Governing Programmes and Projects

The emerging demand for business project audits

Posted in Governing Programmes and Projects on July 27th, 2009 by Raymond Young

Boards appear to be genuinely interested in improving their performance [i]. They are also looking for guidance on IT issues but (a) their experience with IT advisers had been disappointing [ii] and (b) ‘best-practice’ had been found to be of little practical utility with no consistent impact on success [iii].

However, new governance Standards (ISO38500, AS8016, HB280) are emerging that address board-level concerns and are focused on the realisation of above average returns. Within Australia, because of the large investments in IT, effective governance of projects could lead to 1-3% increases in GDP. It will be a major breakthrough if boards start to follow these guidelines and require business process audits as part of the regular governance process.

The leading indicators of change might be:

  • appointment of board members with IT experience,
  • business project auditing being offered by major consultancies,
  • widespread adoption of the new governance Standards,
  • the term ‘business projects’ entering into the common business language,
  • significant negative press over new project failures.

These suggestions were originally presented at an ISACA professional development session in Sydney on 14 March 2007. The slides can be seen by clicking on the link below.


[i] R. Leblanc and J. Gillies, Inside the Boardroom: the coming revolution in corporate governance (Toronto: John Wiley and Sons, 2005)

[ii] R.C. Young and E. Jordan, “Lifting the Game: Board views on e-commerce risk,” in IFIP TG8.6 the adoption and diffusion of IT in an environment of critical change (Sydney: Pearson Publishing Service, 2002), pp. 102-113

[iii] Raymond Young and Ernest Jordan, “Top management support: Mantra or necessity?,” International Journal of Project Management 26 (2008), 713-725

A brief history of corporate governance

Posted in Governing Programmes and Projects on July 27th, 2009 by Raymond Young

Governance legislation since the Great Crash of 1929 has largely been enacted in response to corporate excess. Arguably, the objective of the legislation has had more to do with reassuring the public than reducing risk.

Most authorities point to the UK Cadbury report (1992) as the source of our modern ideas of corporate governance. The Cadbury report was a reaction to the collapse of BCCI, Polly Peck and Maxwell Communications. Like much of the corporate governance legislation to follow, the resultant Cadbury Code was responding to executive excess.

Australia’s Bosch Report (1995) followed the collapse of Rothwells, Elders, Bond Corporation, Tricontinental, Pyramid and Quintex. The unfettered actions of mavericks such as Laurie Connell, John Eliot, Alan Bond, Christopher Skase are now part of corporate legend.

Governance responses to corporate disasters

| Corporate Disaster | Response | Main Details |
|---|---|---|
| Maxwell (1991), BCCI (1991), Polly Peck (1991) | Cadbury (1992) | Directors' responsibilities include safeguarding the assets of the company and preventing and detecting fraud and other irregularities |
| Rothwells (1986), Elders (1986), Bond (1987), Tricontinental (1989), Pyramid Building Society (1990), Quintex (1990), State Bank of VIC (1991), State Bank of SA (1992), AWA (1992) | Bosch (1995); ASIC (1989); CLERP | Tough penalties against directors who breach their duties of care, diligence or do not comply with the legislation, especially so in relation to insolvent trading |
| Zeebrugge Ferry (1987), Kings Cross Fire, Lockerbie air disaster (1988) | Hampel (1998), Turnbull | Directors should have responsibility for all aspects of control and a duty to establish a robust system of risk management |
| Barings (1995), Allied Irish Bank (2002), NAB (2004) | Basel | |
| HIH (2001), One.Tel (2001), Harris Scarfe (2001), Ansett (2001) | CLERP9 | |
| Enron (2001), WorldCom (2001), Tyco (2001), Adelphia (2001), Qwest (2001), Parmalat | Sarbanes-Oxley (2002) | |
| AWB (2004), James Hardie (2004) | | |

Cadbury in the UK, COSO in the US, COCO in Canada, King in South Africa and Bosch in Australia, marked an end to the old boys club. Directors were made firmly accountable for preventing and detecting fraud. The 1992 AWA case in Australia lifted the stakes further in the Commonwealth countries. The ruling established that the law does not differentiate between executive and non-executive directors with all being equally liable.

