Step 6: Monitoring

Adopt a continuous process and measure results

Board oversight should be the safety net for ensuring that a comprehensive IT program supported by the chief executive officer and senior management is followed by the company. However, the rapid pace of IT change can cause previous conclusions about the board's approach to IT oversight to become stale quickly. Directors will want to know whether there are any changes to the company's IT plans or new strategic initiatives and their underlying risks.

Decisions about how critical IT is to the company (Step 1), the board's approach (Step 2), identification and prioritization of the most relevant IT issues (Step 3), and the integration of IT into strategy and risk management (Steps 4 and 5) should be revisited at least annually. To assist in ongoing monitoring, directors may want to:

  • Consider regular IT updates to address whether planned IT activities are being implemented effectively and in a timely manner: Directors should define how often they will receive these updates from management. The frequency of board discussions with the CIO and the number of hours the board spends addressing IT may also need to be revisited based on changing facts and circumstances.
  • Determine which key performance indicators and IT metrics they expect to receive from management so they can oversee IT effectively: It may be helpful to create a director's dashboard to capture these metrics. Examples of key IT performance indicators are:
    • reliability of all key operational systems (number and duration of unplanned outages),
    • number of active significant IT projects,
    • return on investment for significant IT projects,
    • IT spend versus budget, by major category,
    • number of security breaches (including significant viruses, worms, and successful hacks), and
    • negative chatter about the company in social media.

The key is to initially define a process that works best for your particular board and then put the process in place. Ongoing monitoring of the effectiveness of the company's IT activities should be supplemented by a continuous evaluation of the board's oversight process. Not only does the business change and technology evolve, but the composition and level of IT expertise of the board fluctuates. Periodic “fresh looks” at the framework will provide directors with confidence in their IT oversight.

The bottom line

As technologies continue to evolve, directors will likely face more IT oversight responsibilities. Therefore, implementing a defined process for board oversight can provide distinct advantages over an ad hoc or poorly defined approach. Following an agreed-upon methodology provides thoroughness, discipline, and rigor to satisfying a board duty that concerns many directors. We believe that use of the IT Oversight Framework enables directors to bridge the “IT confidence gap” and rest more comfortably knowing a robust oversight process is in place.