When deciding on the best board approach to IT oversight, directors should evaluate whether the board or a specific committee of the board will “own” IT oversight and whether the appropriate resources are available. This includes considering whether to add IT expertise to the board or engage outside consultants.
Who should provide IT oversight?
In our research, 56% of directors say the audit committee is responsible for IT oversight. This committee often oversees the company's risk management process, and IT is usually discussed from a risk perspective. One-quarter of directors assign IT oversight to the full board, while only 7% of directors use a separate board-level risk committee. Even fewer boards have established a separate board IT committee; the boards that have one believe IT is “critical” or “very important” to their company's success.
| | IT is critical | IT is very important | IT is somewhat important | IT is a commodity |
|---|---|---|---|---|
| The audit committee | 51% | 51% | 62% | 61% |
| The full board | 34% | 29% | 20% | 22% |
| A separate risk committee | 7% | 9% | 6% | 0% |
| A separate IT committee | 5% | 4% | 0% | 0% |
| No board oversight | 2% | 5% | 11% | 17% |
Regardless of whether the full board or a committee is given the oversight task, the board should consider the backgrounds and experience of existing directors to decide if they have the skills necessary to oversee IT. If not, the question is whether the board should add IT expertise, particularly for companies that determine IT to be of greater importance to their business.
How often should directors discuss IT?
Once the board determines who will provide IT oversight, directors should decide how often to meet and discuss IT issues, as well as when to communicate with the CIO. The amount of time the board spends on IT oversight increases in line with the importance of IT to the company: Half of directors at companies where IT is “critical” and about one-quarter of those at companies where IT is “very important” dedicate more than 11% of their annual board hours to IT.