At first glance, the UK government’s evolving efforts to tighten up corporate governance look like reading material solely for chief executives, MDs and finance directors. But on closer inspection, the Draft Regulations on the Operating and Financial Review (OFR) and Directors’ Report, released in May 2004, are full of sweeping statements that could mean that UK IT directors at publicly listed companies are facing an unprecedented level of shareholder scrutiny of their operations and mission-critical projects.
With the OFR, the government is trying to get companies to go beyond the scope of their current analysis, to more fully explain the strategy and objectives of their operations and the key activities that drive performance. Although they contain little direct reference to IT, the new regulations make it clear that operations – whether IT-enabled or not – will be put under the microscope. “Certain information is essential to an understanding of the company,” says the OFR draft. “[It] should always be included [in reports to shareholders]: for example information about the company’s business strategies and the principal risks and uncertainties.”
Corporate lawyers, industry analysts and others are drawing the conclusion that the pivotal role IT has within business means that, when the OFR becomes law, management will have a statutory requirement to provide information on the performance of IT and the risks associated with IT. The scope of that information is still to be defined, but it may include details of the business’s disaster recovery strategy, disclosure of a major project implementation that is negatively impacting the business or risk exposure as a result of involvement in a B2B trading network. Certainly, the perception of IT’s central role is there. According to recent figures produced by the IT Governance Institute, 91% of executives recognise that “IT is vital to the success of their business”. At the same time, three-quarters of them are aware they need to apply greater IT governance to establish better visibility and reduce risk of project failure, expose waste and improve efficiency.
For Martyn Emery, director of global operations at IT governance consultant 2020 Governance, the issue is all about protecting the organisation – and, to an extent the individual – from the investor. “Society is getting increasingly litigious and it makes good sense for IT directors to be proactive and make sure they have a good mechanism in place to demonstrate that they have been managing money well. It’s a good insurance policy.”
Tick in the box
As it stands, company directors will be asked to make a judgement call on what they view as ‘critical information’ for inclusion in the OFR and how much information about IT they feel obliged to disclose.
However, for a piece of legislation intended to stamp out corporate fraud, it is difficult to imagine one more prone to manipulation. It provides the opportunity for companies to turn the non-financial aspects of their reports into pure marketing brochures – a temptation that will be too strong for some.
“You need to know where the line is drawn between substantive information and PR,” says David Phillips a partner with PricewaterhouseCoopers. And he adds: “Clearly the directors are going to be required to give due care and inquiry into the process, and the auditors are going to have to sign off that they have been through that process. It is not about creating a marketing document with lots of nice pictures and all the right words.”
It is the government’s intention not to get too prescriptive with this piece of legislation – a criticism often levelled against the US’s Sarbanes-Oxley Act on corporate governance. At the same time, it does not want the OFR to turn into yet another box-ticking activity.
There are plenty of people that view the OFR as an exercise in identifying potential liability situations. “If you’re a conspiracy theorist, the purpose of the OFR is to enable the government to say, ‘Well, you’ve nailed your foot to the floor here, so you’re liable’,” says David Marsh, head of IT and electronic business law at Dickinson Dees law firm. “Without wanting to sound like a Luddite, I don’t believe the OFR is going to change the principles which currently exist in relation to that [civil or criminal liability],” he adds.
Next year, when the regulations are expected to come into force, companies will have to either manage that liability well through the disclosure of appropriate information or have their governance tested in the courts.
* Organisations and individuals have until 6 August to submit comments on the draft regulations. Email: ofr.condoc@dti.gsi.gov.uk.