No Duty of Care: the Governance of ICT

The use of ICT is now critical to most organisations. The efficient and effective use of an organisation's financial and human resources and compliance with legal and regulatory requirements are central to good corporate governance. The way ICT is used, that is the governance of ICT has also become a critical part of good governance. However, the use and proposed use of ICT is not always accorded an appropriate duty of care.

The sudden interest in good governance of organisations can be attributed to the collapse of Ansett, HIH and OneTel in Australia and the likes of Worldcom and Enron in the US, which accompanied the demise of the dot.com stock market bubble in 2000.

These large scale corporate failures affect employees, suppliers, customers and stock holders. While in earlier times, stock holders may have been direct investors in the market, compulsory superannuation arrangements have meant that $1.2trillion belonging to almost all the working and retired population is now invested in Australia.1 .

In response to calls for government regulators to do something, the 2002 Sarbanes-Oxley Act (SOX) was passed in the US and 2004 CLERP 9 Corporate reporting and disclosure2 law were introduced in Australia. The intention was for listed companies to be transparent so that investors could make informed decisions about their investments and regulators could monitor activities more effectively.

The Australian Stock Exchange (ASX) also published Principles for Good Corporate Governance Practice in March 2003 and revised them in 20073 . The annual reports of listed companies have tended to include a Directors' statement

A series of Australian Corporate Governance standards were also published in 2004. These provide guidance on general principles of good corporate governance, Fraud and Corruption Control, Organisational Codes of Conduct, Corporate Social Responsibility and Whistle Blower protection programs.

2000 was not the first failure, nor the last. The IMF attributed in part the 1997 “Asian financial crisis“ to poor governance and called for reform of financial systems “to improve the efficiency of markets, break the close links between business and governments, and ensure that the integration of the national economy with international financial markets is properly segmented.“4 The market turmoil caused by sub-prime housing loans in 2008 has resulted in the US government bailing out troubled banks and caused consternation both in the US and elsewhere.

While organisations need to comply with a legal framework, they also need to perform. The ASX and Australian Standards for Corporate Governance recognise this, and reinforce the role and responsibility of directors for the activities of their organisations. This has been reiterated by the Chairman of the Australian Securities and Investment Commission and by the Chairman of the Malaysian Stock Exchange.

"The OECD Security Principles define Ethics as "participants should respect the legitimate interests of others"5. The ASX Corporate Governance Principles (2007) Principle 6 is "Promote Ethical and Responsible decision making"6 and the Australian Public Service Values state that members of the service should adhere to "the highest ethical standards"7. Organisations are also mentioning their own code of ethics in Annual Reports."

In his opening address to a corporate governance conference8 , Dato' Yusli Mohamed Yusoff, the CEO of Bursa Malaysia (Malaysian Stock Exchange) called for corporations to appoint strong, trustworthy leaders with a "high degree of personal integrity and courage." He also stated that while the revised Securities exchange Corporate Governance Code included mandatory reporting of corporate social responsibility activities, this was only a base requirement. "Leaders need to take a sustainable view of the environmental and social effects of their company's activities."

He defined “Leadership as not about doing things; it is about doing the right thing.” In his view, the board of directors as leaders of organisations need more than knowledge and ability to manage their companies. They also need to be the driving force in maintaining disciplined culture of good corporate governance, be accountable and prudent stewards.”

This complements the ASX's good governance guidance9 which recommend that directors seek access to independent and external professional advice and indemnity insurance.

The inducement or carrot for good governance of listed companies, is that investors are seeking out companies that do the right thing. There are funds such as Australian Ethical Investment, whose charter for investment includes companies involved in renewable energy, health care, education, waste management and food production but avoids those involved in uranium mining, armaments, tobacco and gambling. USD2-3 billion revenue from the Gulf States exploitation of Oil and Gas reserves has created a market for Shariah compliant investment which also excludes companies whose main activities include revenue streams derived from armaments, tobacco and gambling.10

The rising influence of NGOs in europe has lead to pension funds becoming more concerned about exposure to the effects of negative publicity and consumers, particularly in Australia and Germany reacting negatively to adverse publicity.

