going to do differently? What do our competitors do? The questions are a small subset of what we ask ourselves and management as we execute our fiduciary duty.

At the board level, the core standard 38500 started with governance of IT for the organisation and has now been joined by the relatively recent ISO/IEC 38505-1 on the application of these principles to governance of data. This is timely for directors seeking a deeper understanding of the governance of data that is created, collected, stored or controlled by IT systems, and impacts the management processes and decisions relating to data. This standard is currently being adopted by Australia. That means that this guidance will be more readily available to Australian organisations. Shortly this standard will be joined by a technical report 38505-2 that provides case studies.

The governance of IT standards have now been broadened and supported by the ISO/IEC 30105 series of standards in IT-enabled Services Business Process Outsourcing (ITES-BPO) to recognise the complexity of the way we purchase and provide services.

At the management level, various IT standards are used to improve performance and reduce risk; the continually evolving 20000 series and the ITIL framework are examples.

These guidance documents provide a shared vocabulary for directors and management and supplement corporate governance practice to include strategic focus on governance of technology and innovation.