Risk intelligent questions for directors
Corporate directors aren’t expected to have intimate knowledge of every element of an organization’s information technology (IT) systems. However, if IT is at the center of a security breach, for instance, stakeholders will be looking to directors for answers – and they’ll be wondering what steps were taken to mitigate IT risks. “When it comes to IT governance, directors need to ask the right questions of management, and have enough knowledge of IT risks and the corresponding business risks,” says Deloitte Associate Partner Baskaran Rajamani, who specializes in helping clients manage their IT risks.
While the risk climate is constantly changing, Rajamani sees three key areas of concern around IT governance for today’s directors:
- Assessing and managing IT risk
- Aligning IT projects with business priorities and delivering value on IT investments
- Capitalizing on cost-reduction opportunities
By knowing what questions to ask and what answers to expect in each of these three areas, directors can gain a level of comfort around their organization’s IT governance.
Assessing and managing risk: A strong safety net
Security breaches by hackers. Intellectual property in the hands of disgruntled or downsized employees. Leaner teams leading to an inappropriate concentration of duties and weaker internal controls. Loss or distortion of data amid system changes or upgrades. These are examples of the more predictable IT-related risks facing most organizations. While an annual risk assessment may seem like an adequate safety net to mitigate these risks, successful organizations are increasingly becoming “risk intelligent” by ingraining risk management into their strategies, decisions and operations, while simultaneously focusing on maximizing the rewards that result from risk management.
While IT should be part of the company’s broader risk management strategy, there are particular questions directors can ask related to IT governance.
- What are the current IT risk hotspots that could have a critical impact on the business?
- What strategies has management implemented to manage these risks, and do they work in today’s economic context?
- Is there adequate governance of information security, data integrity and privacy?
- How does management gain assurance on the effectiveness of these strategies?
- Is there an IT steering committee in place to help balance IT’s contribution to creating business value while managing risks and rewards?
- When was the last time each risk was re-assessed and re-prioritized? Is there an updated risk management plan?
Aligning IT projects with customer and business priorities to deliver value on IT investments
With technology constantly and rapidly evolving, most companies juggle several technology projects simultaneously; in a technology-enabled market, this is necessary to gain or maintain competitive advantage. Whether the company is looking to gain competitive advantage or to comply with new regulatory requirements, introducing new IT functionality or systems to support each change generally requires investing in hardware, software, staff, and project management – which explains why IT projects can be among the most expensive costs of doing business. It also underscores why it’s essential to ensure IT is delivering a return on investments. Let us consider a simple example: the introduction of tax-free savings accounts (TFSA) in Canada in 2008. When the government announced the TFSA as a financial incentive for Canadians, some banks offered this option to their customers within weeks. This change required new IT functionality and additional investment, but delivered value by attracting deposits from keen customers. “This is a prime example of the importance of being able to quickly reassess and realign IT investment priorities,” says Rajamani. “What was considered a priority six months ago may no longer be relevant when reviewed in the context of new developments. By setting IT priorities in line with the overall business strategy, both can evolve with the changing business climate.”
To ensure that IT projects align with market- or regulatory-driven business priorities, directors can ask the CIO for insight into the IT planning process.
- Is there a documented IT strategy that is approved by stakeholders?
- Is there a process to continuously review the strategy and align IT’s priorities with those of the business?
- Is that process working? How do you know? How do you measure return on IT investment?
- What partnerships or outsourcing opportunities has the company considered to optimize costs and maximize the return on its IT investment?
- Have your IT priorities changed over the last few months? And, if so, why – or why not?
- Has a readiness assessment been conducted to ensure IT systems are able to adapt to evolving reporting requirements – such as IFRS, carbon disclosure, or XBRL?
Capitalizing on cost reduction opportunities while investing intelligently in IT
There’s no question that organizations can save money by leveraging IT to automate processes, by outsourcing some of their IT services, or by streamlining their infrastructure and applications to reduce the number of servers and consolidate applications into a sustainable number. But what about going green within IT? “Green IT isn’t just about going paperless or encouraging employees to turn off their computers,” says Rajamani. “Companies are increasingly investing in energy efficient IT hardware – for example, fewer servers that generate less heat, requiring less cooling. It’s a short-term investment that will achieve long-term savings. Plus, it can support the company’s broader sustainability initiatives through implementation of enterprise sustainability software and building energy management systems.”
To get a snapshot of the company’s IT cost reduction actions, directors can ask a few simple questions.
- How does the company’s overall IT spending compare to industry benchmarks? Has a plan been developed to address the findings?
- Has IT helped management evaluate the opportunities to automate controls monitoring and determine what ROI could be achieved?
- What risks might IT team size reduction or cost reduction efforts expose the organization to? Are these being managed?
- Has the company embraced green IT?
Start a conversation
While IT priorities and risks will differ for every business, the important message for directors is that they need to be part of the IT conversation. “There needs to be a continuous conversation and alignment between business and IT,” Rajamani says. “And if there’s not, it’s up to directors to start that conversation.”