Who's Afraid of the Big, Bad Board?

Boards of directors increasingly are turning their attention toward IT. And while board-level oversight can be scary, evidence is mounting that CIOs, their departments and their enterprises can - and should - thrive in the spotlight.

Bill Farrow remembers the time when his company's board of directors first realized just how critical technology - especially robust, redundant technology - was to the success of their organization, the Chicago Board of Trade. It was in April 2003 (Farrow can't recall the exact day), and the futures and options exchange had been hit by a message storm: an influx of computer impulses that suck up computing power and preclude servers from finding available capacity for processing all the messages. Farrow's staff had been monitoring the performance of the servers and feared they might become overloaded and crash. The IT staff brought the trading system down for a few minutes until they could clear the queues of messages. Within 20 minutes, the system was back up. By acting quickly, IT staved off catastrophe. The servers didn't crash; no trades were lost.

Farrow, who is executive vice president in charge of IT, says his board thanked him for catching the problem before the systems crashed. And when he proposed a new trading platform to ensure that such a close call never happened again, the board members didn't baulk. They quickly approved the new infrastructure, even though it would cost tens of millions of dollars.

Corporate boards are increasingly aware of how dependent their companies have become on IT, and they are paying closer attention than ever before to its workings, even more so than they did during Y2K, according to Richard Nolan, a business professor at the University of Washington. At the same time, computer crashes, denial-of-service attacks and the need to automate compliance with new government regulations have heightened their sensitivity to IT risk and the need for board-level scrutiny. "There are so many opportunities where things can go wrong for CIOs," says Bob Weir, CIO of Northeastern University in Boston. As if managing a company's central nervous system wasn't enough responsibility, CIOs have become stewards for an enterprise's information assets and, in some cases, for as much as 60 percent of its capital spend, according to Nolan.

In recognition of that, a handful of companies - including FedEx, Procter & Gamble and A&P - have established subcommittees of their boards devoted to overseeing business-critical IT projects, new technologies and internal controls. And even those boards that don't yet have a subcommittee devoted to IT are more closely scrutinizing its operation through other committees.

The trend toward board-level IT oversight may sound threatening to CIOs, especially since it's largely being driven by negatives such as risks and regulation. And it is true that since the majority of corporate directors are current or former CEOs and financial types, they don't always know a great deal about the costs, risks and benefits of implementing technology. Therefore, some board members may lack the qualifications to ask the right questions about IT. In some situations, they might focus too heavily on cost issues and not be able to help their CIO evaluate, say, whether he or she has a sound program in place for training sales staff on a new CRM tool to ensure that the deployment doesn't tank.

Yet, many IT executives are discovering that board scrutiny can be of benefit to them. CIOs whose boards pay attention to IT say it gives them greater visibility within the enterprise, puts IT on a level playing field with other functions represented by board-level committees - such as finance and HR - and provides support for evaluating projects, risks and investments. CIOs such as DTE Energy's Lynne Ellyn and FedEx's Rob Carter say executives who don't have such board-level attention should push for it, either through the audit committee or through a separate IT oversight committee.

"There's a lot of wisdom in the boardroom," Ellyn says. "Being able to get advice from board members on how to manage consultants and how to do the cultural change pieces of a big project is invaluable."

Page Break

Why Boards Have Suddenly Discovered IT

Boards first began paying attention to IT in the years leading up to Y2K, according to Ann Senn, a global leader of CIO Advisory Services at Deloitte Consulting. Y2K remediation was the first major IT project that caused companies concern at the highest levels. Boards wanted to know where they had Y2K risks and what their organizations were doing about it.

It was Y2K that put Northeastern's Weir in touch with Donald Kramer, a Northeastern board member and then-chairman of the audit committee assigned with Y2K oversight. Weir worked closely with Kramer in planning and executing Northeastern's Y2K conversion; to this day, they meet once a year for dinner.

