IT governance: Where technology and finance part

Eugene Lacey: President Bush will hold 'corporate criminals accountable' and the IT industry is keen to follow the new enthusiasm for governance. Can it?

Corporate governance is much in the news these days. The bursting Wall Street bubble has left gaping holes in pension funds and shattered the public's confidence in buying shares as a way of building financial security for the future.

As one financial scandal after another is uncovered and the sight of chief executive officers being led away in handcuffs becomes a regular item on the evening news, the Bush administration knew it had to act, and act swiftly, to restore confidence in the financial markets.

The White House came up with a ten point plan, a task force to root out corporate fraud, a string of prosecutions and some tough words from the president: "We will hold corporate criminals accountable for their misdeeds, and we will deter corporate crimes by enforcing tough penalties...we're beginning a new era of corporate integrity. Corporate responsibility is essential to America. It's essential to shareholders. It is essential to investors."

The clean-up campaign requires chief executives to take a pledge that they will treat stock options as compensation and fully expense them out of company earnings.

There is some research from McKinsey and others that suggests investors have begun to place significant emphasis on corporate governance.

The technology industry has spotted an opportunity in all the publicity around corporate governance -- with an increasing amount of energy going into the concept of IT governance.

Hewlett Packard recently hosted a round-table discussion in London about corporate governance in IT. Background information handed out to participants states: "Although the link between IT and shareholder value is increasingly understood and quantifiable, investment in technology is particularly vulnerable to market sentiment. Financial pressure has seen companies adopt a more cautious approach to IT. The question for business leaders is to know where, when and how they should invest in technology. Solving this dilemma will have a crucial impact on the performance of business. This is where IT governance comes into play."

But is it where IT governance comes into play? And is corporate governance in IT really the same thing as a tougher regulatory regime to root out what President Bush describes as "corporate criminals"?

Surely if IT governance has a directly traceable impact on company profits, then the lack of it by some recognisable measure ought to be a reason for investors to avoid buying the stock of certain companies.

That is where the analogy with the bursting of the Wall Street bubble and its aftermath falls apart. There is no recognisable measure of IT governance. There are best practices, certification programs for IT professionals, good systems for competitive tendering designed to ensure companies spend wisely, and even BS 7799 (a British Standards accreditation for security professionals), but nowhere are the various elements of a 'correct' IT approach drawn together.

Perhaps there ought to be a recognisable measure, and perhaps it would be a good thing if, for example, institutional investors (the custodians of your pension fund) didn't invest in companies that fail to take proper precautions against viruses, e-fraud, and other threats to their IT infrastructure.

IT professionals are acutely aware of the threats to business continuity and profits of outages and cyberattacks. And if you can have investment portfolios based on environmental concerns, then why not have one based on a preferred IT governance regime too?

But you see the problem. What will the recognisable best practice in IT governance be? Who will decide? What should the penalties be for transgressors? How do you deal with cross-border differences in the legal frameworks covering commerce, security, privacy and a raft of other issues? The finance sector employs compliance officers to ensure institutions act within the accepted rules of corporate governance.

It is hard to see how a compliance regime could apply to IT governance. It is hard enough in finance, with the new tougher US regime creating regulatory difficulties in London. Generally the US favours self-regulation while Europe is more disposed to legal frameworks. In short, a 'one size fits all' plan for global IT governance with a clear notion of compliance and regulation seems a very distant prospect.

Some forward-thinking chief information officers are enthusiastic about IT governance. They see it as a way of getting the business to treat IT more seriously, breaking down barriers between departments, and finding a common language for IT professionals and board members to communicate more effectively.

The debate over IT governance will sharpen executive thinking about the role of technology in business. Its start point is that executives should be accountable for large investments in IT, and it makes it harder for them to delegate and abdicate their responsibilities in this area.

There is no doubt that will be positive for all stakeholders in information technology. But it is less clear how a direct line to "boosting shareholder value" can be drawn from IT governance, and there are ethical pitfalls in attempting to do so. The important debate over IT governance shouldn't hitch a ride on the popular bandwagon of corporate and financial governance. It is not the same thing.
