Alan Calder on IT Governance, information security & ISO 27001

Warren Buffet encourages boards to develop meaningful penalties for executives who fail to fully and personally own risk control in their business.

He is, of course, right. In the UK, the Combined Code expects directors and the board to own risk and provides, in the Turnbull Guidance, comprehensive guidance on what is expected.

My impression is that, in the US, the CEO gets stratospheric compensation - and, the bigger and more complex the business, the more s/he gets paid. It seems wrong that the shareholder should stump up the funds for an acquisition, should see their investment savaged if the deal goes sour, have no real control over the acquisition strategy, get to pay the CEO more and more, but for there to be no real penalty for the CEO when s/he screws up - and being forced out with a big compensation package is no penalty.

While I’m probably more interested in governance than the average person, I do sometimes worry that contextualising information and compliance challenges as governance issues can delay organisations from taking the obvious, common-sense action.

This intelligent article on mobile security governance, for instance, identifies all the steps that organisations should take in considering risks to data posed by the mobile network. See how far you have to read through it before you find guidance to apply encryption to key mobile devices - all laptops and any USB sticks or PDAs that carry sensitive information. The sensible approach is to first apply encryption, which deals with the largest number of mobile device-related risks while keeping you within regulatory requirements, and then to stop and consider what other risks might need mitigation.

You don’t want to have to tell 1,000s or millions of customers or members of staff why someone leaving a laptop at the busstop has exposed all their personal details to fraud and identity theft. Explaining that you were considering the range of risks before deciding what action to take is likely to elicit the same sort of response as a UK MP explaining that their inappropriate expense claims were ‘within the rules’.

It’s great that Hector Sants has said that “delivery of supervision has to be done in partnership with responsible firms, shareholders and auditors.” (It’s a pity that Sants is inconsistent, but that’s another matter.)
The thing is, he’s not exactly saying anything new. I summarised the current position last year in my book on Corporate Governance (the square brackets are my current interpolations):

Institutional Shareholders

The Combined Code [UK Combined Code on Corporate Governance – in place for 10 years] also requires institutional shareholders to interact proactively and objectively with the companies in which they are invested. There are three main principles for institutional shareholders to observe: 

1. Institutional shareholders should enter into a dialogue with companies based on the mutual understanding of objectives. (E.1)
2. When evaluating companies’ governance arrangements, particularly those relating to board structure and composition, institutional shareholders should give due weight to all relevant factors drawn to their attention. (E.2)
3. Institutional shareholders have a responsibility to make considered use of their votes. (E.3)

The Combined Code explicitly recommends that institutional investors should not accept a ‘box-ticking’ approach to corporate governance, and that their consideration of disclosures made by the company in relation to the Code should take into account the “size and complexity of the company and the nature of the risks and challenges it faces” (supporting principle to E.2)

The Combined Code recommends (supporting principle to E.1) that City [ie investing] institutions should follow “The Responsibilities of Institutional Shareholders and Agents – Statement of Principles”, which were drawn up by the Institutional Shareholders’ Committee (ISC)^[1], whose associations represent virtually all UK institutional investors.

The principles were the first comprehensive statement of best practice governing the responsibilities of institutional shareholders and investment managers in relation to the companies in which they invest. 

“They aim to secure value for ultimate beneficiaries – pension scheme members and individual savers – through consistent monitoring of the performance of those companies. This is to be backed up by direct engagement where appropriate.  The principles make it clear that if companies persistently fail to respond to concerns, institutional shareholders and investment managers, ISC members will vote against the Board at general meetings.

The principles set out best practice for institutional shareholders and investment managers, under which they will:

· Maintain and publish statements of their policies in respect of active engagement with the companies in which they invest;
· Monitor the performance of and maintain an appropriate dialogue with those companies;
· Intervene where necessary;
· Evaluate the impact of their policies; and
· In the case of investment managers, report back to the clients on whose behalf they invest.”^[2]

What’s the reality? 

The reality is that active shareholder engagement has – in both London and New York - been extremely limited; after all, the management fees they were earning from ignoring the real risks being run by the companies in which they were invested supported an exciting personal life style. The real victims are the ordinary folk who fell for the polished pitch of the fund managers, who sold so effectively the idea that managing cash is so difficult and complex that ordinary people can’t do it. (An ordinary person said, on a panel interview programme here a couple of weeks ago: ‘I can’t run a bank; can I get a £695k pa pension?’). It’s all very well asking the institutional investors to exercise their governance responsibilities responsibly, but they too have their fingers in the till.