Sarbanes-Oxley represents the most recent knee-jerk reaction to the collapse of Enron, WorldCom, Tyco, and so on. Many feel this legislation is deeply flawed and at least one major Australian organisation has delisted from the US stock exchange rather than comply with unnecessary requirements.

The Commonwealth countries have followed a different path with ‘comply or explain’ regimes of corporate governance. The UK’s Combined Code is probably the best example, and represents the maturing of the Cadbury Code following the Hampel, Turnbull and Higgs reviews.

Australia followed a parallel path with the CLERP9 reforms to the Corporations Act (2001) following the collapse of HIH and One.Tel. However, reforms have not been uniform and the resulting regulatory landscape is considered by the Australian Institute of Company Directors (AICD) to be one of the most complex in the world.

There are the ASX guidelines for listed companies, the generic Australian standard AS8000 for all companies, and applied industry guidelines relating to issues such as doing business on the internet (security, privacy and spam). There is also competing and sometimes conflicting legislation at both state and federal levels. This includes the Tax Act and related accounting standards, the Trade Practices Act which is prosecuted vigorously by the Australian Competition and Consumer Commission (ACCC), environmental legislation at state and federal levels that is also prosecuted to make an example of any transgressions, the Anti-money Laundering and Counter Terrorism Act and various conflicting state legislation around occupational health and safety, bullying and anti-discrimination, and so on. The most severe jurisdiction is arguably in the ACT where directors can be imprisoned for up to 20 years for industrial manslaughter.

The legislative line is very punitive with directors and officers assumed to be guilty and needing to prove they have taken every reasonable precaution. A culture of compliance is advocated by the AICD as the best defence.

Impact of the financial crisis on governance

Posted in Governing Programmes and Projects on July 27th, 2009 by Raymond Young

The financial crisis has regulators, governments, and the media focused on economic stimulus. However, tough questions will soon be asked about what went wrong. Ineffective governance will be one of the first targets, and it won’t be just the financial sector that faces increased scrutiny[1].

Few doubt that effective governance has value, but to paraphrase Warren Buffett, “the tide has gone out, and Sarbanes-Oxley for example, looks like it was swimming naked”. Investor confidence has not increased, management accountability is being called into question and the tens of billions spent by boards for compliance have not stopped or prevented the crisis.

For years, as an academic and as a director, I along with many others have been pointing out the flaws of governance only for the sake of compliance. Most governance prescriptions are a response to corporate excesses and enacted to reassure the public, and few prescriptions actually improve performance or reduce risk[2].

Now the tide is out, higher levels of scrutiny must be expected. What will it expose? I believe the corporate governance of major projects will stand out as one of the highest priorities for attention.

Management of large-scale expenditures is a fiduciary duty requiring careful oversight. However, a Deloitte survey of boardroom directors revealed oversight of IT projects was either “blind” (29% with inadequate information) or non-existent (16%)[3]. They warned in 2007 that the results were “tantamount to negligence” and the AICD have long reported statistics suggesting the problem is more widespread[4] (Figure 1). My own research suggests that as many as two out of three projects fail to deliver the expected benefits[5]. Increased scrutiny could reveal the real failure rate. However, what might be worse in the current financial environment is to have two out of three strategic initiatives fail to increase revenue, enhance customer service or reduce cost and threaten survival.

To survive, thrive and also to minimise the governance backlash, the first step must be to get the right information needed to govern effectively. The board bears the responsibility to set clear guidelines and expectations about the kinds of information they want to see filter up. What benefits are being targeted? [how is this consistent with our strategic priorities?] Do we have the organisational capacity to realise these benefits and what other risks are involved? How will we measure success? Do we have the right person driving the change? Are there any warning signs that the project is going off track? Are the benefits being realised? These questions seem simple but none of the directors I have spoken to had an effective process to terminate failing projects. Benefits are usually quantified (66%), but they are often overstated (27%)[6], change is not always considered (40%)[7], individuals are not held accountable (5-23%) and few organisations track benefits through to realisation (10%)[8]. Organisations do not focus on the true determinants of success.

