Posts Tagged ‘SOX’

The US Corporate Governance Model is Broken

Thursday, December 11th, 2008

The essential difference between the US and the UK models of corporate governance is that, in the UK, there is a clear understanding of how board rooms work combined with a flexible, principles-based approach while, in the US, corporate governance is essentially an expensive compliance activity that gives CEOs a level of autonomy that allows them, sooner or later, to wreck their companies - and the economy.

The usual situation, in a US-listed company, is that the CEO is also the Chairman of the Board; in the UK, this is highly unusual and, whenever it happens, there is a furore amongst investors and in the press.

The usual practice, in the UK, is that the board is chaired by an independent director, who is usually non-executive and who is genuinely independent – and it is recognised that, once a Chairman has been in situ for too long, he (or she) ceases to be independent. The CEO – however mighty, however well-rewarded – reports to the Chairman and, when the CEO fails in his role, the Chairman is responsible for ensuring that appropriate action is taken to ‘drop the pilot.’ The UK board is made up of a majority of independent directors and, in larger companies, there will usually be a recognised ‘senior director’ whose role it is to ensure that the Chairman doesn’t ‘go native’ and who would be expected to lead the board’s annual review of the Chairman’s performance.

US CEOs talk of themselves serving ‘at the pleasure of the board’; of course, this doesn’t really mean much as it is usually the CEO who chairs the board which, itself, is usually made up of ‘outside’ directors with whom the CEO has personal relationships. CEOs of US companies are therefore usually in place for far too long and, because there is no genuinely independent control over their compensation packages, are hugely overpaid. (I’m never that impressed by a CEO offering to take a $1 salary for a year – it would be so much more impressive if he also volunteered to return 50% or more of the previous year’s multi-million dollar over-compensation to the company.)

While the UK corporate governance model doesn’t always protect UK shareholders from incompetence or stupidity on the part of their boards, it does at least help UK companies avoid a situation where their CEOs turn up in Parliament with a begging bowl, having flown there on parallel private jet flights. One would have thought that any Chairman worth his or her salt would immediately have sacked a CEO who is so far removed from reality that, when asked the direct question on camera about whether they would immediately dispose of the private jet and return home by commercial airline, he couldn’t even come up with a plausible response.

And, while the world has clearly been living beyond its means for far too long, it’s also clear that the US cult of the CEO ego is right at the heart of the huge, ill-considered, crazy bets that their companies have taken – and as a result of which we all now face a long, hard few years.

The US now needs a corporate governance code that resembles the UK’s Combined Code; in the UK, in the meantime, we need to get on with improving our own performance. We also need institutional shareholders tough and determined enough to insist on board changes when their boards are destroying the investments for which they have a fiduciary responsibility.

ISO 27001 delivers ROI

Friday, December 22nd, 2006

ISO 27001 is not only about safeguarding corporate information assets – it is also a godsend for organisations struggling to deal with regulatory compliance demands.

SOX, HIPAA, Gramm-Leach-Bliley, SB 1386, OPPA and others generate a welter of often overlapping requirements, which can quickly create a huge drain on management resources. However, ISO 27001 provides a highly effective way of cutting through this burden, resulting in very real efficiencies, as this case study shows:

“My audit preparation time dropped from about 2 months to under two days for the Federal Financial Institutions Examination Council (FFIEC) audit (done by the people who were concerned about SOX controls.)”

“My time spent with the auditors was reduced by 50% over a three week time span.”

Show that to people who question whether getting certified creates an ROI.

SOX webinar

Monday, January 16th, 2006

ISO 27001 is of course an ideal solution for businesses that need to ensure they comply with Sarbanes-Oxley IT control requirements. I’ll be doing a webinar on 25 January in collaboration with Compliance Online to discuss precisely how the standard draws together CobiT, ITIL and ISO 17799 to create the necessary multi-layered solution. Topics to be covered will include:

* Current and future governance and compliance requirements
* The role of enterprise risk management
* Linkages and similarities between state, national and international regulations
* Why the traditional approach to regulatory compliance no longer works
* Business risks arising from legal contradictions, overlaps and loopholes
* Scale and impact on corporate brand, market position and share value of regulatory failure
* Key governance requirements of directors
* Role of best practice frameworks
* Linkage between compliance requirements and best practice frameworks
* Background and history of CobiT, ITIL and ISO 17799 – similarities and differences
* Importance of the CobiT/ITIL/ISO17799 joint framework
* Benefits of deploying this best practice framework
* Critical success factors in deploying this framework

For more information or to make a booking, click here.

WorldCom and IT governance

Thursday, September 22nd, 2005

Final settlement of the WorldCom case, which involved eleven outside directors contributing rather more than they received as compensation for their stewardship of the company and guardianship of the interests of their shareholders, was announced today. The directors’ settlement, announced back in March, involved them paying, between them, a total of $20.25 million from their own pockets – and this is in addition to the amounts paid out to the creditors and shareholders under the board’s Directors’ and Officers’ insurance policy.

What does this mean for corporate governance generally, and for IT governance specifically? Well, it clearly establishes the outside directors of a company as a legitimate, attractive target for aggrieved creditors and shareholders when a company goes bankrupt. Given the increasing extent to which organizations are dependent on IT – and the extent to which a significant IT failure can now impact the long-term competitiveness and viability of any organization – it’s not going to be long before the expectation of transparency around general corporate governance extends to IT governance.

Sure, SOX has already transformed the early awareness of the need for proper IT governance, which was created by the Turnbull report in the UK, into a far more significant board issue. Let’s hope it doesn’t take a significant IT failure, leading to a corporate collapse, before boards really get to grips with their responsibilities. Reality suggests otherwise, though.