By David B. Sidon
At a recent quarterly meeting of the Connecticut Bankers Association’s Technology Committee, comprised of CIOs and IT managers, the consensus and almost unanimous responses to the discussion were “not preferred,” “lack of appropriate expertise,” “we use a management committee process” and “maybe, for educational purposes only.” The question?
Is it time for a board-level technology committee?
As the underlying foundation for banking has transitioned from nickels-and-notes to bits-and-bytes, technology mysteries have introduced a new dynamic and challenge for corporate governance. How can the board effectively understand, strategize and manage technology-related efforts if not fully immersed in the planning and steering efforts? The initial reaction of most CIOs is a “show-me-the-expertise” argument or, stated more sarcastically, “IT steering committees don’t meet to decide whether or not tellers should work on a 13-inch or 17-inch screen; nor should the color-scheme of the Web site be on the agenda.”
But what’s the regulatory expectation? What are the rules? Research on the requirements leads us down the usual fuzzy paths – another argument for a single codified set of banking rules (the IRS as inspiration), albeit a personal pet-peeve subject for another article. Try this:
“Review the membership list of board, IT steering or relevant management committees established to review IT related matters. Determine if board, senior management, business lines, audit and IT personnel are represented appropriately and regular meetings are held.
“Determine whether board of directors and senior management appropriately consider IT in the corporate governance process, including the process to enforce compliance with IT policies, procedures and controls.”
These questions come from the Federal Financial Institutions Examination Council’s June 2004 IT Examination Handbook, “Management.” The fact that approximately 70 direct references to the board and its responsibilities with respect to IT management appear in a 53-page document begs a number of questions, not the least of which is whether any board members are even aware of this guidance.
So, the discussion amongst bank technologists was lively. Although the overwhelming response disfavored board involvement in technology details, the group was clear on its responsibility to cogently justify and educate the board with respect to IT costs and benefits. Out of a sample of approximately a dozen institutions represented in the discussion, only one reported a technology steering committee at the board level (meeting monthly). The norm was a committee drawn from management spanning, as the exam question suggests, “senior management, business lines, audit and IT personnel” reporting to, but not including, the board. One participant described an education strategy in which board members were invited to attend and observe the bank’s technology steering committee meetings on a limited and rotating schedule.
The central issue is, of course, expertise. By way of example, many IT shops in our institutions have moved to (or are considering) Citrix and “thin-client” solutions. The benefits of efficiency and security are best understood by a technologist, with most of the rest of us requiring the “idiots-guide-to” explanation. The concern expressed by our bank technologists is that laymen could bog down and confuse analysis and research and grind technological progress (already slow in our industry) to a halt.
The answer is to strike a balance. As the group considered the question, the educational strategy of inviting board members to participate in turn on a management-based committee sounded like a good compromise, especially in meeting regulatory expectations.
The shortcoming of our discussion, however, was the lack of balance, excluding board opinion as well as regulatory opinion. The CBA’s Technology Committee invites a continuation of the discussion, especially from individuals who serve on our member banks’ boards of directors. Comments and opinions are welcome and may be forwarded to firstname.lastname@example.org. Based on responses, we could summarize the board view and present such opinions in a future article(s) in an attempt to help strike the appropriate balance for the industry on this very complex issue.
David B. Sidon is the founder of The Navis Group, a Danvers, Mass.-based compliance and technology project management company.