In the absence of guidance, management has turned to so-called ‘best practice’ and focused on efficiency measures such as on-time and on-budget. Unfortunately on-time on-budget reporting was never the most appropriate focus for governance. It is certainly not enough in this new world. Only effectiveness will count because average or below-average performance will not guarantee survival. Above-average performance gained through acceptable levels of risk is the true objective of governance[9], the standard to which the board must aspire and the standard to which management must be accountable. Governance effort for compliance only, even if it is with a so-called ‘best practice’ framework, is a governance luxury we can no longer afford.


References
[1] 2009 Corporate Governance Conference: New Risk, Accountability and Leadership Challenges. Toronto 6-7 May
[2] See related article providing A brief history of corporate governance 15 July 2009
[3] What the Board Needs to Know About IT: Phase II Findings (Deloitte, 2007), http://www.deloitte.com/dtt/article/0,1002,sid=36692&cid=151800,00.html
[4] D. Lovallo and D. Kahneman, “Delusions of success: how optimism undermines executives’ decisions,” Harvard Business Review July (2003): 58
[5] R. Young, “What is the ROI for IT Project Governance? Establishing a benchmark.,” in 2006 IT Governance International Conference (Auckland, New Zealand, 2006)
[6] Chad Lin, Graham Pervan, and Donald McDermid, “IS/IT investment evaluation and benefits realization issues in Australia,” Journal of Research and Practice in Information Technology 37, no. 3 (2005): 235-251
[7] KPMG, “Global IT Project Management Survey: How committed are you?,” 2005, http://www.kpmg.com.au/Portals/0/irmprm-global-it-pm-survey2005.pdf
[8] John Thorp, “Unlocking Value – Delivering on the Promise of Information Technology,” in Delivering Value, 2008, http://www.isaca.org.au/modules.php?op=modload&name=News&file=article&sid=28
[9] F.G. Hilmer, Strictly Boardroom: improving governance to enhance company performance (Melbourne: The Business Library, 1993)

Preparing directors for the governance backlash

Posted in Governing Programmes and Projects on July 23rd, 2009 by Raymond Young

Executive Summary

  • Following the GFC – governance practices will almost certainly be questioned
  • New governance requirements are likely to be introduced
    • Historically new requirements are introduced reactively
    • There is a risk new requirements will not add value
  • We should anticipate these developments
    • It takes longer for management to respond than for the board to ask
    • We should identify the key areas that need to be governed
    • We should check we have effective systems to monitor the key areas, and introduce new mechanisms where necessary
    • Governing major projects is one area worthy of attention
    • New Standards AS8016, HB280 have much to offer.

A backlash against lax governance

The Global Financial Crisis (GFC) will inevitably lead to higher levels of scrutiny. It is likely to expose the high rate of failure of large investment projects. The Australian Institute of Company Directors highlight the problem in a number of modules in their highly regarded Company Director Course:

  • ¾ of mergers and acquisitions never pay off
  • most large capital projects fail to live up to expectations
  • majority of efforts to enter new markets are abandoned in a few years
  • 70% of new manufacturing plants are closed in their first decade

Leading audit firms have commented that management of such large-scale expenditures is a fiduciary duty and imply that current practice, with IT projects in particular, is “tantamount to negligence” [i]. Until now this matter has not received much attention and boards have not been held accountable. The backlash following the GFC is already being felt and the lax levels of supervision are unlikely to be tolerated in the future.

Boards and their advisors are strongly encouraged to implement regimes that will increase the success rates of their investments. The six questions from Standards Australia’s handbook on the corporate governance of projects [ii] are a framework that would make a difference. In the presentation below, some of our early work is presented to suggest how the questions could be implemented in practice.

A version of this article was originally prepared for submission to the Australian Company Director Magazine. The key points were also presented at an ISACA Summit held in Sydney on 31 March 2009.


[i] Deloitte, What the Board Needs to Know About IT: Phase II Findings: Maximizing performance through IT strategy (Deloitte LLP, 2007)

[ii] Standards Australia, HB280 How Boards and Senior Management Have Governed ICT Projects to Succeed (or Fail) (Sydney: Standards Australia, 2006)