Home / Resources / News and Trends / Industry News / 2021 / The Better the Board Management the Better the Governance

The Better the Board Management, the Better the I&T Governance

Graciela Braga
Author: Graciela Braga, CGEIT, COBIT Fundamentals, CP, GPDR Foundation
Date Published: 9 June 2021

Today, information and technology (I&T) can have tremendous influence on whether an organization succeeds or fails. For that reason, the King IV Report on Corporate Governance for South Africa 2016 stated that “technology governance has become a critical issue.”1

In general, governance is the responsibility of the board of directors (BoD) or the governing body. Accordingly, COBIT®, a framework for the governance and management of enterprise I&T, assigns the responsibility of the governance practices associated with organizational assets or capital, such as IT and financial resources, to the board or body.

The King IV Report lists 9 principles that embody good corporate governance. The 9th principle states that “[T]he governing body should ensure that the evaluation of its own performance and that of its committees, its chair and its individual members, support continued improvement in its performance and effectiveness.”2

Adding I&T Practices to Board Performance Review

The Board Management Excellence Model 2021 Edition, prepared jointly by the Argentine National Quality Award Foundation and the Management and Business School of the Argentine Austral University (Pilar, Argentina) expresses that “[T]he management of the governing bodies, separating for the execution, provides a context that facilitates their proper performance, setting the course and creating an environment of trust, transparency and accountability.” 3

The Model has 3 purposes:4

  1. It can be used to implement good board management practices through integrated and results-oriented performance requirements.
  2. It serves as a reference for a self-assessment process that the board can use as a tool to improve.
  3. It constitutes the parameter for the assessment of boards.

The model contains 7 criteria and subcriteria “…to establish the degree to which the board of directors performs its managing role and adds value to the company contributing to its continuity.”5 Using the model, 1,000 points are distributed among these criteria and the actual performance of a board can be defined by the compliance percentage of each criterion.6

I&T practices should be included in performance reviews, especially if the review is meant to address all board responsibilities.

I&T practices should be included in performance reviews, especially if the review is meant to address all board responsibilities. This can be achieved by using COBIT practices related to the board and I&T and adding them to the Board Management Excellence Model.

For example, the following governance practices and activities from COBIT® 2019 can be applied to the model’s criteria. In each case, the statement is the criterion from The Board Management Excellence Model 2021 Edition, and the bulleted items are governance practices and activities from COBIT 2019.

Definition of Mission and Roles of the BoD (140/1,000 points)
This is often legally required and includes the purpose of the BoD, what it is constituted for and what roles it should play for quality management and excellence. This can be defined using the following practices:

  • Determine the significance of I&T and its role with respect to the enterprise.
  • Communicate the principles that will guide the design of governance and decision making of I&T activity (e.g., I&T governance is critical to enterprise success; I&T and the business align strategically; business requirements and benefits determine priorities; enforcement must be equitable, timely and consistent; industry best practices, frameworks and standards must be assessed and implemented as appropriate) and agree with executive management on the way to establish informed and committed leadership.
  • Specify the authority that the board strictly retains for itself and determine the appropriate levels of authority delegation for I&T decisions, which should be made in line with the enterprise’s strategies and objectives and desired value.
  • Consider external regulations, laws and contractual obligations and determine how they should be applied within the governance of enterprise I&T.

Directors and BoD Structures (140/1,000 points)
This includes the methods by which candidates are nominated and linked to the BoD and the operating structure. This can be determined using the following practices:

  • Establish an I&T governance board (or equivalent) at the board level. This board should ensure that governance of I&T, as part of enterprise governance, is adequately addressed; advise on strategic direction; and determine the prioritization of I&T-enabled investment programs in line with the enterprise’s business strategy and priorities.
  • Involve an adequate number of senior executives in setting a governance direction for I&T.
  • Direct that staff follow relevant guidelines for ethical and professional behavior and ensure that consequences of noncompliance are known and enforced.

BoD Operating Processes (140/1,000 points)
This includes the methods by which the board carries out its activities (e.g., the induction of new members, training, the dynamics of meetings, the treatment of relevant issues, decision-making, documentation, distribution of reports, self-evaluation). These can be defined using the following practices:

  • Determine the information required for informed decision-making. Ensure that communication and reporting mechanisms provide those responsible for oversight and decision-making with appropriate information.
  • Assess the effectiveness of the governance design and identify actions to rectify any deviations found.

