ISACA Journal
Volume 5, 2018


Digital Transformation? Boards Are Not Ready for It! 

Guy Pearce, CGEIT 

Boards of directors (BoDs) should be involved in directing and leading their organizations toward digital transformation, ever wary of the not inconsiderable risk scenarios along the way. Deloitte puts it this way: “Boards play a critical role in the digital transformation journey by bringing expertise, judgment, healthy skepticism, and concern for long-term value.”1

The problem, however, is that boards are not ready for general IT oversight, never mind for digital transformation oversight. Indeed, not only is it that “more than 80 percent of BoDs could be lacking the skills and knowledge to effectively govern business technology and realize strategic gains and financial returns at the enterprise level,”2 but global corporate governance codes also have yet to make any significant reference to digital leadership.3

With digital transformation being so disruptive, IT committees of the board are a key digital transformation oversight tool, given the degree of focus required to ensure that digital transformation materializes as envisaged. What are the problems that need to be overcome within the structure of boards if the organizations they oversee are to be sustainable under today’s digital onslaught?

Board-Level IT Governance Has Been Slow to Materialize

It has been reported that up to 68 percent of IT projects fail.4 IT failures destroy shareholder value by wasting resources and by the missed opportunities successful IT could have enabled. No doubt this rate of failure will continue, if not increase, for initiatives branded as digital transformation.

The need for boards with IT competencies to mitigate the risk of IT failure is becoming clearer globally, especially where the organization’s strategic success and sustainability depend on the organization’s IT success. Figure 1 illustrates the evolution of IT governance.

That formal IT governance ultimately materializes as IT committees is demonstrated by the growing number of very large organizations that have IT committees. However, at a recent board retreat, which included a day of corporate governance training from a directors’ institute, the consensus was that IT committees are still almost unheard of in the training session’s host country, Canada.

There Is Still a Major Problem With Directors’ Digital Literacy

Disappointingly, the almost unanimous answer to a question of directors at a recent BoD event was that neither the scale of their IT spend nor IT’s contribution to operational risk was deemed significant enough to warrant a separate board IT committee. Could this be because, to date, “boards of directors may appear to have done well in leading and governing firms without IT expertise among their ranks”?15

These same board directors talk publicly about digital transformation and digital innovation, seemingly oblivious to the huge organizational impact and risk involved in such a journey, which, by definition, includes IT. This risk increases when boards fail to recognize their role in IT (and data) governance. There is much behind this wholly inadequate response.

Most board directors in the United States are independent, a condition driven largely, since 2002, by the Sarbanes-Oxley Act (SOX).16 Indeed, in the S&P 500, Spencer Stuart finds that 85 percent of board directors have been independent since 2007 and, in 2017, the average age of these directors was 63.1 years.17

A question the World Economic Forum asks of directors is whether their boards are digitally literate, multigenerational, and have sufficient expertise to advise on fast-moving business and technology topics.18 On digital literacy, McKinsey finds that few boards have enough combined digital expertise to have meaningful digital conversations with senior management,19 while, at 63.1 years, the average S&P 500 board director would hardly qualify as multigenerational.

This complements the findings of a survey by the Harvard Law School Forum involving 860 public company directors.20 Many board members are uncomfortable with IT oversight because, with an average age of 63.1:

  • Most board members’ professional experience is predigital.
  • Very few directors actually have any IT background.

So it is not that boards in general do not want increased IT governance; rather, incumbent directors simply do not have the skills or experience necessary to recognize why or when they need IT governance or even an IT committee. Could boards be negligent by not having IT skills on board and, therefore, not being able to ask probing oversight questions of IT beyond general audit questions typical of the audit committee? The answer is “yes”; boards have a fiduciary duty to be competent in IT.

The vice-chair of Delta Air Lines’ board safety and security committee put it succinctly: Boards need to be prepared with proper talent, proper technology and proper process, and most boards fail on most or all of these components.21 It is time that shareholders rethink how they vote for board members at their annual general meetings (AGMs).

The response of directors to the question posed at the beginning of this section is hard to swallow. However, another dimension of understanding—not that any proponent of IT governance would find it agreeable—was hidden within the director responses, as discussed in the next section.

Digital Transformation Governance Concerns More Than Just IT Cost

A key to further understanding the directors’ answers to the question posed in the previous section is a specific word they used: “spend” (cost). Cost is more aligned with operational IT than it is with digital transformation. The implications are that these directors seem to see IT through the lens of cost, not (cost and) opportunity, which is why they find it acceptable to “govern” IT within the audit committee. Building on the findings cited in figure 1, though, governing IT in the audit committee is unsatisfactory, more so if digital transformation is an objective.

That directors manage by costs is outdated and suggests that there is, perhaps, no real digital transformation going on at these organizations in spite of the apparently forward-thinking public commentaries they make.

Cybersecurity, competitiveness, strategic integration and even digital transformation: IT has long been much more about organizational sustainability and strategic positioning than about (the cost of) process automation. If this is still the board’s governance focus, then it is doubtful that many directors are actually able to discern IT’s role in achieving Deloitte’s previously noted, potentially utopian “concern for long-term value.”

