Leading modern IT has never been easy. The strategic chief information officer (CIO) must keep an eye not only on the evolving technology landscape, but also on evolving leadership and governance trends and their inevitable dilemmas, as these factors shape IT strategy and influence the way IT productively enables enterprise value creation.
Recent developments in the US political landscape - for example, its changes to various tariff regimes - highlight rapidly emerging strategic drivers that not only impact business and government decisions for the affected countries, but their strategic IT decisions too. More than anything, these developments revive the age-old clarion call for strategic foresight and agility, not only in business, but also in IT.
The following leadership and governance trends - gleaned from the National Association of Corporate Directors (NACD)¹ and Forbes² - have significant implications for IT strategy and IT governance in 2025, especially in the context of the above geopolitical developments. Indeed, the importance of these trends is amplified by the imperative for today’s CIO to be much more than just tech-savvy, but to also be acutely aware of developments in the macro environment and of the risk inherent in shorter response timelines when building and maintaining the IT capability necessary to sustainably operate in shrinking time horizons.
The Macro Environment
Trend
At the macro level, there is no doubt that volatile economic conditions and the new dynamics of the geopolitical environment are currently top of mind for the board and the whole c-suite, including the CIO.
CIO Response
The growing discipline of Application Portfolio Management (APM) – especially when viewed through IT governance’s risk and benefits pillars - can be a valuable tool to help with operational rebalancing (Figure 1) and strategic rebalancing. Appropriately applied, APM can assess the contribution of the application portfolio to the organization’s strategy, which could result in new applications being added, and existing ones being merged or sunsetted. At the enterprise architecture level, this would potentially mean changes to the list of applications approved for use in the organization.
Figure 1—Application Portfolio Management (APM) through an application risk-return lens
Source: Pearce, G.; “The Power of IT Investment Risk Quantification and Visualization: IT Portfolio Management,” ISACA© Journal, vol. 4, 2018
Reduced Time Horizons
Trend
A challenge for the board and c-suite is how to develop and commit to the enterprise and its supporting IT strategies when the time horizons for change have contracted so dramatically (i.e., when significant change can occur without warning).
CIO Response
A significant strategic risk control in the context of reduced time horizons could be to integrate scenario planning — a business strategy discipline — into an organization’s IT strategy. This enables some advance planning for uncertainty, which will help shape flexibility in thinking about the nature of the evolving optimum strategic path for IT. Scenario planning significantly reduces the lag between a strategic issue arising and its response. This is because much of the thinking about the implications of a strategic issue will have already been performed in a much less stressful environment. To facilitate this, a key need is for the field-of-view for IT risk management to be widened significantly, especially in economically volatile times.
AI Governance
Trend
In 2025, 1 in 3 board directors are concerned about artificial intelligence (AI)—not only in terms of the risk of their IT developments falling behind those of their competitors, but also in terms of how to deploy AI and emerging technologies responsibly. Another concern is how to govern AI most effectively, noting that AI governance has an enormous scope that includes both “Corporate Governance” and “Business (Entity) Governance” (figure 2).
Figure 2—The Scope of AI Governance
Source: Pearce, G.; Kotopski, M.; “Algorithms and the Enterprise Governance of AI,” ISACA© Journal, vol.4, 2021
CIO Response
Beyond compliance, there are at least 3 aspects of AI governance: The technology itself, the data used to train the models, and the AI outcomes on which the enterprise would base its decisions – data, algorithms, and outcomes. The governance of AI technology is part of the CIO scope (e.g., ensuring that the AI risk is managed), while the governance of the AI data might be balanced between the business and IT. The governance of AI outcomes—and how the organization acts on them—falls under the ambit of both business governance (business performance) and enterprise governance (legal conformance).
For the data component of AI governance, key operational issues are to be sure that the required data is sourced with consent of the subjects and in alignment with all relevant privacy legislation, and that the data can be shown to be of the requisite quality against dimensions such as accuracy, timeliness, and completeness. These will help reduce data risk.
For the technology component of AI governance, a key operational issue is to ensure that the AI processing mechanism is explainable, and, in some jurisdictions, to ensure that customers can opt out of the automated processing if they so choose. This will help reduce operational risk.
For AI outcomes, some applications of the technology, such as in public health, would need a human to be in the loop given the high stakes of a poor AI-generated outcome for an individual. A key governance construct would be to define the acceptable bounds of an AI-generated outcome, and to manage cases where those bounds are exceeded. This will help reduce decision-making risk.
Business Model Disruption
Trend
Some board directors are looking to digital transformation to help disrupt their organization’s business models as a means of maintaining their competitiveness—or even just surviving—in an increasingly crowded and competitive marketplace. One organization expressed it as the need for boards to embrace disruption by championing innovation, proposing examples such as elevating innovation as a strategic imperative and incentivizing innovation.³
CIO Response
Big changes to either the business model or the operating model are likely to have a risk profile greater than the board's entire risk appetite, so enacting changes to each simultaneously could incur more risk than the organization could sustainably bear. Some boards, such as Procter & Gamble, Clariant, and Pfizer, have implemented Innovation Committees⁴ as a means to explore innovation in a controlled manner. Disruptive digital transformation at the business model level will require equally disruptive changes to the organization's operating model, of which IT constitutes a part (figure 3).
Figure 3—Business Model Disruption by Digital Transformation will Require Operating Model Changes to Enable It
Source: Pearce, G.; “Enhancing the Board’s Readiness for Digital Transformation Governance,” ISACA© Journal, vol. 5, 2019
Even without Innovation Committees, the IT governance discipline provides two constructs that can help balance risk and innovation: the domains of IT benefits and risk management.
