As a board member, you are very aware of how rapidly the world is changing as a result of evolving IT capabilities, which is why it's essential that you have an understanding of this complex and ever-changing world. Articles on this topic are often in sharp contrast to the current situation in your organization where you may feel that IT costs are increasing and added value is decreasing. You do not need to become an IT expert, but in our opinion, there are eight topics that you should pay attention to. Some subjects are very complicated but are relatively easy to manage because much has been standardized over the years.
1. IT governance
In line with corporate governance, it is also important to indicate who is responsible for what. The good news here is that, especially for large companies, a de facto standard has been developed: COBIT (Control Objectives for Information and related Technology). This is a framework with a kind of checklist of subjects that require agreements. This is suitable to use internally and, because it is standardized, external parties such as auditors can also test and certify the extent to which IT governance is adequate. For smaller organizations, this framework is a bit overkill.
Fortunately, there is a simpler IT governance model created by Weill & Ross (1) that is at least as effective. They have defined five topics on which agreements should be made and have gathered market best practices for each topic. Your task would simply be to adapt these best practices to the context of your organization.
2. Information security
Information security is a subject you should never underestimate. It only gets more complicated with mobile devices, 'bring your own' strategies, and ever-increasing digital services. With information security, it is important to determine which risks matter most to you with regard to confidentiality, integrity, and availability, the so-called CIA triad model.
Each of these three aspects is scored on a scale of 1 = low risk to 3 = high risk. A certain dataset might, for example, have a CIA score of 223. This is an average risk in terms of confidentiality and integrity, but a high risk in terms of availability. Based on this, measures must then be taken. These measures normally involve technology, physical security, and organizational measures. All things considered, a challenging task. Here, too, standardization helps: the ISO 27002 standards have been defined for this purpose. These standards provide tools to organize information security and, for you as a board member, the ability to have it tested by third parties.
3. IT strategy
It's no surprise that you must pay attention to IT in your business plans, not only because of the high costs, but also due to the possible disruptive consequences that IT can have on your organization. You may demand that such an IT strategy be expressed briefly and concisely, without falling into the trap of describing what is obvious, and focusing on important topics that you, with your board members, have to debate and define. It is important that the final choice is a balance between the vision, the current maturity status of the IT operation, and what is required by your business environment. In short, a balance between what you want, what you can do, and what you have to do. The fact is that on average 70% of the IT budget is tied up in regular maintenance. In addition, a large percentage of the budget has to be spent on matters such as legislation and regulations, or on meeting the new standards of the service provider (shift to mobile solutions). Only a small part remains for innovation. A good discussion about what to do about this is important because otherwise you will be disappointed.
4. IT organization
In order to establish an IT organization, there are a number of standard models. Given the pace at which technology and thus IT organizations evolve, some of the models are somewhat outdated. Models which promote creating intermediary organizations between business and IT are among them. As a board member, you should be aware of that and minimize intermediate roles. Organizations should adopt an agile way of working, with interdisciplinary teams (business & IT) focusing on short-term results (sprints).
Another classic model that is still relevant is "IS-lite," which was created by Gartner (2) and includes the core competencies of an IT department:
• IT Leadership: connecting challenges of the organization with opportunities that technology offers and vice versa
• Developing information architecture: ensuring the cohesion of the systems inside and outside the organization
• Improving Business Processes: bringing knowledge and experience to technology, and developing solutions together in multidisciplinary teams
• Improving Technology: being alert to technological developments relevant to the management of external partners
• Supplier Management: directing external partners
As a board member, you should determine to what extent there are still intermediary roles between business and IT that probably add little value and see if the core competencies as mentioned above are secured.
5. IT maturity
How well are your basic IT processes organized? For example, solving bottlenecks, continuously adapting existing systems to new requirements from the outside, or managing the extensive portfolio of hardware and software. The good news is that these types of processes are also highly standardized. For example, there is the ITIL standard for technical management, the standard for application management (ASL), and the standard for business information management (BiSL). Because many organizations use these standard processes, it can easily be determined how mature they are. In fact, these standards can be used to assess the maturity level of your own organization. The many maturity models have ultimately been merged into one standard, which is called CMMi (Capability Maturity Model Integrated). This maturity model has five levels.
As IT maturity increases, the processes become more predictable and a shift is made from reactive to proactive. Before you set the bar for your own organization at level 5, we should warn you: most organizations do not go beyond level 3.
6. IT architecture
The era of stand-alone solutions is over. Everything has to work together with everything else. It is not acceptable to have multiple versions of the truth (customer address, product definition, etc.). But what exactly does this mean in practice, and how do you ensure this in your own organization? In many organizations, this coherence is described in the form of IT architecture. As a board member, you need to understand this architecture as it influences IT costs, the continuity of your business, and the flexibility of developing new business. Take your time to understand this. Like building a new home with an architect, you don't have to understand the technical details, but you do need to focus on the functionality IT can deliver. If your current IT architect is not able to explain this to you, stop investing in IT and hire a new IT architect who can bridge the gap between your business goals and the IT solutions that serve them.
7. Control of IT costs
For the standardized IT infrastructure, there are various organizations that carry out benchmarks of IT costs, either general or per sector. This kind of research can help as a conversation starter with your IT department regarding the cost-effectiveness of your company's IT and will help you to understand why certain choices were made so you can reconsider them.
When it comes to cost, large IT projects pose the biggest risk. To manage them, numerous methods and techniques are available. The most crucial factor to acknowledge is that there is a direct link between the scope and complexity of the assignment and the chance of success. Small, incremental developments are therefore strongly preferred for large and complex innovation programs.
8. Innovation and disruption with IT
As an organization, you should be alert to opportunities that IT offers or possible disruptions that occur as a result of IT. Unfortunately, there is no standardized method that helps you monitor these changes, but you will still need to be prepared to act quickly as an organization. This means two things:
• You should set up a process to help you spot significant technological developments and test their relevance & added value
• The organization must have the skills to quickly pick up new developments
Technology in and of itself does not matter; it's about how technology is applied. This is where the focus should be: spotting relevant developments. See where venture capitalists are investing their money; they'll often invest large sums in new technologies that they expect to yield a serious return. Hackathons are another great way to discover how to apply new IT developments to a current issue in your organization.
If a relevant development is then spotted, you must be ready to act quickly. The ability to do so lies in part with the technology and in part with the organization itself. In terms of technology, it means that there must be room for experimentation. For example, Peter Hinssen (3) recognizes a 'Build 2 Load' and a 'Designed 2 Change' environment. This allows the technology to remain dynamic enough to be adapted to your organization's needs. On the organizational side, we see new methods and organizational structures emerging, such as agile methodologies. Within the scrum framework, for example, teams work across disciplines and commit to short iterations of work. Many organizations have elevated this way of working to a standard, such as Spotify and ING.
In short, there is a rich set of instruments available to you as a board member to get a grasp on this complex IT world. Even though some far-reaching standards have been established for this, there are still some cases where you have to roll up your sleeves, such as with IT architecture.