Ten years ago, Richard Nolan and F. Warren McFarlan wrote a Harvard Business Review article about the role of the board of directors (BoD) in IT governance.1 The authors stated that while companies spend a large amount on information assets and are highly dependent on these assets in meeting strategy, there is a general lack of BoD oversight for IT activities. This puts companies in a dangerous position, where chief information officers (CIOs) act on their own and IT-related risk is not recognized and properly addressed.
Nolan and McFarlan mention that some companies had taken the initiative on board oversight by creating board-level IT committees similar to audit, compensation and governance committees. They discuss how these committees can assist the chief executive officer (CEO), the CIO, senior management and the BoD in driving technology decisions, keeping IT under control and developing competitive advantage. But what exactly are these committees’ roles and responsibilities for IT governance? This article attempts to answer this question by examining the roles and responsibilities contained in the committee charters and matching these roles and responsibilities to the five IT governance areas depicted in the IT Governance Institute’s (ITGI’s) Board Briefing on IT Governance.2
Companies With Board-level IT Committees
A list of companies with board-level IT committees was compiled by searching the web sites of all Fortune 500 companies. Initially, 54 companies with a committee containing the word “technology” in the name were identified. However, reviewing the committees’ charters revealed that 30 of the 54 committees are primarily focused on research and development within the company rather than on IT. These companies were eliminated. Vanguard Health Systems Inc., which was recently acquired by Tenet Healthcare Corporation, was also set aside to eliminate redundancy, as the two companies have similar charters on their company web sites. The analysis is based, therefore, on the board-level IT committees for the remaining 23 companies (figure 1).
Descriptive information about each company and its board-level IT committee was collected (figure 1). Company information includes name, Standard Industrial Classification (SIC) code3 and 2014 fiscal year-end revenues.4 The companies come from various industries, as depicted by the range of SIC codes, from commercial printing (2750, R. R. Donnelly & Sons Company) to commercial banking (6022, State Street Corporation) to general medical and surgical hospitals (8062, Tenet Healthcare Corporation). The companies reported revenues from US $3,800 million (Allegheny Technologies) to US $476,294 million (Wal-Mart). The average revenue for all companies with board-level IT committees is US $44,058 million.
From each committee charter, the committee name, the year the committee charter was adopted or amended, the minimum required number of members and meetings, and the roles and responsibilities were collected. Information about the year the committee was formed was gathered by reviewing proxy statements for each company, where applicable. It was found that the board-level IT committees have various names. Six committees are simply called Technology Committee. However, the majority take on compound names, such as Automatic Data Processing’s Corporate Development and Technology Committee, or more inclusive names, such as Sempra Energy’s Environmental, Health, Safety and Technology Committee. Some even refer to governance or oversight, as in FedEx’s Information Technology Oversight Committee. Four of the board-level IT committees date back to 2000 or earlier, while 10 were started more recently, during the period from 2013 to 2015. Seventy-eight percent (18) of the charters have been adopted or amended since 2013. While one company, WellCare Health Plans, requires only one member on the committee, more than half (12 out of 23) require three members, six require two members, and four do not specify. The average required membership is 2.6. The minimum required number of annual meetings for the committees as specified in the charters ranges from one to four, with two being the most common. The average minimum required number of annual meetings is 2.7.
Committee Roles and Responsibilities
The committee charters listed 175 total roles and responsibilities, with each company listing between three and 16 (figure 1). The roles were coded into the five primary IT governance domains: strategic alignment, value delivery, resource management, risk management and performance measurement. Board Briefing on IT Governance was used to develop a summary sheet that guided the coding process (figure 2). An “other” category was created for roles and responsibilities that did not fit into these five domains.
Both authors were involved in coding. They jointly coded the first two companies to reach an initial understanding of the process. Then, the process was completed separately for the remaining companies. Each of the 175 roles and responsibilities was coded into one or more of the IT governance domains or the “other” category. There was 60 percent agreement between the classifications made by the two authors. Differences were discussed and resolved. A subsequent second review of the classifications by both authors working together resulted in some additional changes. These revised classifications serve as the refined data for analysis.
Findings
Figure 3 presents the coding results by company. Because each of the 175 roles and responsibilities could be coded into more than one domain/category, there were 214 total classifications. Thirty-eight of the roles and responsibilities were coded into the “other” category. These do not relate to any of the five IT governance domains, but instead relate to other duties including evaluating the committee and its charter, reporting on meeting activities, and carrying out other unspecified duties. The remaining 176 classifications relate to the five IT governance domains. Only eight companies (35 percent) have responsibilities covering all five domains.
