BoardroomDirect®
Update on the current board issues: December 2012


At a glance

This issue of BoardroomDirect® from PwC highlights results from the Carbon Disclosure Project and what the results mean for directors.

Issue in focus


IT oversight—Leveraging the CIO

Many company directors and their chief information officers (CIOs) are struggling to understand each other's information technology needs. Directors are often challenged by IT’s complexity and related technical language. CIOs aren't always sure which information the board wants or how to simplify the discussion.

The majority of directors acknowledge investing in and leveraging IT for competitive advantage is a top priority for the future success of their company. IT is also an area that creates significant risks that need to be effectively mitigated. The CIO can play an integral part in helping directors sleep better at night by developing responsible and strategic IT investments and providing the board with regular updates.

So while directors understand the importance IT plays in business strategy and risk management, some may not be grasping the importance of the CIO relationship.

"Many boards should be asking, 'Why isn't my CIO my wingman?'" said Virginia Gambale, a former CIO who is now a director with JetBlue and two other companies. "For many companies and their boards that are trying to have a better relationship with customers and business partners, there is a technological element. So you have to wonder why the person who can give you the idea generation is not sitting there with you."

Carolyn Chin, chair and CEO of Health Wellness Solutions and a director with two other companies, reiterated the importance of the CIO to boards. She and Gambale sat on a panel on CIO optimization during the National Association of Corporate Directors (NACD) Board Leadership Conference in October.

"You can't think about a strategic change without including the CIO," Chin said. "They play an important part in the information flow processes that allow informed directors to ask educated questions."

Two recent research publications refer to the importance of the relationship between the CIO and the board in IT oversight.

The Gartner-Forbes 2012 Board of Directors Survey: Stay in Balance describes the desire for companies to increase IT spending over the next two years even during uncertain economic times. A recent book by PwC (Directors & IT -- What Works Best™) provides a framework for directors to oversee IT. Both address the important role the CIO plays in helping boards understand IT risks and opportunities.

The Gartner-Forbes survey found that 86% of directors worldwide believe IT's strategic contribution to business will increase by 2014, with 18% saying the increase will be significant. Overall, IT was tied with sales as the top investment priority for boards. The survey also found a lot of exuberance for IT driving business and giving companies a competitive advantage. Sixty-six percent of directors agreed with the statement, "We start with people first, and IT provides the tools they need to compete." And half agreed with the statement, "In our industry, we see IT as a way to change the rules of competition."

In Directors & IT -- What Works Best™, PwC defines an "IT confidence gap" for board members as situations where directors want to better comprehend risks and opportunities related to IT, but they don't have an adequate understanding or the tools to be effective in their IT oversight role.

The PwC book describes various approaches to director and CIO communications. It cites the 2012 PwC Annual Corporate Directors Survey result that only 18% of boards are communicating with the CIO at every formal board meeting and that 14% aren't communicating at all. This may be contributing to the IT confidence gap along with several other factors:

  • Many directors grew up in a predigital age; their average age is 62.
  • Very few directors have IT backgrounds. (Less than 1% of Fortune 500 board members have been or are currently CIOs.)
  • Board time is at a premium. (Almost 60% of directors responding to the PwC Annual Corporate Directors Survey would like their boards to devote more time to IT oversight; only half of current board members spend more than 5% of their time on it.)
  • Technology is changing at a rapid pace.

Don Keller, a partner in PwC's Center for Board Governance who was the chief architect of the Directors & IT book, and a panel of experts at the NACD Board Leadership Conference all emphasized the importance of the CIO using appropriate IT oversight metrics to report to the board. Keller also pointed out that directors and CIOs have to prioritize the IT issues most relevant to the company.

"There are a lot of areas to consider, including data security, mobile computing, data privacy, social media, streamlining business processes with digital means, and cloud services," Keller said. "But not all of them may be equally important to a particular company."

Keller was referring to the third step in the six-step PwC IT Oversight Framework. The framework is a process boards can use to provide a structured approach for IT oversight, including oversight practices to facilitate those all-important discussions with the CIO. Those steps include:

  • Assessment: Evaluate the company’s current IT situation, while considering various factors, and conclude how critical IT is to the company’s current and future success.
  • Approach: Agree on the board's IT oversight approach including who is responsible (the full board, the audit committee, a risk committee, etc.), how often to discuss IT, and when to talk with the CIO.
  • Prioritization: Identify the IT subjects most relevant to the company and focus oversight efforts on those areas.
  • Strategy: "Bake" IT initiatives into the board’s oversight of overall company strategy based on the importance of IT to the company.
  • Risk: Include IT risks as part of the board’s risk management oversight process.
  • Monitoring: Adopt a continuous IT oversight process, regularly revisit the efficacy of that process, and measure results.

Such a framework can only work if a board is committed to understanding the role IT plays in the company and the opportunities and risks that are most relevant.

What directors should know about IT risk oversight:

  • Fifty-six percent of directors believe the effective use of IT in creating long-term shareholder value is critical or very important and another 33% believe it is somewhat important. (Annual Corporate Directors Survey)
  • Nearly 60% of directors would like to devote more board time to IT. (Annual Corporate Directors Survey)
  • Directors may have an IT confidence gap, which can be attributed to a variety of factors but can be overcome with a solid process for oversight. Historically, there have not been a lot of tools for boards to use.
  • Understanding the company’s current IT environment is an essential starting point for deciding on an appropriate process.
  • Make sure to prioritize the most important IT areas for oversight.

The IT oversight process should be continuous and provide the board with adequate information for effective monitoring.