IT professionals have been warned to prioritise ICT governance and business continuity to minimise risk to the business, in the wake of the recent natural disasters plaguing the nation and indeed the world.
Michael Morris an ICT lawyer with Queensland law firm, HopgoodGanim, cautioned those taking a “reactive approach” to ICT governance by only prioritising governance when something goes wrong, noting miscommunication between the IT department and the board is a major barrier in the process.
“While boards and executive management have a responsibility to put appropriate systems in place, IT managers also have a responsibility to facilitate and support this process,” Morris said in a statement.
“Boards will be relying on IT managers to articulate ICT business risks in a language they can understand - in the same way a lawyer has a responsibility to deliver advice to a client in a language it understands, without the techno-babble or legal jargon.”
According to Morris, ICT governance should be a discussion about maximising business value and minimising business risk, as opposed to a discussion about technology.
When it comes to a duty of care to ensure proper IT governance, the buck does not stop with the CIO, Morris said.
“A failure to adequately plan for business continuity can be seen as a governance failure, just as much as can a failure for a company to put in place appropriate workplace health and safety initiatives, or a failure to plan for other business risks.”
“Directors and senior officers of companies, which in many cases can include the CIO, have positive duties under the law to implement proper governance,” he said.
“However, not all boards will have individuals conversant in IT and accordingly, a CIO must preside over an IT team which collaborates with relevant managers to assist the organisation to put appropriate measures in place to identify and mitigate risk.
"This means articulating the nature of the risks and what can be done to reduce their effects, in language understandable to non IT-savvy folk.”
Commenting on the recent Queensland floods, Morris said issues related to governance were uncovered at the time and were associated with business continuity and disaster recovery.
“All modern organisations, to some extent, depend on the availability and integrity of their IT and communications systems.” He said. “This dependency ranges from the business critical and extreme to the less immediate, but potentially has equally disastrous consequences of the flow-on effects of a systems failure.”
On the international stage, Morris said the law is paying closer attention to the issue of ICT governance, a trend soon to reach Australia.
“It’s only a matter of time until an ICT failure causes substantial damage to Australian shareholders,” said HopgoodGanim ICT lawyer, Hayden Delaney. “Once that happens, it’s possible we will start to see a few high profile cases involving alleged breaches of the Corporations Act and directors’ duties of care.”
According to Delaney, a failure to have proper systems in place to ensure business continuity during a natural disaster could potentially constitute a breach of an officer’s duty of care and diligence under the Corporations Act 2001.
“However, there are a number of practical steps to maximise business continuity, such as implementing appropriate disaster recovery arrangements, or outsourcing various functions to an appropriate provider in ‘the cloud’ to guarantee the required amount of availability.”
Follow Chloe Herrick on Twitter: @chloe_CW
Follow CIO Australia on Twitter: @CIO_Australia