So, isn’t it time we taught basic financial risk management to ordinary people? I know this might require breaking the centuries-old link between financiers and politicians, but perhaps that might start a move toward a society in which those who produce the cash don’t have it conned out of them…..sorry, that’s a bit hopeful…

As I see it, those organisations that survived 2008 are only going to get through 2009 if they manage cash really carefully. Cash management is only useful if it takes into account the full range of possible risks faced by the organisation. Simply hanging onto cash, not paying creditors and avoiding all expense and investment, is not the same as managing cash - because, even in a recession, there are business opportunities and growth prospects and those organisations that manage their cash effectively are able to prepare themselves to handle the range of possibilities - both on the upside and the downside.

Effective risk management tends only to happen in well-governed organisations; where risk management has failed (such as in our banks, the Big Three auto manufacturers and so on) it doesn’t take long to spot that their governance framework must also have been ineffective - not least if the organisation has had to beg for a support package from central Government.

I think that governance and risk management are going to be key themes in 2009 for the world’s better organisations; for all the rest, those for whom governance is just about box-ticking, 2009 will bring much more  box-ticking, because regulatory authorities are not going to allow a repetition of 2008’s ‘perfect storm’, which means that compliance requirements are going to increase.

Of course, box-ticked governance will still be the poor relation of more constructive, fully engaged governance and risk management models that boards - under the guidance of an independent Chairman - deploy to manage the risks faced by the organisation in the difficult economic climate we all face this year.

I kind of hope that those organisations that eschew proper governance will go bust quickly, and get out of the way of the rest of us.

The Top Ten Predictions for Green IT in 2009 are based on Gartner’s view that the combination of economic meltdown and Obama’s commitment to eco-friendly policies will drive a signficant increase in Green IT activities and investment in 2009. Our recent Best Practice Report (Green IT: Reality, Benefits and Best Practices) focused on the economic benefits that corporations can derive from embracing Green IT - not just in terms of customer take up (and, frankly, I suspect that a ‘green label’ won’t attract much of a price premium in recessionary economies - watch organic farmers, for instance, reduce their organic output to match the reduced budgets of their customers) but, far more importantly, in terms of cost-reduction. Green IT in 2009 will be interesting to boards of directors because of the opportunity for significant reductions in power and utility costs.

Some evidence is emerging that that ISO/IEC 38500, the best practice standard for IT governance, is catching on. We’ve certainly seen steady demand for copies of the ISO38500 standard itself, as well for the ISO38500 Pocket Guide and, more importantly, the ISO38500 IT Governance Framework Toolkit.

Regarding Liken’s survey, Rowlands says, “We were impressed by the strength of support for ISO/IEC: 38500. Against the unfolding economic panorama, could it be that this is a more suitable measure of corporate IT governance and a catalyst for sound asset management?

“Cost savings and efficient usage seem now to be the primary drivers as organisations place a greater emphasis on controlling software and hardware usage rather than managing inventory and licensing.”

“ISO38500 is a catch-all IT governance standard and it’s much more attainable for a lot of businesses and it will give the directors of those businesses a sense that they are doing things the right way.”

In a nutshell, ISO38500 provides practical, straightforward guidance for directors as to how they should go about ensuring that their IT operations are doing the right things - and doing the right things, cost-effectively, is going to be a critical component for all organisations of surviving the tough economic conditions that we are currently experiencing.

The essential difference between the US and the UK models of corporate governance is that, in the UK, there is a clear understanding of how board rooms work combined with a flexible, principles-based approach while, in the US, corporate governance is essentially an expensive compliance activity that gives CEOs a level of autonomy that allows them, sooner or later to wreck their companies - and the economy.

The usual situation, in a US-listed company, is that the CEO is also the Chairman of the Board; in the UK, this is highly unusual and, whenever it happens, there is a furore amongst investors and in the press.

The usual practice, in the UK, is that the board is chaired by an independent director, who is usually non-executive and who is genuinely independent - and it is recognised that, once a Chairman has been in situ for too long, he (or she) ceases to be independent. The CEO - however mighty, however well-rewarded - reports to the Chairman and, when the CEO fails in his role, the Chairman is responsible for ensuring that appropriate action is taken to ‘drop the pilot.’  The UK board is made up of a majority of independent directors and, in larger companies, there will usually be a recognised ’senior director’ whose role it is to ensure that the Chairman doesn’t ‘go native’ and who would be expected to lead the board’s annual review of the Chairman’s performance.

US CEOs talk of themselves serving ‘at the pleasure of the board’; of course, this doesn’t really mean much as it is usually the CEO who chairs the board which, itself, is usually made up of ‘outside’ directors with whom the CEO has personal relationships. CEOs of US American companies are therefore usually in place for far too long and, because there is no genuinely independent control over their compensation packages, are hugely overpaid. (I’m never that impressed by a CEO offering to take a $1 salary for a year - it would be so much more impressive if he also volunteered to return 50% or more of the previous year’s multi-million dollar over-compensation to the company.)

