It can be very difficult to know who in a corporate is investing how much in IT, but guarding stakeholder value depends on it. IT investments below R20 million are most dangerous to stakeholder value, argued Thabo Ndlela, CIO at Sun International, at the IT Governance Africa conference, in early November.
"Everybody always thinks, nah, it's not a big investment. One of the things IT governance has done is place responsibility of technology decisions on the board."
At Sun International, the board not only takes responsibility, but also prioritises IT spend.
"In the beginning of the year, we sit with the board and executive management. We discuss investments, strategies that need to take place, and we agree on a priority list. I quite enjoy that, because everybody knows there are only four or five big projects. You come up with anything fancy [and] I'll say 'join the line for next year'. It makes my job so much easier.
"The big benefit is that board members say 'this is what's important to us from a business and technology point of view, and what we should stick with'. Now and again you may adjust as things change, but at least it gives you a base, so you don't get yourself into arguments you shouldn't be in."
The benefits extend beyond minimising arguments, however, to departments no longer doing IT investments on their own.
“The IT governance committee has brought law and order. We know of any IT investment you make. We've dropped the threshold as well; you can't say 'oh it's only R5 million', and nobody knows about it. Now we set up terms of reference, so everyone knows that anything you do has to be formalised."
But getting law and order may mean boosting IT's visibility at board level and setting up an IT governance committee, both actions potentially fraught with executive politics.
"At Sun, the CIO sits on the board. I thought that was refreshing," said Ndlela. "When they called me for the job, I said 'put me down for that one' because it sounds like I'll make some decisions. On top of that, they decided to put in place an IT governance committee as a sub-committee of the board. That's very forward-thinking, because even though King III speaks about it, most other companies have an IT steering committee, which is completely different."
If the IT governance committee is to be relevant to regulatory compliance and corporate governance, a governance framework (COBIT is one possible example) needs to be adopted as well. Adopting a framework is something the committee would do, Ndlela said.
Creating stakeholder value from IT, with investments aligned to business, needs a new governance approach.
"IT should be a subject that gets discussed at a board level. To put that in place, our organisation put together an IT governance committee, which King III speaks about and which I highly recommend. You may find there is no particular formula to this; that the committee reports to the risk committee or another committee of the board, or directly to the board.
"The bottom line is that there has to be engagement by board members, they should understand that IT is their responsibility, not executive management's. Boards like pushing IT responsibility down because they don't understand it, they're scared of it. That needs to be part of the discussion," concluded Ndlela.
Share