While Y2K turned out to be anticlimactic, boards have had good reason since then to keep tabs on IT, and their oversight has only grown more intense. First, Y2K spurred a great deal of spending that many CEOs and boards ultimately came to view as excessive. Then (in short order) came the US recession, with its focus on cost-cutting; the security concerns sparked by the terrorist attacks of 9/11; and now Sarbanes-Oxley, with its emphasis on internal controls, and the role that IT plays in ensuring the accurate and timely reporting of financial information. The many failures associated with complex IT projects are additional reasons why boards are paying attention to IT, according to University of Washington's Nolan, who has helped set up IT oversight committees at Novell and A&P. Boards would like to avoid the fate of companies such as AT&T Wireless, Nike and Cigna, who were sued by shareholders after highly publicized IT blow-ups.

"These are the kinds of things that can't be swept under the rug if they're mismanaged," Nolan says. "They're directly affecting shareholder value."

How Boards Bone Up on IT

FedEx created its IT oversight committee in 2000 at the behest of CEO Fred Smith. Judy Estrin, a long-time FedEx board member and chair of the committee, says Smith recognized IT's strategic importance to his company and pushed to give IT board-level visibility.

She and FedEx executive vice president and CIO Carter say the committee was also created in part to address the fact that the audit committee couldn't give systems-related questions appropriate attention with all the other financial matters they needed to discuss during their meetings. Carter says Smith's creation of a separate subcommittee devoted to IT was prescient given the fact that audit committees are so focused today on implementing all the governance and control mechanisms for Sarbanes-Oxley. "[Members of the audit committee] really don't have time to dive into all the details of system support issues and opportunities to make systems better," he says.

Not surprisingly, the companies that have created IT oversight committees - FedEx and Procter & Gamble, for example - live and die by IT. They spend boatloads of money on technology, and their CIOs are among the most well-respected in the industry. But separate IT oversight subcommittees are not for every company. (For more information on whether to establish a separate IT oversight committee or to govern through the audit committee, see "Who Does the Watching?"

Many boards that have yet to create separate IT oversight committees are adding outside CIOs to their ranks to help them assess their IT investments and guide their own CIOs. In 2002, CIO (US) identified three non-technology companies that appointed sitting CIOs to their boards of directors. The following year, three times as many non-technology companies elected current and former CIOs to their boards, including department store chain Dillard's, Yankee Candle, Green Mountain Coffee Roasters, Hershey Foods and Mellon Financial.

Alan Rosskamm, chairman and CEO of arts and crafts supply retailer Jo-Ann Stores, recruited Office Depot's CIO, Patricia Morrison, to his company's board in 2003 for her IT experience. "I was hoping to bring someone on the board who was knowledgeable enough about IT to ask the appropriate strategic questions about the application of technology in our business," Rosskamm says.

"Patty was absolutely a perfect fit," he adds.

Page Break

The Benefits of Board-Level Oversight

Companies are not creating IT oversight committees because they have lost confidence in their CIOs. On the contrary, board-level technology committees ensure that IT is given the attention that's due to such an important (not to mention costly) function. "When you make IT an official committee of the board of directors, you put IT on an even playing field with other important aspects of the business, like finance and HR, that are served by board-level committees," says FedEx's Carter. "Any CIO should be striving for that kind of visibility with the board."

John Crowther, vice president and CIO of Diebold - a maker of ATMs, security systems and electronic voting stations - agrees that board-level attention to IT gives the function credibility with the business. He regularly attends board meetings as a member of the senior management team. "The recognition of IT at a board level naturally cascades across an organization," Crowther says. "When the business-at-large sees the board and executive team giving time and attention to information technology, they know it's something they have to take seriously."

In addition to the visibility, board-level attention to IT ensures lockstep alignment between IT and business strategies. Farrow, of the Chicago Board of Trade, claims that his project completion rate is substantially higher than industry averages and attributes successful deployments to his presence at monthly board meetings where he participates in discussions of business needs, priorities and technology solutions. For example, when it came time for the Chicago Board to convert its electronic trading platform earlier this year, Farrow received a lot of guidance from his board regarding the features and functionality he should be looking for in a new system - as well as key milestones for testing, deployment and training traders on the new system. Because of the board's input, Farrow says he was able to deliver - on time and under budget - a dynamic trading platform that has boosted the exchange's trading volumes.