While the UK corporate governance model doesn’t always protect UK shareholders from incompetence or stupidity on the part of their boards, it does at least help UK companies avoid a situation where their CEOs turn up in Parliament with a begging bowl, having flown there on parallel private jet flights. One would have thought that any Chairman worth his or her salt would immediately have sacked a CEO who is so far removed from reality that, when asked the direct question on camera about whether they would immediately dispose of the private jet and return home by commercial airline, he couldn’t even come up with a plausible response.

And, while the world has clearly been living beyond its means for far too long, it’s also clear that the US cult of the CEO ego is right at the heart of the huge, ill-considered, crazy bets that their companies have taken - and as a result of which we all now face a long, hard few years.

The US now needs a corporate governance code that resembles the UK’s Combined Code; in the UK, in the meantime, we need to get on with improving our own performance. We also need institutional shareholders tough and determined enough to insist on board changes when their boards are destroying the investments for which they have a fiduciary responsibility.

I think it’s a great pity - but clearly unavoidable - that the FSA has arrived at the view that it will have to fine individual board-level executives of retail banks if it is to get them to take adequate measures to protect customers’s information. I think this is excellent news - particularly the clear statement that ‘FSA wants to avoid executives palming off overall security responsibilities onto the IT department. Chief executives, compliance officers and board-level IT directors could all be held responsible.’

One would have thought that banks might have spotted that protecting customer information might be a fundamental part of customer care in this identity-theft age but, then again, I guess we might have expected banks to have spotted that it might not make sense to lend someone of limited income 130% of the already-inflated value of a house. 

A number of UK banks have been - or are about to be - taken into public ownership. The UK government doesn’t exactly have a great track record (eg HMRC, MOD, etc) when it comes to protecting personal data, either. So we have to hope that the FSA will have the courage to fine the government-appointed directors of nationalised banks where they fail to ensure their organisation takes adequate steps to protect personal data - or the protection of personal data in the UK will just become even more difficult.

When financial markets appear to be in free fall, many organisations might think that data protection is the least of their worries. Who cares, they might wonder, about protecting personal data if tomorrow we might not exist any more? (And, from what we’ve seen over the last few weeks, the ‘might not exist tomorrow’ possibility should be a very real planning scenario for all but the world’s best-capitalised banks).

Well, in the UK, the Information Commissioner is unlikely to cease caring - already identified as “setting the political and administrative agendas for the protection of personal data in this century in the UK” and for “firmly disciplining politicians, civil servants, the media and business folk into line”, he’s unlikely to allow data protection to take a back seat at exactly the moment that spammers are expected to take advantage of bank buyouts to launch new phishing scams.

However, we’re talking here about banks who were unable to identify or adequately manage some rather more obvious risks to their business (like, if you lend someone 130% of the value of his collateral, and if his current cashflow is insufficient to pay the interest let alone repay the principle, how do you expect to survive?) than those around personal data. So, if you’re a bank customer, it might not be wise to hope that, in the midst of all this turmoil, your personal data will be adequately protected. The facts speak for themselves: US organisations are on track to report at least 680 data breaches by the end of 2008, affecting more than 30 million records.

It is clearly the case that, with personal data, one can only rely on oneself to protect it!

I watched the Congressional clash of ideology and pragmatism play itself out in the US stockmarkets yesterday and through Asia overnight.  While I’m not entirely clear on the point of a vote that avoids spending $700 bn but triggers a $1 Trillion stockmarket slide, I am clear that the financial disaster will negatively impact the real economy. Even though this month’s Fortune magazine argued that, in the real (US) economy, there was no evidence of a recession, I can’t see how a combination of restricted credit, devalued assets, deleveraged businesses, increased unemployment, and reduced output can translate into anything other than a downturn.

While I largely agree with the analysis in this blog: Impact of the Economic Crisis on Security, I do think that Boards and IT management teams have it within their power to avoid the traditional knee-jerk response to a crisis, which is usually to cut investment, cut training, and cut corners. The key strategic fact is that IT is now fundamental to both survival and success - and, in a tougher economic climate, those organisations that more effectlvely leverage their information and IT investment are likely to be those organisations that are still standing at the end of the shake out. Of course, I’m only talking here about those organisations that have a living, breathing enterprise risk management framework - as we’ve seen, those who substitute hope for objective risk management get to go bust.

Put another way, effective IT governance will, in many instances, be the difference between success and failure.