ICT is not an innocent bystander in market turmoil. An inadequate Billing system and hype about Telecommunications played their part in the failure of One.Tel. The collapse of long distance carrier Worldcom was the biggest in US Corporate History. The High expectation of financial rewards from investment in ICT was central to the Dot.Com bubble. The bubble saw Venture Capital of USD105.9 billion invested in over 8000 deals in 2000, dropping to less than half that value the following year11.

In 2002, David Murray, the long time and well respected CEO of the Commonwealth Bank, shocked a conference of IT leaders, and made headlines by blaming the US IT community for "single-handedly wrecking the world economy through an over-hyped market which lead to unrealistic investments"12 .

Along with the public failures, many organisations were facing difficulties in implementing ICT. As part of the Research undertaken to position and scope a standard for governance of ICT, we reviewed published audit reports of failed government IT initiatives, existing standards, frameworks and methodologies and other literature.

We also undertook interviews with a sample of CIO and senior IT Management."

Our research revealed that while project management (monitoring of schedules and costs) had improved, many of the failures could be attributed to the blind faith and optimism of "Business Owners" in achieving benefits from investment in ICT. The dismal failure of Broadscale outsourcing in both the private and public sector is documented in Audit reports and Media articles

The financial and human resources invested in the use of ICT, sometimes over unnecessarily long periods, have a signficant impact on an organisation. The RACV vs UNISYS court battle lasted 10 years13. The customs project blew out by $100million and took over 10 years to be realised14. The cost of redeveloping the Austrade and DCITA Websites blew out by 500%, and NAB wrote off a $409million IT Project15. More recently, the $1billion Melbourne16 and $300 million Sydney17 Public Transport Ticketing projects have been abandoned and are now the subject of wrangling over costs.

The costs themselves, are not the problem. It is when the costs outweigh the benefits and value delivered that questions arise as to whether the investment was warranted, prudently managed and who, if anyone, should be held accountable for the success or failure of the endeavour.

The Australian Standard for Corporate Governance of Information and Communication Technology (AS8015-2005) was published in January 2005. This Standard was adopted, pretty much unchanged, in May 2008 as ISO 38500-2008 The International Standard for Corporate governance of information technology.

AS8015-2005 defines Corporate Governance of Information and Communication Technology (ICT) as the system by which the current and future use of ICT is directed and controlled. It involves evaluating and directing the plans for the use of ICT to support the organization and monitoring this use to achieve plans. It includes the strategy and policies for using ICT within an Organization.

It also positions ICT as a key corporate resource, making Directors responsible for decisions regarding the use of ICT in their organisations. Echoing the ASX recommendations, it recommends that Directors inform themselves and seek advice from a variety of peer Professionals - lawyers, accountants, vendors, IT professionals, senior managers, IT auditors and external consultants..18

The research undertaken during the drafting of the standard revealed that a number of management standards and methodologies were in wide use. ITIL, standardised as BS15000 and subsequently as ISO 20000 Service Management had been embraced, Project Management via PMBOK or Prince2 was in hand. Many organisations proudly displayed their ISO 9000 certification. CoBIT was used to review ICT projects and security advice was available through ISO/IEC 17799, AS/NZS 7799.2, ACSI 3319 and subsequently ISO 27000. The OECD published Security of Information Systems and Networks Principles in 200220 .

Organisations also needed to ensure their use of ICT complied with Regulation and Legislation, which often laged the introduction of a new technology.

Large companies are required to lodge their taxation information electronically and the ATO offered electronic reporting for the GST, to smaller businesses. In 2007, the Federal Government introduced Legislation to make company websites the default mode of providing company reports to share holders. The ASX encourages and facilitates continuous disclosure by making company disclosures available on its website.

