Information technology is a huge and critical issue that lies at the core of organisations. At the different spheres of an organisation, there is a profound understanding of IT, but unfortunately board directors in most companies are not well versed in the IT operations within their own organisations.
This was according to Michael Judin, senior partner at Judin Combrinck Attorneys, as he facilitated a panel discussion at the Governance, Risk and Compliance 2016 Summit hosted by IT Web and its partners yesterday in Hyde Park, Johannesburg.
Participating in the round table discussion, which focused on key success factors for corporate ICT governance, were senior analyst of Tyme Digital, Mthandeni Langa, and head of IT Risk at Wesbank, Bessy Mahopo.
Judin said the lack of IT education among company board members posed a huge risk to organisations.
"Smart as they may be in growing companies, 90% of these hugely experienced and very successful company directors are absolutely clueless about IT and this will impact on corporate governance of IT.
"How does a board who should be delegating strategy to management, deal with IT-related operations when they don't understand it?" he asked the panel.
He said this brought about a huge level of frustration.
Langa, who is currently conducting research at the University of Johannesburg in this area, responded by explaining the purpose of IT governance.
"IT governance is established to get an IT representation at board level. That is why the board of directors should issue guidance, which will be interpreted from within the company's corporate information technology policy.
"That policy will then be taken to operational management level," he explained.
Mahopo responded by stressing that the complexities within the discipline of IT are the main reason employees may not easily understand it, especially at board level.
"Roughly 20 years ago we didn't care about protecting mobile phones and the data in them but as time progressed IT gained huge hype from everyone because suddenly the business is using IT and there's a heavy reliance on IT," she noted.
She added that one thing the board are experiencing is the global hype surrounding IT, where certain concepts such as IoT have gained traction.
"The first thing the board want to know is what does this mean to me? This hype is now forcing board members to put IT on the agenda in their meetings.
"There is sudden interest in IT and how we operate our IT environment because key businesses now depend on how robust their processes are and this is where GRC comes in," she continued.
She pointed out that IT GRC professionals need to educate all company employees as quickly as possible to ensure that they understand the world of IT.
Judin referred to the complicated court case of Australian company Centro, where the judge in his ruling held the non-executive board of directors liable for matters of damage in fraud for not complying with governance stipulations.
"It's not sufficient for the board to approve and say yes to an IT proposal just because they think it's a good idea, but rather approve it because they understand it.
"There is no governance without education, from a governance perspective it's very important for the board to have a deep understanding, not necessarily on the same level as their executives, but enough understanding to know what you are approving," he advised.
He said there is nothing to be ashamed about in saying one needs to be trained and to request such training.
"The board need enough understanding to say yes let's do this with our cyber security strategy, or yes I approve this because it will improve our companies in certain areas."
Mahopo concluded by saying it is everyone's responsibility within an organisation to ensure that they are educated on relevant issues which affect their line of work.
"Because everyone in any organisation has accountability, this means that everyone is responsible for ensuring that they understand IT in order to understand IT GRC processes," she said.