ICT departments have over the last two decades moved from the obscure sections within the finance department into full blown corporate divisions with strategic impetus that can make or break organizations
Should Corporate Boards and CEOs trust their ICT Departments?
Unfortunately many have. And this has led to scandals upon scandals.
Most fraudulent activities are nowadays executed through ICTs and with the generous help of what is known as the ‘insiders’ within the ICT departments.
What has happened is that as the strategic role of ICTs in organisations grew, there was little or now commensurate growth in the ICT oversight capabilities of organizations.
Essentially, ICT departments have become the alpha and the omega, the beginning and the end, answerable only to themselves.
An environment with little or no oversight is fertile ground for all sorts of schemes and scandals – some by design, while many others by omission or laxity.
So what should Boards do if they cannot trust their ICT departments?
Corporate boards and their CEOs must institute and put their trust in ICT governance systems.
As we begin the new year, ICT governance should be part and parcel of your resolutions since it can never be overemphasised.
This is especially so because ICT Governance rarely gets visibility in this developing region that is automating faster than it can manage the related risks.
Most enterprises are jumping blindly into new technologies that bring convenience to their customers but are avoiding the cost of building oversight systems around these innovations.
In the end, the ICT departments are left to their own devices in terms of determining what systems need to be protected, how and when to protect them and under what budgets.
In the financial discipline, the oversight structures have been around for centuries and have matured to the point where they are now coded into our legal landscape.
For example, all organisations are required by law to do external financial audits every year and to file the same with the government registrar of companies or societies.
On the ICT side of things, there has been no such legal requirement to do ICT audits. Subsequently, many enterprises consider such ICT audits as an extra cost that can and should be avoided.
Whereas one can avoid the costs of doing ICT audits, they will end up incurring much higher costs in terms of stolen funds, damaged reputations, misguided or failed ICT projects amongst other side effects.
The new Data Protection Act does address part of the problem by demanding ICT audits – though from a limited perspective of protecting citizen privacy.
There is however need for corporates to go beyond the privacy requirements and institute processes and structures that compel the ICT department to do broad quarterly reporting to the boards – the same way it happens for Finance, Production, HR and other critical departments.
If the boards continue to provide little or no attention to what is happening within their ICT departments, they will continue to reap the losses that ICT scandals have visited upon organizations - both in the public and the private sector.
One way to get the Boards interested in oversighting ICT operations is to ensure that at least one of the board members has above-average knowledge in ICT related matters.
Unfortunately if our boards continue to be dominated by the over-seventy year old retired politicians and civil servants, our organizations will continue bleeding rather than benefiting from ICTs.
Mr Walubengo is a lecturer at Multimedia University of Kenya, Faculty of Computing and IT.
Email: [email protected], Twitter: @Jwalu