In effect, Farrow's board helped him share responsibility for such a complex and risky project.

Similarly, at FedEx, where Carter is currently deploying a new series of handhelds to 40,000 FedEx ground contractors and its courier workforce, the CIO says his board helped him navigate such important decisions as selecting the right platform, operating system and wireless network. Its members also helped him think through the security issues.

"I think Rob sees us as an asset, another set of eyes and ears and brains focused on making FedEx successful," says Estrin, chairwoman of the oversight committee. "If we ask a question that makes him realize that maybe he hasn't thought through something, he sees that as a benefit."

Of course, not all boards have the technology expertise that Carter's IT oversight committee has. While some CIOs will privately admit that there are negative aspects to board-level oversight, they won't say so for the record. "No one is interested in smoking their CEO's board," explains Stephen Mader, president and CEO of executive recruiter Christian & Timbers.

Indeed, Carter says he realizes that the board's involvement in his area means that he and his IT staff have to be on their toes. "With this level of board visibility, we have to be sharp. We have to be accountable. We have to make this stuff work," he says. "[The IT staff] understands that their key projects will be reported to the board of directors, which certainly creates a higher level of accountability, and that's a good thing for the organization."

Page Break

How to Make the Case for Board Oversight

If your company's board does not currently attend to IT in a formal fashion and you think it should, DTE's Ellyn suggests you should state your case to your CEO. For example, Ellyn advises CIOs to talk up the benchmarking opportunities that often come from having a relationship with a board member who can tell you about his own organization and introduce you to people inside his company to share best practices.

Recently, Ellyn and some of her colleagues at DTE spent an entire day at a company where one of DTE's board members works. The purpose of the visit was for DTE executives to learn this company's process for implementing a consolidated financial system so that they could better manage a similar project, called DTE2, in their own company. "We really got an in-depth look at how they did what they did," says Ellyn. "It helped us understand what it took for them to be successful. We learned some of the rough areas that they had experienced and what they might have done differently, and we've incorporated those lessons learned into our own thinking about this project."

Ellyn also advises CIOs to emphasize the ways in which access to board members will help them think through their IT strategies for project deployments. She says advice she's received from her board about vendor partnerships and business buy-in has helped her keep financial consolidation on track. Specifically, her board recommended that DTE Energy maintain control of the project and not outsource it to an IT services firm to foster a sense of commitment to the project within the enterprise. Board oversight also helped Ellyn recruit a key business sponsor - the senior vice president of operations - to the executive team leading the project. "The members of the board knew that that was key to success," she says.

Another way to convince your CEO of the importance of establishing an oversight committee is to discuss the size of your company's IT spending budget and how those dollars directly support the business strategy and direction. Also, make sure your CEO understands the extent to which your company relies on technology both in day-to-day operations and as a competitive advantage, and how the board really needs to pay attention to IT in the context of corporate governance given the challenges associated with major IT projects and security risks (see "The Business Case").

Deloitte Consulting's Senn remembers a CIO at a manufacturing company who had embarked on a campaign to educate his board on the importance of IT. This CIO complained to Senn that the board paid more attention to his company's investment in its new corporate office than it did to IT - even though IT spending at his company had topped $US1 billion and the new office building cost a fraction of that. Over the course of several board meetings, the CIO had made an extra effort to explain where IT was spending its money, what it was spending on, why it was spending that money and the value the business was getting from it. As a result, his board is now paying more attention to IT as a way to add genuine value to the business and no longer views it simply as a cost centre.

Page Break

Schmoozing the Board

Once you've obtained access to the board, it's a good idea to get to know individual board members outside of their mahogany-panelled chambers. Some CIOs suggest taking advantage of corporate social functions such as holiday parties to meet board members. But whether you're meeting them for the first time at a company picnic or speaking to them after the occasional board meeting, position yourself as a resource. Ellyn and Northeastern's Weir say that interaction between CIOs and board members is a two-way street. It's not just about the CIO going to a board member for advice; it's about the board member asking the CIO for insights about the company's performance, operations and IT strategy. By talking with the CIO, the board member also gets a better idea of the quality of the executive staff.