Other Compliance requirements for ICT include:

The Internet provided both opportunities and threats. In 2003, around 30% of Small Business were victims of Online Credit Card Fraud. There are also a variety of Scams25 including - Online auction & sales of non-existant products or services, Fake Domain name renewals, Spam (junk mail) offers - cheap products, promises of wealth – supply bank account, credit card and personal details.

Phishing and card skimming, used to collect authentication data to enable unauthorised transactions emerged as a new tool for fraud. A study carried out on students and staff found that good websites fooled 90% of participants and 23% of participants did not look at the address bar, status bar, or the security indicators.26

ICT also provides wider flexible access to organisational resources. This can result in unauthorised access to information, compromised data or the misuse of resources such as printers, faxes, telephones, email and Internet Browsing. Organisational Policies need to be designed and implemented to complement legislation and meet the organisation's needs. They provide guidance on what is considered appropriate and inappropriate behaviour.

The innovative aspects of ICT, which can contribute so spectacularly to the performance of an organisation are also problematic. The introduction of ICT requires organisations and their business partners to adopt new practices. If the change is not realised, not only the sometimes significant investment in the technology, but also the benefits are lost.

The UK's National Audit Office has noted that delivery of Public Services cannot be risk free. However, the Public Service who is charged with overseeing the planning, implementation and diffusion of these services, particularly those involving ICT, is more risk ignorant than averse, and this was no more obvious than in the large scale ICT Projects it undertook.27

The Australian Standard proposed 6 principles and model for prudently dealing with this uncertainty and risk. In deed, it was noted in feedback on the draft standard, that it fitted any organisational innovation not just that brought about by ICT. The AS/NZS 4360-2004 defintion of Risk is also reiterated. That is the chance of something happening that will have an impact upon objectives. It is measured in terms of consequence and likelihood.

The standard provides six principles that organisations should adopt in dealing with ICT. These are:

  1. Establish Clearly Understood Responsibilities for ICT
  2. Plan ICT to best support the organisation
  3. Acquire ICT validly
  4. Ensure that ICT performs well, whenever required
  5. Ensure ICT conforms with formal rules
  6. Ensure ICT respects human factors

While there has been a focus on risk identification and management, particularly driven by an insurance based risk management approach, it is also emerging that all the risks associated with ICT cannot be identified at the start of a project. In a recent paper, Rice, O'connor, Pierantozzi's 28 identified four broad areas of ICT project uncertainty: Technical, Market, Organisational and Resource.

These four broad areas, of uncertainty. can be aligned with the principles and model proposed in AS8015.

  1. Technical – acquisition and conformance principles
  2. Market – Plan and Performance principles
  3. Organizational – Responsibility and Human Factors principles
  4. Resource – Evaluate, Direct and Monitor aspects of the Model.

The standard provides guidance on what is required for good governance of ICT. The successful implementation of ICT, transforms business practices. It changes roles, responsibilities, skills requirements within and between organisations. It has also been shown that Conflict is a signficant factor to the failure of projects29 .

In 2005, an Ontario [Canada] Government review of large-scale Information and Information Technology projects recommended that the “Business transformation needs to be elevated to the same level as that of the thirty Deputy Minsters focused on policy and operations issues, if it is to get the decision-making attention it needs to succeed.” Further that the “Management Board of Cabinet should determine the government's capacity for large IT-driven business transformation and strictly limit the number and size of concurrent projects accordingly.”30

The Ontario task force also found that joint ventures were not as well suited to IT as they are to capital projects, it is difficult to share risk when many aspects of the project are not easily known at the start of the project.

Another study found that across industry sectors, businesses saw the role of ICT as supporting or improving the efficiency of business functions. Where innovation did occur it was opportunistic.31 While in the manufacturing sector, opportunities for strategic innovation through ICT may be reduced when ICT responsibilities are distributed through organisations. While aligning or distributing ICT through the business may have provided Managers with a better appreciation of ICT they may not be aware of the strategic importance and contribution of ICT throughout the business.32

In 2006, following a performance review of ICT, the Queensland Government created a new role of Chief Technology Officer and endorsed the reorientation of CITEC as the Government's technology service provider.43

The centralisation of ICT is not new. However, the role of ICT has changed and as discussed above compliance is not sufficient to ensure the realisation of the most benefit from ICT investment. The requirement to do so is that leaders and organisations engage in the right activities. AS8015 explicitly mentions professional guidelines and ethics in relation to Principle 5 Ensure ICT conforms with formal rules.

