Couldn't the same arguments for creating a board-level IT oversight committee apply to other functions, such as HR or marketing? Or is IT a special case?
The compensation committee deals with HR issues, so I think that's covered. Marketing and some other areas have moved into the general board discussions and strategy. But IT doesn't get into the conversations in the same manner.
What companies have IT oversight committees? How have they benefited?
I think a lot of companies bring their CIOs into board discussions, or bring on board members with IT expertise. But the oversight committee is a new idea; other than FedEx and a number of boards I'm on, I haven't found many examples. FedEx's IT oversight committee oversees major IT-related projects, technology-architecture decisions, and advises FedEx's senior IT-management team. We are just setting up an IT oversight committee at A&P. We set it up in October, with four members, including myself. The chairman, Dan Kourkoumelis, is a former CEO of the QFC supermarket chain in Seattle, where he was involved in developing a strong IT architecture.
It's too early to say what issues we'll be working on, or the decisions we are making, since we aren't convening until February. We will probably involve most of the board in our early activities, because we look to their advice in ensuring that our charter fits within the overall corporate governance of the company. But we want to ensure that we are getting the proper return on the IT investments that were made, and that we are strategically aware of technologies that might impact us. We also need to deal with the privacy of the information we collect on our customers and to make sure we are securing that information. Our committee has already talked about making sure IT operations will not fail if we lose power or there is a catastrophe such as the World Trade Center.
Can you effectively push for the creation of an oversight committee if you're a CIO?
One of the reasons I'm advocating the oversight committee and calling on boards to take action is because I don't see a mechanism for this idea to bubble up from below. First off, I don't see CIOs being able to engage in discussions with the senior management and the board to do this. It looks like self-promotion. Also, CIOs have been compartmentalized and marginalized in companies. Technology is a subject that makes senior executives' heads hurt. It's hard for them to have these conversations, so there's a natural tendency to avoid them.
So it's not resistance, but avoidance, that might get in the way. If IT oversight committees are going to happen, directors will have to lead the way.
That's right. We're going to have to recognize there's a revolution, and if you don't take action, there's a threat of more legislation like Sarbanes-Oxley that would require companies to provide more disclosure on IT investments, and the risks of these investments. This IT oversight board is the right thing to do for good corporate governance. The sooner it's done, the better it's going to be for companies in general.