To improve this relationship, Ellyn has gone so far as to cooperate with DTE Energy board members who also serve as trustees for local charities by asking someone from her department to assist one of those charities with its IT problems. Serving on the boards of local charities with some of her company's board members is another way she's increased her level of interaction with various DTE board members. She recently had dinner with three of DTE's board members after a board meeting and says that over the course of the dinner conversation, she learned firsthand which aspects of corporate strategy and which DTE Energy businesses those board members were most interested in. She says speaking with them one-on-one has given her a much better handle on the board's priorities.

As beneficial as relationships with board members can be, they can prove tricky to navigate politically - especially if you're not a member of the executive management team the way Carter, Farrow and Ellyn are, or if you report to the CFO. Weir keeps his boss - Larry Mucciolo, the chief administration and financial officer at Northeastern - in the loop of every conversation he has with his friend and Northeastern trustee, Donald Kramer (even if they're just talking about their kids). "I always tell my boss every time I talk to Don. It's common sense and good relationship management. I don't want anybody to think there's hidden agendas," he says.

Because Weir (who has been with Northeastern for six years) is not a member of the senior management team and only attends board meetings about twice a year, having an ally on the board has been instrumental in obtaining funding to relocate his machine rooms from the basement of a 1940s building to a more secure location. And because Weir's board-room buddy also happens to be chairman of the finance committee, he has an advocate whose opinion his boss values.

"A good board relationship, not to mention a good relationship with one's boss, can go a long way toward a CIO's career longevity," Weir concludes.

SIDEBAR: Fun with Boards

While your board is boning up on IT, you can bone up on boards. Check out the Web site www.theyrule.net for an interactive presentation of who serves on which boards where.

SIDEBAR: Who Does the Watching?

Only a handful of companies have established separate subcommittees of their boards in charge of IT oversight, but many boards keep tabs on IT spending and the progress of major IT projects through the audit committee. Judy Estrin, a long-time member of FedEx's board who chairs its IT Oversight Committee (ITOC), says separate ITOCs are worth looking into for large companies that spend a lot of money on IT. Conversely, she doesn't think technology companies need separate IT oversight committees because their boards are always talking about technology. She should know; she's also the president and CEO of Packet Design Management, a developer of network appliances. Companies (unlike hers) where IT is not a competitive differentiator but simply provides back-office processing should make sure that their audit committees are looking at IT security and the 404 processes associated with Sarbanes-Oxley, she says.

Another consideration when deciding whether or not to establish an ITOC is the current composition of your board and whether any of its members possess IT expertise. "Sometimes you just have one board member who's into technology, and they can have their own meetings with the CIO. And you don't need a committee," Estrin notes.

SIDEBAR: The Business Case

Three very convincing arguments for board-level IT oversight

• The extent of corporate IT spending To convince your CEO or CFO that your board should be more concerned with technology, tell them exactly how much money the company spends on IT. But don't just throw the number on the table. If your company has never evaluated its total IT spending, the figure may frighten your higher-ups. Discuss the tally in terms of how it enables the corporate strategy and the return the company is seeing from it.
• The company's dependence on technology Pick a couple of key business processes and explain how and where they are enabled by technology. Describe how your company could suffer if a key IT enabler of that process failed as well as how your company could benefit from increased automation. The degree to which systems support business processes will also help explain the size of your company's IT spending.
• The role of IT in Sarbanes-Oxley compliance Financial reporting, access to data and data integrity require effective information systems. "You can't separate the increased focus on governance and controls from systems and information technology," says John Crowther, vice president and CIO of Diebold. "Going forward, they'll be even more tightly linked. Therefore, it's important to have someone address the executive committee and the board on the performance of those systems and their ability to meet the various requirements of Sarbanes-Oxley," he says.