In their 2003 analysis of the failure of HIH et al, Clarke and Dean33 raked over the failures and called for more than simply shaming of the culprits. They bemoaned the practice of equating of corporate governance with ethics. They referred to the labelling of the Auditors, in this case, as demostrating "Bad ethical behaviour", as simply replacing the inept CEOs of previous crashes, as the time-honoured scapegoat.

Legal action and imprisonment of senior officers, followed the US and Australian corporate failures of 2000. A company director's duty of care extended to include the commercial implications of their actions such as Achieving the efficient conduct of their business; setting strategy that management can work towards; safeguarding the assets of the company to whom they are responsible; and providing an environment where instances of material fraud and error are not present” 34

Many annual reports now include a Directors' response to the ASX's good governance recommendations as a reflection of their approach to business. Some annual reports have also mentioned significant ICT projects being undertaken. However, the reporting on ICT has been superficial and rather than discussing, the risks, uncertainty or the benefits, were mentioned as though any investment in ICT should be considered a positive performance indicator.

There has been some discussion about the scope of Professional ethics in ICT. In Ethics35 , Mike Bowern looks at whether the system developer may have contributed to the difficulty a Centrelink client has in resolving a human data entry error and getting their correct payment. He concludes that in the complex system individuals should not be held responsible for problems with the overall system.

In Building ethics into quality assurance36, Craig McDonald's categorisation of stakeholders is interesting. He sees a distinction between the interests of the project team - "professional conduct of the project and for meeting the needs of the team members" and those of the business owner - who is "expecting a benefit or return." for the Organisation.

This hands off – no responsibility role of ICT Professionals is echoed in the HREOC findings of the 2000 SOCOG case, when they found “The only remaining matter is that raised by the respondent namely that any discriminatory conduct in respect of the web site was not that of the respondent but that of its contractor IBM and there has been no complaint against IBM. The web site is the respondent's site. It has engaged within its organisation a person who is identified as the person in charge of its information technology.”37

In ICT Integrity: bringing the ACS code of ethics up to date38 , the authors note that only 20% percent of people working in the ICT are members of the ACS. They go onto argue, that even expulsion from the society would not be seen as a barrier to working in the field.

Pye and Warren39 conclude the ACS Code of Ethics (2003) is about individual behaviour whereas the standard provides advice for organisations. Such Codes of ethics, may be superflous and could undermine or confict with corporate codes of ethics.

In the ICT Industry itself new ethics and values have emerged - notably from the Free Software movement. The open and free software movement challenges the licensing models, central to traditional ICT. "To use free software is to make a political and ethical choice asserting the right to learn, and share what we learn with others. Free software has become the foundation of a learning society where we share our knowledge in a way that others can build upon and enjoy."40

Or the Meritocracy of the group developing the Open Source Apache Web Server - “When the group felt that the person had "earned" the merit to be part of the development community, they granted direct access to the code repository, thus increasing the group and increasing the ability of the group to develop the program, and to maintain and develop it more effectively.”41

Parallels are often drawn to Lawyers, Accountants and Doctors. However, the obvious similarity is to that of well established Mechanical or Civil engineer or even Architect who need to communicate often intangible concepts in order to create tangible outcomes. Lessons on professional indemnity taken from Engineering and Building42 also seem more relevant to ICT.

When it comes to ICT, there are rarely precedents or a well troden paths to follow. The risk and uncertainty of a project or even ongoing operation of an ICT system needs to be undertaken within responsible ethical environmental, safety, capability and financial limits – “the computer” cannot continue to be blamed. Nor are Protracted court cases over responsibility or footing the bill for abandoned ICT projects a desirable outcome either.