Roles and responsibilities related to strategic alignment are the most frequently mentioned in the charters. Sixty-two items (29 percent) relate to this domain. Also, all 23 companies include at least one role coded as strategic alignment. Items were coded to this domain if they mentioned IT strategy and/or business strategy. Many of these items relate to monitoring trends, appraising systems, and suggesting changes related to IT strategy and its alignment and consistency with the organization’s strategy and objectives. One example from Bank of New York’s charter is: “Monitor and evaluate existing and future trends in technology that may affect the Corporation’s strategic plans, including monitoring of overall industry trends.” Another from Ingram Micro says, “Periodically appraise IT-related systems architecture to assure its consistency with the organizational structure, strategy, and business objectives of the Corporation.” A few of the items coded to strategic alignment also related to policies. For example, “Approve technology-related policies or recommend such policies to the Board for approval, as appropriate,” from Nordstrom, addresses the policy guidance aspect of strategic alignment.
Board Briefing on IT Governance discusses how strategic alignment drives value delivery and indicates that the two domains are often combined in professional and academic literature. Indeed, of the 16 cases of value delivery in the data set, eight were also identified as relating to strategic alignment. Most of these relate to prioritizing or evaluating IT investments and budgets to ensure that they align with strategy. An example of this is First Data Corporation’s role “Review, evaluate and make recommendations to the Board regarding the Company’s major technology and investment plans and strategies.” Other roles that fit into this domain refer to opportunities, benefits, competitiveness, growth and return on investment (ROI). One such role, identified in the charter of Nationwide Mutual Insurance Company, calls for the Technology Committee to provide “oversight of IT financial management disciplines, including return on IT investments.” While 14 of the 23 companies (61 percent) mention value delivery in their roles and responsibilities, it is the IT governance domain mentioned least often overall and by the fewest companies.
Roles related to resource management are found in all but three of the 23 companies examined. Resource management relates to various activities, from overseeing IT expenditures to maintaining skilled employees. Examples of resource management roles drawn from the charters include reviewing “significant information technology investments and expenditures” (American International Group) and the “talent and skills of the Company’s workforce supporting its technology” (Advanced Micro Devices).
Just over two-thirds of the companies (16, or 70 percent) include a role related to risk management in their charters. These 16 charters include 39 roles (18 percent) classified in this domain. Six of the charters cite three or more risk management roles, which could indicate the importance these companies place on the BoD’s role in risk management. Issues related to IT security, internal controls and audits, and disaster recovery plans are addressed by these duties. For example, one of FedEx’s roles is to “monitor the quality and effectiveness of the Company’s IT security.” As another example, Molina Healthcare calls for its committee to “oversee activities related to cyber risks, such as reviewing adequacy of the cyber risk budget.”
Twenty-nine roles and responsibilities relate to performance measurement. Seventy-eight percent of the charters include at least one performance measurement role. Performance measurement relates to tracking projects, monitoring services and measuring performance (figure 2). Example duties in the charters that relate to performance measurement include evaluating “the capacity, performance, and competitiveness of the Corporation’s IT-related systems,” from Ingram Micro, and periodically reviewing “key IT performance metrics,” from Nationwide Mutual Insurance Company. Also, World Fuel Services discusses overseeing and evaluating “the Company’s planning and implementation of significant technology and operations initiatives.”
Conclusions
While relatively few companies have board-level IT committees, the companies that have them span a wide range of industries. Also, many such committees have been formed recently, suggesting that more companies may establish IT committees in the future.
The charters for the committees reveal important conclusions. First, strategic alignment is by far the most often cited role for these board-level committees. According to Board Briefing on IT Governance, IT governance usually starts with strategic alignment as a driver for IT processes and value delivery. These BoDs have recognized this role of strategic alignment and have formalized it in their charters. Second, most committee charters do not include roles in all five IT governance areas. This could reveal an opportunity for these companies and their BoDs to broaden the scope of the committees. For example, they could increase roles related to value delivery, the domain containing the fewest roles in the sample.
Per Board Briefing on IT Governance, value delivery is the outcome of having a good IT strategy. BoDs should determine if the strategies they have evaluated and/or recommended have materialized.
Finally, the other three IT governance areas—resource management, risk management and performance measurement—are important roles for the committees to varying degrees. Interestingly, charters indicating risk management roles often mention multiple roles in this domain. This could reflect the varied and growing nature of IT risk, confirming the importance of board-level IT committees.
Endnotes
1 Nolan, R.; F. W. McFarlan; “Information Technology and the Board of Directors,” Harvard Business Review, October 2005, https://hbr.org/2005/10/information-technology-and-the-board-of-directors/ar/1
2 ITGI, Board Briefing on IT Governance, 2nd Edition, USA, 2003
3 Collected from www.sec.gov
4 Collected from individual company annual reports
Nancy Lankton, CISA, CPA, is an associate professor in the Lewis College of Business at Marshall University (Huntington, West Virginia, USA). She teaches accounting information systems (IS) and IS auditing. Lankton has published in many top IS journals, including the Journal of Management Information Systems, the Journal of Strategic Information Systems and the Journal of the Association for Information Systems.
Jean Price is an associate professor of accounting in the Lewis College of Business at Marshall University. She teaches introductory and intermediate-level financial accounting courses. Price’s current research interests include information technology governance and controls, and trust and distrust in electronic data exchanges.