There are certain business practices whose significance is directly linked to the responsible entity. IT Governance is a ripe concept, content wise. But it is remarkably immature in its practice. It highlights the importance of aligning IT structures, processes and relational mechanisms with the business objectives. So far, so good. The problem arises when we forget an essential point. Accountability for IT governance relies on the governing body – Boards of Directors -, as opposed to business management – Chief Information Officers and CxO’s in general -. The thin line that separates governance from management is somewhat vague from the perspective of the “what”, but the real difference lies in the “who”. In today’s world, the importance acquired by technology and its business impact is contributing to an increasing role of the digital agenda in the boardroom.

The thin line that separates governance from management is somewhat vague from the perspective of the “what”, but the real difference lies in the “who”

A lack of awareness in this field by the Board of Directors and its renovation dynamics make it difficult to address IT governance effectively. In the ninth edition of the PwC report on Corporate Governance (Spain, 2018), two out of the three objectives that would demand more dedication from the Board are the digital strategy, as well as cybersecurity and technological risks. Nevertheless, when it comes to the most valued experience and knowledge, digital aspects scarcely arise in the seventh place, with just 29% of the respondents. There is a clear mismatch between the objectives to be addressed and the most valued profiles… Each of us can make our own judgements.

Figure 1. Which areas, functions or aspects would require more time to be addressed by Corporate Governance? Source: PricewaterhouseCoopers, November 2018

 

In public companies, the increasing influence of institutional investors, the recent legislation and the Corporate Governance Codes are accelerating a necessary board refreshment. In Spain, the Capital Companies Law was amended by the end of 2014 to improve enterprise-wide corporate governance. It defined a list of non-delegable powers for Boards of Directors in public companies. Crucial among these is the business strategy. Therefore, if we believe that technology is strategic nowadays, governance bodies must strengthen their digital competences and knowledge.

In the international context, the Sarbanes-Oxley Act (2002) enacted in the US requires public companies to establish adequate internal controls over financial reporting. European organizations based in the US have adopted these practices, thereby contributing to its influence overseas. Companies that are required to meet SOX compliance regulations must have robust IT security, logging and backup systems.

Business continuity risks and the direct impact in companies’ bottom lines have raised technology to a primary role

In 2017, Spain was one of the first countries affected by the WannaCry cyberattack that froze up computers across the planet and asked for money in return for unlocking user files. Big organizations like Telefónica, the Spanish multinational telecommunications giant, were deeply impacted. This episode, together with the increasing risks derived from disruptions, have marked a turning point in the consideration of these matters by the boardroom. Business continuity risks and the direct impact in companies’ bottom line have raised technology to a primary role.

Figure 2. Which knowledge and experience are the most valued for directors? Source: PricewaterhouseCoopers, November 2018

 

The banking industry is possibly the most advanced in this respect. The two major Spanish financial institutions, Santander and BBVA, have specialized committees – under their Boards of Directors – for the digital topics – Innovation & Technology Committee and Technology & Cybersecurity Committee, respectively -. Both committees are chaired by the Group Chairman, reflecting how IT is empowered to the highest level.

Nevertheless, the way ahead is certainly long and not free of difficulties. Digitization is still a new subject, and we might need a generational change in the boardroom to allow it for a greater role and visibility for it. Many companies have already started this journey by adding independent non-executive directors with the necessary profile. This trend has just begun and will be consolidated over the next coming years. Those companies advocating for strengthening their digital competences in their Boards will be much better qualified to define and govern successful strategies and provide maximum value to their shareholders in this change of era.