The author would like to acknowledge the support of the Australian Computer Society, input from members of the Society and numerous others which informed and enabled the drafting and publication AS8015-2005, and Tom Cleary for his comments on this article.

1 APRA Quarterly Superannuation Report September 2007 (www.apra.gov.au/Statistics/upload/September-2007-Quarterly-Superannuation-Performance.pdf)

2 Corporate Law Economic Reform Program (CLERP) Corporate reporting and disclosure laws, July 2004.(www.asc.gov.au/asic/asic.nsf/byheadline/CLERP+9?openDocument)

3 First edition - Principles of good corporate governance,2003 (www.asx.com.au/supervision/governance/principles_good_corporate_governance.htm)

4 A Factsheet - January 1999 The IMF's Response to the Asian Crisis (www.imf.org/External/np/exr/facts/asia.htm)

5 OECD Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security, 2002. (www.oecd.org/document/42/0,2340,en_2649_34255_15582250_1_1_1_1,00.html)

6 ASX Corporate Governance Principles and Recommendations (2nd Edition 2007)(asx.ice4.interactiveinvestor.com.au/ASX0701/Corporate%20Governance%20Principles/EN/body.aspx?z=1&p=-1&v=1&uid=)

7 Values in the APS (www.apsc.gov.au/values)

8 Keynnote Address to Leadership and Sustainability in the global environment - Asian trategy and Leadership Institute (ASLI) Corporate Governance Conference, Kuala Lumpur, Malaysia 15 May 2008

9 ASX Corporate Governance Principles and Recommendations, 2nd Edition 2007 (asx.ice4.interactiveinvestor.com.au/ASX0701/Corporate%20Governance%20Principles/EN/body.aspx?z=1&p=-1&v=1&uid=)

10 Developing A Robust Islamic Funds Market in Asia -Quarterly Bulletin of the Malaysian Islamic Capital Market, Suruhanjaya Securiti (Securities Commission) Vol 3, No 2, April 2008.

11 MoneyTree Venture Capital Profile for United States, PricewaterhouseCoopers/Venture Economics/NVCA, Venture Capital Investment in United States Companies, By Year As of 12/31/2007. (vx.thomsonib.com/VxComponent/static/stats/2007q4/nation_us1.html)

12 SNS in the News - March 5, 2002 Clinton Fits the Bill at a Presidential-Style Congress (www.tapsns.com/news.php?newsid=12)

13 Unisys Australia Ltd v RACV Insurance Pty Ltd & Anor [2004] VSCA 81 (14 May 2004) (From Supreme Court of Victoria - Court of Appeal; 14 May 2004; 156 KB)

(www.austlii.edu.au/cgi-bin/disp.pl/au/cases/vic/VSCA/2004/81.html?query=%7E+racv+vs+unisys)

14 Customs' CMR: what it is and what it does. Peter Davidson, Information Age, 12/10/2004. (www.infoage.idg.com.au/index.php?id=1158761497)

15 Report to Senator the Hon Hlen Coonan, Minisgter for Communications, Information Technology and the Arts introducting the PRAGMATIC Programe (Procurement Reform of Australian Government Major Acquisition from Telecommunications and IT Companies developed by Industry Members of the ICT SME Joint Industry Government Working Party, sponsored by the Australian Computer Society, February 2005 (www.acs.org.au/publication/docs/ICTSMEJWP-IndustryReportFINAL.pdf)

16 Ticket chief stopped in tracks, Clay Lucas 2 April 2008. (www.theage.com.au/news/national/ticket-chief-stopped-in-tracks/2008/04/01/1206850910956.html)

17 Not-smart card plan abandoned, By Simon Benson, January 24, 2008 (www.news.com.au/dailytelegraph/story/0,22049,23097730-5001021,00.html)

18 AS8015-2005 Australian Standard for Corporate Governance of Information and Communication Technology, Standards Australia

