SA boards defer IT responsibility


Despite an increased awareness of the importance of IT governance in boardrooms across South Africa, certain board members still tend to abdicate responsibility to the head of IT when something goes wrong.

Marius Van Den Berg, Partner at EY Africa, said worryingly and despite its strategic importance, IT governance is still deferred to the head of IT even though the buck should now stop with the board.

“Post the King 3 report on corporate governance in South Africa which came into effect in March 2010 and King 4 in 2016, there has certainly been an increased awareness of IT Governance at Board level and an acknowledgement on an intellectual level, especially by our larger corporates, that IT responsibility is now firmly a board responsibility.

“Nobody on the board can say ‘I didn’t know’ or I didn’t understand’ any longer.”

But in the on-the-ground reality, many boards are struggling with practical implementation and technical understanding, and therefore Governance is still deferred to the head of IT.

“Boards however ignore IT and IT Governance at their peril. Getting the IT agenda wrong could leave a business with an expensive bill. Worse, it could impair operations and even become an existential threat,” he added.

Not only is the spend on IT often a significant line item for most organisations, but technology is a key enabler, and often a key differentiator, especially for an excellent customer experience.

So how should boards take IT from remote service providers and the arcane world of in-house experts and give it its rightful place in the boardroom?

“A regular integrated IT report to the Bpard, that is a concise summary of a business’ IT health, risks and projects is a good place to start, “ Van Den Berg advised.

Vitally, such a report needs to be ‘business understandable’ to be of real use to the board. “It cannot be overly technical but equally board members need to make sure they understand it and ask for help if they can’t. And in line with integrated reporting, it also cannot be a stand-alone report.

“For example, while it may be important for a portfolio manager to be made aware of which IT projects are behind schedule, the CEO and the Board would more likely want to know about the performance of specific important projects, the mitigation of IT risks and the value derived from the IT systems.”

Boards should not only look at the IT report once a year. They should be given regular reports covering all major aspects of the IT environment at various intervals, culminating in an integrated report at year end.

The board also needs assurances that there is a framework in place that is used to guide and track the implementation of IT governance.

“Such a framework could be used to assess the capability of IT governance within the organisation as well as demonstrate progress or changes in desired capabilities over time.”

Van Den Berg said the King code was progressive in placing IT Governance on the Board agenda and a decade ago South Africa was the global leader in this aspect of IT governance.

“But given the pace of change in IT and the move into the digital era, South Africa is no longer leading the way. Certain large corporates compare favourably, however, with their international counterparts,” he concluded.