Corporate governance hit the headlines again recently with the breaking of the Fidentia scandal. It was, in fact, corporate scandals like Enron, Arthur Andersen and the like that resulted in the United States' obsessive drive for corporate governance with Sarbanes-Oxley (SOX) et al in the first place.
That there are moves afoot to replace SOX with a system that is less prescriptive, and thus less onerous to comply with, is perhaps an indication of how firmly corporate governance is here to stay - and how seriously C-level executives should be taking it.
Locally, a new Companies Act is on its way. Expected to come into effect next year, the new Act is dramatically different from the last version. According to the LexisNexis Web site, the Act includes, among other things, "accounting and auditing changes with increased liability for directors" and "an improved system of corporate governance and remedies for shareholders". King III is also reputed to be on its way, although this was unconfirmed at the time of going to press.
Corporate law firm Cliffe Dekker sets out the legal exposure this way: "In terms of section 424(1) of the Companies Act 1973, a person who is knowingly a party to the carrying on of the business of a company in a reckless manner... may be held personally responsible for the liabilities of the company."
Andrew Stekhoven, MD of Escrow Europe (South Africa), says South African directors and officers have a duty of care to a company's shareholders and stakeholders.
"This certainly includes an ICT duty of care. Where there is a dependence on technology for executing company functions, one has to examine the risk associated with that technology and determine what the dimensions of that risk might be," he says. In other words, although much of what is considered good governance practice is not spelled out in any local regulation or legislation, the law covers enough ground that a prosecution for negligence could probably be brought against the directors of a company that goes under because of a massive system failure. If it can be proven that the directors knew the system would or could fail catastrophically, and did nothing to remedy the situation, they are accountable.
Drawing the line
Governance across the board
Governance impacts and is affected by every aspect of a company's IT systems. All must be aligned in order for compliance to be achieved in the first place.
1. "Legislation has focused on the need for data protection and retrieval at all levels. Business initially focused on the data centre, probably quite rightly so. However, the growing popularity of mobile devices, as well as the reality that information is more decentralised and resides on the devices assigned to individuals, necessitates appropriate protection. This has been lacking.
"For example, a large financial services company discovered recently that there are 10 notebooks within the company that, if they went missing, could have a material impact on its business.
"As a result, there has been an explosion of interest around protecting the information contained on the desktop and the notebook. Gartner says 60% or more of corporate data is going home at night.
"About the same percentage of data is, as a result, being less than reliably backed up. Companies are taking note of this and starting to do something about it." - Michael Law, MD of Attix5
2. "The challenge faced by companies, which must retain records in accordance with corporate governance requirements, is that they have to store the information intelligently based on its value to the organisation and the likelihood that it may have to be retrieved at short notice. This is the essence of information life cycle management: storing information in a smart way, so it is managed according to its changing value over time." - Frank Touwen, area manager for EMC Africa
3. "Notwithstanding corporate governance legislation such as Sarbanes-Oxley, general corporate governance principles require proper management of all aspects of the business. Evidence of management of the business is held in corporate records, which immediately suggests that organisations need proper records management.
In addition, there is a close link between risk management and proper corporate governance. Corporate information and records potentially represent a great deal of risk, particularly considering access to information, privacy and protection requirements, which is why proper protection of company records is an absolute necessity." - Paul Mullon, information governance executive at Metrofile
4. "Professional technology escrow is absolutely part of the duty of care for the director or officer. So, Gartner, SOX and so on state that if you are dependent on technology for a vital or mission-critical area of your business, it is just good business practice to take out insurance against an event that may pose a problem for you in terms of business continuity, for instance, the software's developer gets hit by the proverbial bus." - Andrew Stekhoven, MD of Escrow Europe (South Africa)
Given the multiplicity of terms used to describe governance, and its components, a short clarification is necessary here. Corporate governance, as defined by Bitpipe.com, is "a term that refers broadly to the rules, processes or laws by which businesses are operated, regulated and controlled. The term can refer to internal factors defined by the officers, stockholders or constitution of a corporation, as well as to external forces such as consumer groups, clients and government regulations."
IT governance, also per Bitpipe.com, is "a structure of processes that govern decision-making around investment decisions, client relationships, project management and other important IT operational areas". As Lenore Kerrigan, HP SA business unit manager for HP Software, says: "IT governance is effectively saying 'you need to get your own house in order so that IT can function like a business'."
IT governance is a crucial part of corporate governance. It is a critical early step, in fact, to ensuring the success of any corporate governance initiative. It is this dependence that may finally turn the talk that has gone on over the years around uniting IT and the business into action.
As Kerrigan notes: "IT governance is effectively an automated mechanism to drive corporate governance."
iLayo Software Solutions managing director Inana Nkanza says: "Due to organisational dependence on technology, IT has an opportunity to increase its profile and increase the efficiency of the business with regard to corporate governance.
"The critical thing with Sarbanes-Oxley or any compliance is that it is not a once-off effort," he notes, adding that this is where business and IT need to be aligned, and where processes need to be put in place to automate compliance and ensure it is maintained.
"In order to serve corporate governance, you need system governance," says Amir Lubashevsky, managing director of Magix Integration, echoing HP's Kerrigan and iLayo's Nkanza.
"You need to ensure your systems are up to scratch and that people are not bypassing the rules or bending regulations. You cannot continuously change your systems to meet regulatory requirements, but you need monitoring, continuous auditing and processes to highlight irregularities."
Small steps
The place to start, Lubashevsky continues, is a full audit of all IT assets - hardware, software, systems and information.
"You first need to do a high-level audit to highlight visibility and identify problems. Ninety percent of the time you will find a problem," he comments. "Then you need to implement a platform-independent and application-independent tool to gain visibility of your processes and be able to see what people do with the company's data."
Compliance can only be maintained if people adhere to the processes and procedures the organisation lays down. To ensure that they do, activity must be tracked so that irregularities can be pinpointed and flagged.
Business Connexion CIO Hugo Winterbach outlines a three-phased approach: "Firstly, make sure you have done your homework. Analyse the compliance requirements, document procedures and identify the minimum control requirements. This must be a team effort and must involve legal scrutiny and advice."
Winterbach says the research phase of the process should be followed by an equally thorough planning phase, during which all policies and procedures are identified, and processes are aligned with compliance requirements. Winterbach cites storage and deletion processes as examples.
"A business may find its processes regarding the storage and deletion of e-mail conflict with the demands made of them from regulators, forcing it to shape the process to fit the standard," he says.
Finally, there is the implementation phase, in which policies are adapted to meet requirements. Winterbach emphasises that communication with clients and customers is crucial when finalising compliance. "Displaying your compliance and showing that your own house is in order can give your business a competitive edge," he notes.
Take it from the top
IT governance initiatives cannot, however, simply be launched on the fly by IT departments. As HP's Kerrigan says: "You need to have core sponsorship." Another critical factor is change management. Implementing IT governance, and corporate governance on top of it, affects every aspect of a company's operations. If staff are not on board from the start and do not understand why they have to stick to processes and procedures - and not, for example, lend their system log-in details to a colleague - the initiative will fail.
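The "continuous auditing and processes to highlight irregularities" that Lubashevsky describes, and the shared log-in that Kerrigan's change-management point warns about, come together in a simple detection check. The script below is an added example, not code from the article or from any of the companies it quotes: it reads constructed authentication log lines (the line format, field names and the ten-minute window are assumptions) and flags any account that logs in successfully from two different source addresses within that window, which is the typical footprint of a password lent to a colleague.

```python
"""Flag accounts that look shared: the same user ID logging in successfully
from two different source addresses within a short window.

Added example; the log format, field names and the window are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: "<ISO timestamp> <user> <src_ip> <result>"
SAMPLE_LOG = """\
2024-03-04T08:55:10 jsmith 10.1.4.22 success
2024-03-04T09:02:41 jsmith 10.1.9.17 success
2024-03-04T09:10:05 mnaidoo 10.1.4.30 success
2024-03-04T09:11:59 mnaidoo 10.1.4.30 failure
2024-03-04T12:30:00 pdlamini 10.1.7.5 success
2024-03-04T13:30:00 pdlamini 10.1.7.88 success
2024-03-04T17:45:12 jsmith 10.1.4.22 success
"""

WINDOW_MINUTES = 10  # assumed threshold; tune to the environment


def parse_log(text):
    """Parse lines into (timestamp, user, ip, result); skip malformed ones."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        events.append((ts, parts[1], parts[2], parts[3]))
    return events


def find_shared_logins(events, window_minutes=WINDOW_MINUTES):
    """Return (user, earlier_ip, later_ip, later_ts) for every successful
    login that follows a success from a different IP within the window."""
    window = timedelta(minutes=window_minutes)
    findings = []
    recent = defaultdict(list)  # user -> [(ts, ip)] of recent successes
    for ts, user, ip, result in sorted(events):
        if result != "success":
            continue
        for prev_ts, prev_ip in recent[user]:
            if prev_ip != ip and ts - prev_ts <= window:
                findings.append((user, prev_ip, ip, ts))
                break
        # Drop entries that have aged out of the window to bound memory.
        recent[user] = [(t, i) for t, i in recent[user] if ts - t <= window]
        recent[user].append((ts, ip))
    return findings


if __name__ == "__main__":
    for user, ip_a, ip_b, when in find_shared_logins(parse_log(SAMPLE_LOG)):
        print(f"{when.isoformat()} {user}: login from {ip_b} within "
              f"{WINDOW_MINUTES} min of a login from {ip_a}")
```

On the sample data only jsmith is flagged: two successes from different addresses seven minutes apart. pdlamini's two addresses are an hour apart and pass at the default window but would be flagged at a two-hour one, which is the trade-off the threshold encodes between catching shared credentials and generating noise from people who legitimately move between desk and meeting room. In practice the check runs over the real authentication source (directory, VPN or application logs) and its output feeds the irregularity review the article calls for rather than being acted on blindly.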
Another detail that is often forgotten is business benefit. While compliance is mandatory, it should be pursued in a way that delivers tangible benefit to the business, as having visibility into processes and procedures, or keeping up-to-date asset registers, does.
There is also a bewildering array of methodologies and best practices for every kind of governance initiative. Here organisations need to find a best-fit approach that will provide business benefit with the minimum of pain.
Compliance for the sake of compliance is of no benefit to the organisation. Taking the opportunities that the necessity of compliance creates - aligning IT and business, gaining visibility of assets, finding out exactly what data resides where and why, and so on - will deliver long-term organisational benefits. It is a win-win situation all round.