BoD and Management Team (100/1,000 points)
This includes the methods by which the BoD provides service to the management team (i.e., accompaniment, contribution of its network of contacts, succession, supervision, setting of remuneration guidelines) beyond its functions of appointment and control. This can be identified using the following practices:

  • Allocate responsibility, authority and accountability for I&T decisions in line with agreed-on governance design principles, decision-making models and delegation.
  • Assess the effectiveness and performance of those stakeholders given delegated responsibility and authority for governance of enterprise I&T.

BoD and Shareholders (90/1,000 points) and BoD and Stakeholders (90/1,000 points)
This includes the methods by which the board ensures that the organization manages links with its shareholders and major stakeholders. This can be organized using the following practices:

  • Align the ethical use and processing of information and its impact on society, the natural environment and internal and external stakeholder interests with the enterprise’s direction, goals and objectives.
  • Ensure that stakeholders are identified and engaged in the I&T governance system and that enterprise I&T performance and conformance measurement and reporting are transparent, with stakeholders approving the goals and metrics and necessary remedial actions.
  • Determine whether the requirements of different stakeholders are met and assess stakeholder engagement levels.

BoD’s Contribution to the Enterprise (300/1,000 points)
This deals with the board's contribution to the organization and covers the following 3 subcriteria:

  1. Contribution to sustainability (100/300 points)
    • Ensure that the enterprise’s risk appetite and tolerance are understood, articulated and communicated, and the risk to the enterprise related to the use of I&T is identified and managed.
    • Optimize the value of I&T by establishing a culture in which I&T services are delivered on time, within budget and with appropriate quality.
    • Maintain oversight of the extent to which I&T satisfies obligations (i.e., regulatory, legislation, common law, contractual), internal policies, standards and professional guidelines.
  2. Contribution to strategy (100/300 points)
    • Understand the requirements for aligning I&T resource management with enterprise financial and human resources (HR) planning.
    • Using current and future strategies, examine the potential options for providing I&T-related resources (i.e., technology, financial, HR), and develop capabilities to meet current and future needs (including sourcing options).
    • Review and approve the resource plan and enterprise architecture strategies for delivering value and mitigating risk with the allocated resources.
  3. Contribution to strategic and management control (100/300 points)
    • Monitor I&T-related sourcing strategies, enterprise architecture strategies and business- and IT-related capabilities and resources to ensure that the current and future needs and objectives of the enterprise can be met.
    • Monitor the allocation and optimization of resources in accordance with enterprise objectives and priorities using agreed on goals and metrics.

Board Evaluation Process

As the model explains, the evaluation of the board includes the determination of a percentage of compliance (on a scale of 0 to 100%, minimum 30%) in relation to the requirements, considering the following attributes:7

  • Methodology—To what degree practices are systematic and sufficiently formalized and applied, recorded, and periodically evaluated and improved.
  • Impact on board performance—To what degree this impact is identified, measured, and monitored.
  • Impact on organization performance—To what degree this impact is identified, measured, and monitored.

Conclusion

This kind of evaluation, included with a more general method to facilitate the assessment, helps the board improve and communicate its performance regarding I&T governance, benchmark with other boards, demonstrate its value for the organization and, thus, increase organizational value itself.

Endnotes

1 Institute of Directors Southern Africa, King IV Report on Corporate Governance for South Africa 2016, South Africa, 1 November 2016
2 Ibid.
3 Argentine National Quality Award Foundation and the Management and Business School of the Argentine Austral University, Pilar, Argentina,The Board Management Excellence Model 2021 Edition, 2021
4 Ibid.
5 Ibid.
6 Ibid.
7 Ibid.

Graciela Braga, CGEIT, CP

Is a certified professional in enterprise governance of information and technology (EGIT) oriented to the achievement of enterprise and alignment goals. She has worked on audits and reviews for public and private entities using international frameworks such as COBIT, Committee of Sponsoring Organizations of the Treadway Commission (COSO) and ISO standards. She is an author and researcher on governance and management of I&T in various media, including the ISACA® Journal and COBIT Focus. Braga is a leader of ISACA’s COBIT and Frameworks Community. Also, she was a global guidance contributor to the Global Technology Audit Guide (GTAG) Auditing IT Governance, 2nd Edition, published by The Institute of Internal Auditors (IIA). She can be reached at http://www.linkedin.com/in/graciela-braga-13279b58.