Recommendations and Conclusion

IT governance, driven by King III, ISO/IEC 38500 and COBIT, has been formalized since 2008 by means of ISO/IEC 38500. If IT is merely operational in an organization, then IT governance need not extend beyond the audit committee charter of cost and risk. But if business is strategically dependent on IT to deliver, including in a digital transformation context, then according to ISO/IEC 38500, the board has three key responsibilities:

  • To continually evaluate IT’s performance in the context of the organizational strategy
  • To continually redirect IT if its performance compromises the organization’s strategy
  • To continually monitor IT’s performance to ensure that the organization’s strategy will be delivered as committed to shareholders

Business-critical issues such as these are time-consuming enough to govern effectively that they deserve a home in an IT committee. Undeniably, the IT conversation has long since extended beyond the basic audit topics of cost and risk, as organizations such as Walmart have found (it has a dedicated board-level IT committee). And before coming to the conclusion that an IT committee is technical, it is not; the responsibilities listed in the previous paragraph, as well as topics such as IT-enabled competitiveness, transformation and sustainability, are clearly strategic.

While IT governance has continued to mature over the last decade, it still has a long way to go. Not only is there no major conversation about digital leadership occurring within the world’s corporate governance codes, board directors do not yet seem to have the skills and competencies to properly govern digital transformation initiatives.

What can be done about this situation? Generally speaking, and for starters, directors are voted in at the annual general meeting (AGM) by shareholders and, in those organizations where term limits exist, there should be a rotation of directors with fresh blood and fresh perspectives on the role and risk involved in digital transformation. So, shareholders generally hold some of the power needed to replace the current directors on the boards whose shares they own with IT-literate directors.

The question is whether they want to, or whether the drivers of short-term gain (share price growth) are more important than long-term sustainability.22 For all intents and purposes, these two objectives seem incompatible, which is where some of the problem begins.

As a little bit of light at the end of the tunnel, the board on which the author serves has unanimously found that sustainability through digital transformation demands more than just a slot within the broader audit or risk committee agendas. Instead, it has found that, in the context of digital transformation, IT is deserving of a specialized degree of governance that can be afforded it only by means of a dedicated IT committee.


1 “The Board’s Role in Shaping Digital Transformation,” Deloitte, 2018
2 Leblanc, R.; “Enhancing the Effectiveness of the 21st Century Board of Directors: part II,” International Journal of Disclosure and Governance, vol. 10, iss. 4, p. 287-294
3 De Haes, S.; A. Joshi; T. Huygh; S. Jansen; “Exploring How Corporate Governance Codes Address IT Governance,” ISACA Journal, vol. 4, 2017
4 Krigsman, M.; “Study: 68 percent of IT projects Fail,” TechRepublic, 16 December 2008
5 Nolan, R.; F. W. McFarlan; “Information Technology and the Board of Directors,” Harvard Business Review, October 2005
6 International Organization for Standardization, ISO/IEC 38500:2008, Corporate Governance of Innovation Technology, 2008
7 Institute of Directors in Southern Africa, King Code of Governance for South Africa 2009, 2009
8 Basel Committee on Banking Supervision, Principles for Effective Risk Data Aggregation and Risk Reporting, Bank for International Settlements, January 2013
9 Chou, T.; “It’s Time for Boards to Have Technology Committees,” CFO, April 2015
10 ISACA, COBIT 5, USA, 2012
11 De Grazia, R.; B. Estevam; S. Neto; “Four Steps to Integrate IT and Corporate Governance,” COBIT Focus, 1 December 2014
12 Dickstein, M.; J. R. Visbal; “Cybersecurity: The Board’s Role,” Spencer Stuart, 2015
13 Ibid.
14 Lankton, N.; J. Price; “Board-Level Information Technology Committees,” ISACA Journal, vol. 2, 2016
15 Op cit Leblanc
16 Levenshohn, P.; “How Have the Demographics of Public Corporate Boards Changed Over the Past 25 Years?” Pascal’s View, 2011
17 Spencer Stuart, “2017 Spencer Stuart U.S. Board Index,” 2017
18 World Economic Forum, “Digital Transformation of Industries. Demystifying Digital and Securing $100 Trillion for Society and Industry by 2025,” 2016
19 Sarrazin, H.; P. Willmott; “Adapting Your Board to the Digital Age,” McKinsey Quarterly, July 2016
20 Cloyd, M.; “Directors and Information Technology Oversight,” Harvard Law School Forum, 2013
21 Nash, K. S.; J. Lublin; A. Andriotis; “Boards Seek Bigger Role in Thwarting Hackers,” The Wall Street Journal, 10 January 2018
22 Tanden, N.; B. Effron; “How to Foster Long-Term Innovation Investment,” Global Policy Journal, 12 July 2015

Guy Pearce, CGEIT
Has served on boards in banking, financial services, retail and not-for-profits over the last decade. He also served as chief executive officer of a multinational retail credit business where he led the organization to profitability after the 2008 global financial crisis. He has published numerous articles on data and IT, and consults in corporate governance, IT governance, data governance and risk.



Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and from opinions endorsed by authors’ employers or the editors of the Journal. The ISACA Journal does not attest to the originality of authors’ content.