19 ACSI 33 Australian Government Information and Communications Technology Security Manual (http://www.dsd.gov.au/library/infosec/acsi33.html)

20 OECD Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security (http://www.oecd.org/document/42/0,2340,es_2649_34255_15582250_1_1_1_1,00.html)

21 Digital switchover date confirmed, Senator the Hon Stephen Conroy 18 December 2007 (www.minister.dbcde.gov.au/media/media_releases/2007/003)

22 Information Privacy Principles under the Privacy Act 1988. (www.privacy.gov.au/publications/ipps.html)

23 Spam & e–Security, 21 November 2007. (www.acma.gov.au/WEB/STANDARD/pc=PC_310294)

24 Do Not Call Register Act 2006, (www.donotcall.gov.au)

25 (Fido.gov.au)

26 Why Phishing Works” 2006 ACM Computer Human Interaction Conference (CHI 2006 ACM 1-59593-178-3/06/0004).

27 Reward without risk? Innovation in PFI, Matthew Tulley, Winter 2001 (www.publicservice.co.uk/pdf/pfi/winter2001/p152.pdf)

28 Implementing a plan to Counter Project Uncertainty – Rice Oconnor Pierantozzi – MIT Sloane Management Review Winter 2008

29 Warne, L. (1997). "Conflict as a Factor in Information Systems Failure". The 8th Australasian Conference on Information Systems (ACIS 97) 29th-2nd October, 1997. School of Information Systems, University of South Australia, Adelaide, South Australia. ISBN 868032581: 387-391. (www.acs.org.au/governance/LWarne-ACIS97.html)

30 Report of Ontario’s Special Task Force on the Management of Large-scale Information and Information Technology Projects (July 2005. (www.gov.on.ca/MGS/graphics/052929.pdf)

31 Achieving value from ICT: key management strategies (www.dcita.gov.au/ie/publications/2005)

32 Digital Factories: the Hidden Revolution in Australian Manufacturing, 2005 (www.dbcde.gov.au/communications_for_business/industry_development/ict_in_australian_manufacturing/digital_factories_the_hidden_revolution_in_australian_manufacturing)

33 Corporate Collapse: Accounting, Regulatory and Ethical Failure By Frank L. Clarke, G. W. Dean

34 Directors’ Responsibilities: The reality vs the myths, Jeffrey Lucy, Chairman Australian Securities and Investment Commission, 17 Aug 2006,(Directors_responsibilities_August2006.pdf)

35 Ethics, Mike Bowern, Information Age 14/02/2006 (www.infoage.idg.com.au/index.php/id;1260028245;fp;131072;fpid;0)

36 Building ethics into quality assurance, Craig McDonald, Information Age, 18/08/2005 (www.infoage.idg.com.au/index.php/id;648174518;fp;32768;fpid;1663742481)

37 Bruce Lindsay Maguire v Sydney Organising Committee for the Olympic Games ()

38 Michael Bowern, Oliver Burmeister, Don Gotterbarn, John Weckert. (dl.acs.org.au/index.php/ajis/article/view/50/37)

39 Striking a balance between Ethics and IT Governance Graeme Pye, Matthew Warren (dl.acs.org.au/index.php/ajis/article/view/53/40)

40 Free Software and the GNU Operating System (www.fsf.org/about)

41 How the ASF [Apache Software Foundation] works (www.apache.org/foundation/how-it-works.html#meritocracy)

42 Andrew Alexandra, Tom Campbell, Dean Cocking, Seumas Miller and Kevin White - Report For The Professional Standards Council - Professionalisation, Ethics and Integrity Systems: The Promotion of Professional Ethical Standards, and the Protection of Clients and Consumers(www.cappe.edu.au/docs/reports/consultancy/PSCFinalSummaryReport.pdf)

43 Report on Review of ICT Governance in the Queensland Government - Service Delivery and Performance Commission - September 2006 www.thepremier.qld.gov.au/sdpc/library/pdf/ict/sdpc_ict_report_toc.pdf)