NEWSLETTER // June 2015
By Andrew Ngozo
What Every Board Should Ask The CIO!
In an information age, it is folly for any medium to large-sized company to be without an information technology (IT) policy. It is even more damaging to an organisation if there is no chief information officer (CIO) to oversee that the policy is enforced in a way that moves the company forward.
Because the CIO is hands-on on a daily basis, the decisions they take are critical to the survival and success of the company. This cog in the company’s machinery has to be able to answer effectively to the board. It is often difficult for the board to keep up with the rapid changes that occur in the IT world. Just what should the board be asking the CIO?
The board oversees the company’s overall strategic direction and management. As part of this responsibility, it has to keep abreast of issues pertaining to the management and control systems in place to keep the risk of loss arising from fraud and error to an acceptable level. There are three areas that the board should focus on when assessing the CIO: strategic planning, internal control, and risk.
Strategy Is Everything!
Strategic planning should be carried out for the organisation’s information systems. The board should then ask the CIO if the company has a strategic information systems plan in place that is monitored and updated as required. It should seek to know if this plan forms the basis for the annual plans and long-term projects, and how much of a priority IT projects are in the company.
It is crucial to keep up with current technology trends to maintain appropriate information systems. Organisations that retain obsolete systems may find it difficult to integrate them with state-of-the-art systems, which may lead to lost opportunities. In this regard, has the CIO established appropriate measures to ensure that the company is up to date with technology trends? Are these periodically assessed and taken into consideration when determining how the company can better position itself?
Any kind of planning has to take into consideration the issue of organisational performance. This is key, as it highlights the areas that need to be improved on or that require change to be cost-effective and efficient. The CIO should be able to state if key performance indicators and drivers of the IT department have been determined, whether they are monitored periodically, and if they are up to industry standards. He or she should also point out if measures are in place to monitor and manage the performance of the company’s third-party service providers.
The hiring and retention of skilled staff is a challenge in the information age. Therefore, has management identified the required technology expertise and how top talent is attracted? Does the CIO have appropriate procedures to address IT employee turnover, training and project assessment?
Be Aware of Risks
Risk is part of every facet of business, and IT is not immune. In an IT context, risk relates to the probability that an error or processing disruption will occur within the system and affect the business operations of the organisation. In this regard, does the CIO have a plan to periodically conduct risk assessments covering the company’s use of IT, including internal systems and processes, outsourced services, and the use of third-party communications?
Related to the aspect of risk assessment, the board should ask the CIO how the company ensures data integrity, relevance, completeness, timeliness and accuracy, and its appropriate use within the company. It should also question the CIO on what arrangements the company has for regular reviews and audits of its systems to ensure that risks are sufficiently mitigated and that controls are in place to support the major processes of the business.
The entry of an organisation into e-business activities not only brings new risks, but also increases the risks that already exist. The risk of e-business derives from the fact that it is conducted over the Internet. The CIO should be able to answer questions about how the company is protected from internal and external attacks by unauthorised persons, which may harm the company’s reputation.
Most businesses are now so dependent on their information systems that, should these go down, productivity also drops. A backup system has to be in place. The CIO should be able to answer these questions: Do you understand the impact of an interruption in service, and are there plans in place to deal with potential interruptions? Is there a business continuity plan which is tested regularly, and are the results used to improve the plan?
The last thing that the board should consider is legal issues. These may be issues such as compliance with software licences. Have management and the CIO considered and addressed the legal implications that pertain to the use of software, hardware, service agreements and copyright laws?
Should you, as the CIO or as a board member, be able to raise or address these questions, you can rest assured that your company will be able to ride any wave that the technology tide brings your way!