By donflinn | November 27, 2009
IT governance does not and should not operate in a vacuum. Therefore, in this installment we will briefly investigate the broader issue of corporate governance: its structure and its feedback mechanism.
Governance, done properly, should flow from the top layer of the enterprise to the bottom; from the Board of Directors to the lowest operating unit of the enterprise. If it is operating properly, the BoD should be responsible for setting high level corporate direction. Policies developed by the board inform the company of the board’s intentions relative to its macro outlook.
Given this, we can infer an important principle – corporate governance must be anchored in governance policy established by the board. Since a prime responsibility of the BoD is to assure long-term corporate viability and maximization of corporate value, it follows that the policies set by the BoD will have this same business goal, which should be positioned to influence, in a positive sense, the entire company’s direction.
As we move down the chain of command there must be coordination between the affecting and the affected layers. But there are constraints on this coordination. At the top level, while BoD policies are created in consultation with top management, the board has the ultimate responsibility for these policies. This is an instance of what is known as the independence requirement of the BoD. Boards can and should take input from management, but the board’s policy decisions must be those of the board alone, free of coercion by management. Most of the world’s governments make this a major tenet of their governance policy, using law and regulation to enforce it. Ignore this separation at your peril.
Continuing down the chain of command, strategic board policies should be used by management to set priorities and focus for the company’s business units. For example, some of these policies, either directly or indirectly, may establish the role that information and data play in the company. Policies such as these are examples of the type of policies that affect IT. Note that it is not the purview of the board to develop policies for any particular business unit but to develop broad policies that affect the viability and value maximization of the corporation. It is management’s job to interpret the policies in the context of each particular business unit.
A critical point is that the high level board policies are derived from a business point of view and directed toward long term corporate value maximization. Consequently, when these policies are used to establish principles to drive the business units, the business unit governance principles will be congruent with the business goals of the company.
Senior management, guided by board policies, has the responsibility to create specific rules and regulations for each of the business units that the policies affect. While senior management retains full responsibility, they will delegate some of the detail work to lower levels and will set up structures and processes to obtain pertinent input from knowledgeable parties.
In the rest of this series we will be discussing the policies, activities, duties and responsibilities that direct and control IT. So, while the concentration will be on goals that should be satisfied by IT, it is important that the derivation from the long term business goals be preserved. Continuity is easily lost during the detail activities, thus it will have to be continually enforced and renewed by company management.
It cannot be stressed too strongly that the legitimacy of specific rules and regulations lies in their derivation from, and correlation to, the high-level corporate policies. This emphasizes the importance and difficulty of getting the high-level policies right.
Beyond policies, rules and regulations, another important part of the broad governance structure is the committees that collect metrics on the output of the business units, their compliance with the directives specified, and how well the resulting outcomes meet corporate goals. These committees are the “boots on the ground” for the board and management and a major part of the feedback mechanism.
Each of the metrics should be reported to the correct party. Those which affect the board’s policies should be reported to the board, and those which affect the rules and regulations of the various management teams should be reported to those teams. The criteria for deciding who should receive which metric are dependent on who needs the particular metric to assess and correct a particular activity. This will require careful planning.
Part of the process of using the metrics is management’s responsibility to construct an effective enforcement mechanism. Without enforcement, the rules and regulations amount to nothing more than a wish.
In line with the independence principle, certain metrics relative to top management should be reported directly to the board, without any management filtering. An example is top management malfeasance or incompetence. This subject, while of critical importance, is out of scope of this blog.
In the next installment of this series we will begin to lay out the structures and processes for the implementation of IT governance.