A solid business case developed as part of demonstrating the potential value add of a new technology must include consideration for the costs of implementation, integration, and deployment, otherwise the business case would not be strong enough as a management instrument. Of particular interest would be the people (staffing and skills), process, technology integration, and governance implications of the new technology.
Identifying, analyzing, and quantifying these would go a long way to understanding the risk of the new technology and thus the nature of the risk controls needed when transitioning from the organization’s current operating model to a new proposed target operating model long before making the decision to go with the technology.
IT Operations
Trend
The increasing emphasis on demonstrating the value of IT is interesting because value delivery has been an element of IT governance (in the form of International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 38500⁵) for almost 2 decades. Whether this means that IT governance has been poorly practiced until now, or the uptake of sound IT governance has been slow to date, is not known.
CIO Response
A key task of the strategic CIO, in collaboration with their business counterpart, is the ability to demonstrate that IT has created the business value expected of it in alignment with the organization’s strategy. A good business case explains the business benefits of the proposed IT in the context of the organization’s strategy. It presents an argument for why organizational resources should be diverted or allocated to procure, develop, integrate, and deploy the technology in the context of its proposed revenue, cost, risk, and customer satisfaction benefits. Once the technology is deployed, the actual benefits generated by the technology should be tracked against the benefits proposed in the business case. A negative deviation should be explained, and corrective actions taken before value is destroyed.
People and Culture
Trend
Succession planning remains a key trend in organizational sustainability and has been integral to good corporate governance for decades.
CIO Response
Succession planning does not come up often at the IT level, but it should certainly be a mandatory discussion, at the very least as part of enterprise business continuity planning.
Figure 4—Aspects of organizational culture that enable effective IT governance
Source: Pearce, G.; “The Sheer Gravity of Underestimating Culture as an IT Governance Risk,” ISACA© Journal, vol. 3, 2019
It is also important to recognize that the performance of every function in an organization, including IT governance and IT itself, is enabled or compromised by the organization’s culture. From figure 4, tone at the top and accountability are key board instruments that shape IT governance’s mandate and the levels of accountability expected within that mandate. The CIO with an executive seat has the power to influence organizational culture in a way that best serves all the organization’s stakeholders.
Enterprise Governance and Digital Trust
Trend
There is a rising need for boards to govern technology with an eye on reversing and improving the declining state of trust in organizations and in technology. In other words, the active pursuit of digital trust is now a board imperative.⁶
CIO Response
With trust dependent on transparency, business and government need to be clear about what exactly they are doing with customer and citizen data respectively. This means advocating for transparency in data collection, data storage, and data processing within the organization. Trust is also dependent on accountability, and there is no more visible a place for accountability than during a data breach, when quick and transparent communication is of the essence for digital trust.
Alternatively, it's interesting to ponder who has the most power in the digital trust conversation. Is it the organization, or its stakeholders? While ethics as a foundation of trust can seem to be a nice-to-have from the internal perspectives of both business and government – e.g., the Volkswagen emissions scandal⁷ despite governance instruments such as the board, and a Prime Minister’s ethics violations⁸ – perhaps growing external pressure from customers and citizens will drive the most change. The growing number of active and successful external citizen and customer advocacy efforts will increasingly hold public and private organizations accountable for their fiduciary failures.
Conclusion
Current geopolitical developments remind CIOs of the need to be vigilant and to be able to respond appropriately. Today’s leadership trends also highlight how CIOs need to navigate a volatile macro environment and compressed time horizons while balancing continuity with agile innovation as well as any business leader would. Based on these trends, it is clear that the CIO’s mandate extends further beyond traditional IT management than ever before.
A key task of the strategic CIO is to revisit how IT strategy is developed, perhaps looking to scenario analysis as a means to encourage flexibility in strategic planning, which is especially relevant in a dynamic economic milieu. AI governance, risk management, and evidence of value delivery continue to be key responsibilities of the modern CIO, as is the need to help organizations improve digital trust with customers and the general public. As always, the strategic CIO is instrumental in an organization’s pursuit of sustainable enterprise value while building bridges between technological potential and business strategy like never before.
Endnotes
1 Van der Oord, F.; Sikora, T.; “Directors Should Prepare to Address Five Board Dilemmas in 2025,” NACD, 12 November 2024
2 Peregrine, M.; “Top 10 Governance And Leadership Trends For 2025,” Forbes, 30 December 2024
3 Oven, C.; Golden, D.; “Embracing Disruption: The Board’s Role in Championing Innovation,” Harvard Law School Forum on Corporate Governance, 6 August 2024
4 Brish, A.; “Innovation And Board Of Directors,” Forbes Technology Council, 23 February 2023
5 International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC), Joint Technical Committee on Information Technology (ISO/IEC JTC 1), ISO/IEC 38500:2024 Information technology — Governance of IT for the organization, Edition 3, 2024
6 Van der Oord; Sikora; “Directors Should Prepare to Address Five Board Dilemmas in 2025”
7 EPA, “Learn About Volkswagen Violations,” 30 August 2024
8 Grenier, É.; “Trudeau's Past Ethics Transgressions Hurt the Liberals. Will it Happen Again?” CBC, 12 July 2020
Guy Pearce, CGEIT, CDPSE
Has served in strategic leadership and governance roles in sectors including banking and healthcare. He has led digital transformations involving IT and data for most of his career, focusing on building sustainable enterprise capability to fully enable them. An industry thought leader with over 100 published articles, he received the 2019 ISACA® Michael Cangemi Best Author award for contributions to IT governance. He serves on the ISACA Ottawa Valley Chapter board in Ontario, Canada.