Wednesday, May 7, 2014

Material Risk: Setting the board agenda for IT Governance

“The board of directors does not give IT Governance enough attention.” One of the most difficult tasks in IT Governance is to get the topic on the agenda of the Board of Directors. Identifying the material risks will give you the arguments needed to achieve this.

The complaint quoted in the opening line is often heard amongst IT Governance experts. And within most organizations it is probably true. However, most of the time the discussion stops there, at a statement of fact. Many experts seem to share the frustration at the lack of attention from top management but also believe there is very little they can do about it. No matter how hard they try, the board of directors just will not accept how important IT Governance is for the organization.

As a starting consultant I was educated by an organization that did not believe in such statements of fact. You address the issue, find the underlying causes and resolve those. So here goes. When I listen to the arguments for why the board of directors should get more involved with IT Governance I keep hearing the same arguments: “These days IT is pervasive in the organization”, “The cost of IT is high and subsequently so are the costs of IT failure”, “IT projects are big and costly projects and should get appropriate attention from the board of directors” and many more similar arguments. What almost all of these arguments have in common is that they are made from the perspective of the complainer, who in most cases resides in or works for the IT domain. First of all we should address the issue from the perspective of the board of directors; after all, they are the ones who need convincing. So as usual it is much smarter to look at the issue from their side and then try to find the arguments that make sense from their side of the table. Look at the problem from the top down, not from the bottom up. When you try to do this you might find it gives very interesting results. For example, a couple of years ago I was assigned to a major oil company, and as usual big organizations spend big money on IT-related projects, for instance SAP implementation projects with budgets of hundreds of millions and infrastructure projects with similar budgets. So yes, I felt that given the size of these projects IT Governance should rightfully get a lot of attention from the board of directors. Until I came across a listing of the top 50 biggest projects running in the organization. When I looked at the list I found that there was no IT project ranked in the top 50. For this organization a “big project” was building a drilling rig capable of drilling “ultra-deep” in the Gulf of Mexico.
Another project in the list was building a town for 10,000 people, harbour facilities and all the infrastructure and industrial installations for the oil and gas drilling operation on a deserted island off the coast of Siberia. In this organization, to reach the top 50 the project budget had to be at least a billion instead of just a couple of hundred million. The moral of the story: it might look big and important from the bottom up, but from the top down it may look completely different.

When you look at the issue from the perspective of the board of directors, the first thing you realise is that in most organizations the board does not fiddle around all day. The number and variety of topics that require their attention is vast and the agenda of the board is normally completely full. So if IT Governance claims more time on the board’s agenda, other topics automatically get less attention, since time is a finite resource. So the trick is to set the board’s agenda so that all those topics that are important enough to receive direct attention get time relative to their importance. However, given the incredible variety of topics, this is like comparing apples to oranges.

Here we introduce the concept of “material risk”. For me a material risk is a risk that, if it materialised, would gain the (negative) attention of the organizational stakeholders, more specifically those stakeholders that the Board of Directors is accountable to. Some examples: a failure of the SAP project at the oil company would have internal repercussions but would most likely not have a serious impact on the financial figures of the organization, so it probably would not attract a serious negative reaction from stakeholders such as the shareholders. On the other hand, a major Dutch bank had a project to upgrade its internet payment services. When customers of the bank were unable to use their internet banking facilities for the third time in a row, the CEO of the bank decided to apologise on national TV, promising it would not happen again. This was in reaction to the public outrage resulting from the (recurring) incidents. Clearly the IT project of the bank had a material risk attached to it.

So to set the board agenda you look for the topics that have material risks attached. Interestingly, those topics that usually make the board agenda (strategy, major projects and sizeable investments) always seem to have material risks attached to them. The difference is that now the reason why they are on the agenda can be logically assessed and compared based on the chance and impact of the attached material risks. It is noteworthy that in almost all cases where disaster struck an organization and the board of directors was taken by surprise, the unawareness of the board can be traced to the failure to identify and manage a material risk. For example, at the start of the financial crisis almost all boards of financial institutions were taken by surprise because almost nobody correctly identified the material risks attached to the financial products and services that were arguably one of the causes of the crisis.