In a recent Harvard Business Review article, authors Richard Nolan and Warren McFarlan explored the role of the board of directors in IT governance—and how most "fall into the default mode of applying a set of tacit or explicit rules cobbled together from the best practices of other firms." Instead, they argue, directors need their own framework to develop IT policies. First step: Determine your current approach, or mode (support, factory, turnaround, or strategic), to IT. (See sidebar.)
In this excerpt, Nolan and McFarlan discuss how to build an IT governance committee. Nolan is an emeritus professor of business at Harvard Business School and a professor of management and organization at the University of Washington Business School in Seattle. McFarlan is a Baker Foundation Professor and the Albert H. Gordon Professor of Business Administration emeritus at Harvard Business School.
How do you set up an IT governance committee? A company that decides it needs board-level IT oversight must do three things: Select the appropriate members and the chairman, determine the group's relationship to the audit committee, and prepare the charter. The first two are especially important.
We recommend that the IT governance group be made up of independent directors, as is the case with audit and compensation committees. Chairmanship is also critical. For firms in support, factory, or turnaround modes, the chairperson need not be an IT expert but should certainly be a tough-minded, IT-savvy business executive—either a CEO or a top manager who has overseen the use of IT to gain strategic advantage in another organization.
The expert's job is to challenge entrenched in-house thinking.
In any case, at least one person on the committee should be an IT expert who should operate as a peer at the senior management and board level. The expert's job is to challenge entrenched in-house thinking. He or she should not think ill of technology-averse cultures and must be a skilled communicator who does not hide behind technology jargon or talk down to board members. The expert should help the committee avoid dwelling on the difficulties of the work and emphasize instead the opportunities. The focus should be on the big picture: Conversations about IT strategy are hard and can be discouraging if the committee gets dragged down in technical details. (In fact, when looking for someone who fits these criteria, boards may find that many talented CIOs and CTOs drop off the list of potential IT committee members.) The IT expert must have not only a solid grounding in the firm's overall business needs but also a holistic view of the organization and its systems architecture. This is particularly important if the firm chooses to outsource its functions and connect multiple vendors across a network. The expert must also thoroughly understand the underlying dynamics governing changes in technology and their potential to alter the business's economic outlook.
Generally speaking, the IT expert serves much the same function as the certified financial expert on an audit committee. A CIO or CTO with solid experience in the management of IT qualifies; for example, the IT oversight committee chairman for the Great Atlantic & Pacific Tea Company (A&P) was previously CEO of an extremely successful supermarket chain on the West Coast, where he achieved impressive business results through effective IT system implementation and management. As chair of the IT committee, he helps balance his company's short-term business needs with long-term IT investments.
Unfortunately, skilled, business-oriented technology strategists are in short supply. In the absence of such a person within a company, an IT consultant who can help sort out technology issues can fit the bill, as might a divisional CEO or COO who is actively managing IT. Alternatively, a manager who has served in an influential technology company such as Microsoft or Oracle can help a firm determine its place on the strategic impact grid, begin to embrace emerging technologies, and locate other experts who can serve on the committee.
Businesses in strategic mode should have an IT oversight committee chaired by an IT expert. In this mode, it's even more important to get the membership right. For example, the chairman of the IT committee for Novell—a company in strategic mode—founded a major IT-strategy-consulting company, sold it to one of the then Big Six accounting firms, and continued as a senior partner in that firm's IT consulting business. Two other members of Novell's IT committee previously served as CIOs in major Fortune 100 companies; they also serve on Novell's audit committee.
We recommend that the relationship of the IT governance committee to the audit committee be very close, because IT issues can affect economic and regulatory matters such as Sarbanes-Oxley compliance. For this reason, it's a good idea to have one audit committee member serve on the IT oversight committee. The charter of the IT committee should explicitly describe its relationship to the audit group, as well as its organization, purpose, oversight responsibilities, and meeting schedule.