Corporate governance and IT (and, by extension, technology) is a sprawling area, with ever more requirements arriving from legislation, stakeholders, customers and consumers. The simple question is: what is corporate governance as it relates to IT and technology?
Corporate governance in relation to IT (and technology) is the set of methods and processes that a person or group of persons (typically the board of directors, executives, or IT leaders) uses to direct, manage, control, and validate the company's activities in relation to its IT infrastructure and systems, as well as its technology development. This is done to ensure alignment with business goals, optimise resources, align strategy, and, most importantly, manage risk. It includes activities such as understanding security and privacy, IT procurement, general IT management, development and engineering. These activities interact with other cross-functional areas, including HR, finance, quality assurance and control, and sales, which means that IT or technology governance cannot be looked at in isolation.
Effective IT and technology governance is not only necessary to reduce the potential harm and risks presented to the company (and, by extension, to its shareholders and directors); it can also be your company's advantage over its competitors.
In its simplest form, it is a repeated process that forms a governance lifecycle:
- Determine what needs to be controlled (requirements gathering).
- Set the direction through policies (policy authoring).
- Implement the policies through processes and procedures.
- Validate the implementations (via audits, questions, investigations).
- Adjust the policies and repeat.
Determine what needs to be controlled
This initial step involves identifying the key areas within the IT infrastructure and systems that need to be managed and controlled. This could include data security, software development, network management, technology procurement, service contracting, and other areas. The requirements are typically based on business goals, legal requirements, and risk management strategies.
Some of these will be easy to identify; others will require a finger on the pulse of the wider technology and IT landscape to spot trends. The easy ones are typically the requirements that come from your vendors, suppliers, and clients; these groups of stakeholders can be very vocal about what they expect. Slightly more difficult to identify are the requirements that come from regulations; these may not be obvious and require industry experience and knowledge. The most difficult are the activities that the business already performs but currently has no controls in place for.
Set the direction through policies
Once the requirements are identified, the next step is to establish policies that set the direction for how these areas will be managed and controlled. These policies provide a clear framework for what is expected and how the requirements will be met. They should be flexible enough to allow the specifics of the implementation to vary. The creation of policies needs to balance:
- risk,
- strategy,
- goals,
- culture, and
- alignment.
A recent (2024) example of this is the rise of AI-based chat agents to augment work. All businesses need policies in place on how such agents may be used, what data is permitted to be used with them, and how stakeholders are told when an AI has been used. The extreme positions are:
- Prohibit the use of any AI agent, or
- Completely free use of any AI agent without any guard rails.
Depending on your organisation and its risk profile, it would be prudent to consider how you would iterate through a governance lifecycle to balance the risks and the potential advantages of using an AI agent.
Implement the policies through process and procedures
After the policies have been established, they need to be implemented. This involves developing procedures that align with the policies and ensure that they are followed. This could involve training staff, investing in new technologies, or restructuring certain business processes.
The formalisation of the Three P's (Policy -> Process -> Procedure) reflects how the terminology generally becomes more specific, and the wriggle room for interpretation shrinks, the further to the right the document type sits. This may also be where you need to capture an existing business activity: start from the existing process (or procedure) and consider whether a policy is required. Not all activities need to be controlled by a policy, and not all policies need a process or procedure associated with them. But every policy needs a way for the responsible stakeholders to validate that it is working as expected.
Validate the implementation
Validation is an often-missed step. With the more technical policies, non-technical stakeholders frequently assume that the technical teams have implemented them as expected and that everything is fine. But the technical implementation may not meet the expectations, or the wording in the policy may be too open to interpretation.
For example, the policy may state that MFA is required for all services, but the technical team implements MFA in a way that challenges a user only once, or only when they log into a computer. Depending on your risk profile, or the requirements from the stakeholders, this may not meet the expected requirements. You may have expected that users are challenged every time they log into a specific program, or that they must complete MFA when they try to perform certain actions.
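As an added illustration of the MFA validation described above (example code, not from the original article): a check over constructed authentication events that reads the same policy wording two ways, once per user session and once per service login, and reports the logins that lack a recent challenge under each reading. The user names, service names, log format and the five-minute challenge window are all assumptions.

```python
"""Validation check for an 'MFA is required for all services' policy.

Constructed sample: authentication events from an imaginary identity
provider, one dict per event (not real data). A login is compliant only
if an MFA challenge for the same user was recorded within MFA_WINDOW
before it. Under the per-service reading, the challenge must also be for
the same service; under the per-session reading, a challenge for any
service (e.g. the workstation) covers later logins.
"""
from datetime import datetime, timedelta

MFA_WINDOW = timedelta(minutes=5)  # assumption: challenge must be this recent

# Constructed sample log (not real data); deliberately not in time order
EVENTS = [
    {"ts": "2024-05-01T08:00:00", "user": "alice", "event": "mfa_challenge", "service": "workstation"},
    {"ts": "2024-05-01T08:00:05", "user": "alice", "event": "login", "service": "workstation"},
    {"ts": "2024-05-01T08:02:00", "user": "alice", "event": "login", "service": "email"},
    {"ts": "2024-05-01T09:30:00", "user": "alice", "event": "login", "service": "payroll"},
    {"ts": "2024-05-01T09:29:50", "user": "bob", "event": "mfa_challenge", "service": "payroll"},
    {"ts": "2024-05-01T09:30:10", "user": "bob", "event": "login", "service": "payroll"},
]


def check_mfa_policy(events, window=MFA_WINDOW, per_service=True):
    """Return (user, service, ts) for each login that violates the policy.

    per_service=True reads the policy as 'every service login needs its own
    recent challenge'. per_service=False is the looser reading, where any
    recent challenge for the user (e.g. at workstation login) counts.
    """
    violations = []
    last_challenge = {}  # key -> datetime of the most recent challenge
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort lexically
        t = datetime.fromisoformat(e["ts"])
        key = (e["user"], e["service"]) if per_service else e["user"]
        if e["event"] == "mfa_challenge":
            last_challenge[key] = t
        elif e["event"] == "login":
            last = last_challenge.get(key)
            if last is None or t - last > window:
                violations.append((e["user"], e["service"], e["ts"]))
    return violations


if __name__ == "__main__":
    print("per-service reading:", check_mfa_policy(EVENTS))
    print("per-session reading:", check_mfa_policy(EVENTS, per_service=False))
```

The two readings flag different logins from the same evidence, which is exactly the gap between the policy's wording and the team's implementation that validation is meant to surface.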
In addition to validating the implementation itself, it is also important to validate that the implementation meets the requirements that were initially identified. This involves reviewing the outcomes and results of the implementation and comparing them with the outcomes expected from the requirements. Any deviations feed into the next step of the lifecycle.
Adjust the policies
Based on the results of the validation, the policies may need to be adjusted. This could involve changes to the policies themselves, or to the procedures used to implement them. Once the adjustments have been made, the process starts again, creating a continuous cycle of improvement.
Without careful consideration, this can also produce a tick-tock cycle in which the policies bounce from one extreme of too much control to the other extreme of little or no control. There may also need to be provisions or carve-outs so that the policies grant exemptions where necessary, and so that the need for greater controls is protected where it applies.
