Acuity’s Richard Baker explores the crucial, and yet often overlooked, role of IT governance that company chairmen and NEDs must be aware of in order to avoid any pitfalls when it comes to an exit.
In this digital age, IT is not only a mission-critical driver of strategic change but of corporate performance as well. Big Data, real-time analytics, multi-channel capability and specific digital solutions expertise are all central to strategic decision making and long-term success.
Nowadays, IT is right up there with leadership in terms of its impact on enterprise. For this reason alone, boardroom conversations in relation to IT need to be consciously forward-looking and strategic.
Unfortunately, the discussions are too often haphazard and take place purely as a result of either a regulatory requirement or some sort of cyber meltdown.
Lack of discipline
The Board must ensure that discipline is applied in governing IT just as it is in governing corporate strategy, financial performance, risk and compliance. In the modern tech era it is surprising just how often this is overlooked, frequently with disastrous commercial, economic and political consequences, as well as scuppering any chance of a successful M&A exit event.
A recent McKinsey study of corporate boards indicated that over half had just one dedicated IT discussion per year, or none at all. This is a consistent phenomenon across SMEs and blue-chips the world over, permeating all industry sub-sectors.
Over the past 10 years there have been numerous high-profile examples of companies that have failed to ensure IT governance sits at the top of the strategic tree. This seems to be a prolific phenomenon, particularly in the respective worlds of financial services and telecommunications.
Consequences and repercussions
Failure to take heed of IT and data security can result in major financial headaches. For example, in 2016 the telecoms company TalkTalk was issued with a record fine by the ICO for security failings that allowed a cyber attacker to access customer data “with ease”. The ICO’s in-depth investigation found that the attack on the company could have been prevented if TalkTalk had taken basic steps to protect customers’ information. The attack took advantage of technical weaknesses in TalkTalk’s systems.
It doesn’t end there. Also in 2016, serial offender RBS suffered a second tech-related migraine and fresh regulatory scrutiny, one that not even the strongest of aspirin could remedy, after a technology glitch caused the disappearance of thousands of customer payments only months after the bank had been hit with a record fine for IT failures. Some 600,000 customer payments and direct debits went missing after a systems failure that closely resembled the cause of its major IT meltdown in 2012. The latest problems threw further doubt on the ability of banks’ archaic technology systems to cope with the increasing number of customer transactions spurred by digital banking.
In addition, buyers are becoming increasingly hot on ensuring that would-be targets operate and adhere to a disciplined and structured set of IT and data security governance procedures. This can often form a separate specialist due diligence stream in itself, and it is a key area on which an acquiring entity seeks to gain comfort before funds are set to flow.
One step ahead
These incidents may seem excusable because, to date, there have been no consistent standards for IT governance, whereas board committees certainly understand their roles with regard to other areas of corporate control.
As there has been no comparable body of knowledge and best practice, IT governance does not exist per se. Indeed, board members frequently lack the fundamental knowledge needed to ask intelligent questions about not only IT risk and expense but also competitive risk. This leaves the CTOs, who manage critical corporate information assets, pretty much on their own. A lack of board oversight of IT activities is dangerous: it puts the firm at risk in the same way that failing to audit its books would. It also lowers the chances of a successful exit, with the potential to unravel a process during due diligence.
To have a crack at some sort of best practice methodology, the primary goals for IT governance should encapsulate the following:
- To assure that the use of IT creates optimal commercial value;
- To oversee and analyse management’s performance; and
- To mitigate the risks associated with using information and technology.
This can be achieved through board-level direction and by implementing an organisational structure with well-defined accountability for the decisions that affect the successful achievement of strategic objectives and good practices.
Making it happen
The correct IT approach depends on a host of factors, including a company’s history, industry, competitive situation, financial position, and quality of IT management.
A strategy that works for eBay will not work for a drug delivery company.
IT will continue to evolve at an ultrafast pace, and so will its associated risks. These should be viewed as an integral part of the overarching operational risks that any organisation has to deal with; failure to do so could send the finest of institutions back to the dark ages and delay an exit event for years.