1 Introduction

Responsible investing is becoming one of the main trends in capital markets in the twenty-first century, along with interest in information and communication technologies and green energy. In the context of the transition to a digital economy, the board of directors of a company needs to identify emerging trends and risks and determine their relevance to the company.

On January 1, 2016, 17 sustainable development goals (SDGs) came into effect. They are set out in the 2030 Sustainable Development Agenda that was approved by the global leaders in September 2015 during the historical UN Summit in Paris. The amount of investment in companies complying with the ESG principles in Europe grew by a third every two years from 2014 to 2018 (PwC 2019). In this context, continuous transformation of company governance becomes one of the main objectives of the board of directors (hereinafter also BoD), as digitalization is a never-ending process that does not allow simply setting out uniform principles and approaches just once. It is not a surprise that, given the ever-increasing demand to make ICT investment more efficient, ICT governance, most often one of the most vulnerable elements of an organization’s corporate governance, started gaining increasing attention (Brown and Grant 2005).

The purpose of this research is to understand how information and communications technologies can help to address tasks related to environment protection and successfully integrate these solutions into the corporate governance objectives.

2 Methods

The research is based on the analysis of the scientific and practical sources in the field of ICT and ESG governance. The statistical studies and open sources of information on practical aspects of ICT and ESG governance were used to identify the main trends in the use of ICT and the role of the board of directors in ESG risk identification. The empirical and comparative analysis, expert assessments, synthesis, deduction, and induction were applied in order to form the guidance for the BoD to provide the right governance for a company.

3 Results

Lack of ICT governance and commitment to ESG principles exposes a company to significant risks (in particular, by causing losses, higher operational expenses, higher cost of borrowed capital, undermining a company’s reputation, poor experience of introducing innovations, etc. [IT Governance Institute 2003]) which, in their turn, may prevent a company from achieving its strategic goals (Nolan and McFarlan 2005). The BoD shall play the pivotal role in setting up ICT governance and ESG integration in the business strategy. However, current corporate practice shows that, for various reasons, the BoD does not always manage to give due consideration to matters related to technological development (Peregrine 2015), while ICT issues are not top priority topics for discussion at its meetings despite—sometimes significant—investment and serious associated risks. ISACA identifies the following reasons for these issues:

  • The need for greater technical knowledge than on other items on the agenda;

  • A view of ICT as a matter separate from the enterprise’s business;

  • The complexity of the topic, especially for enterprises operating in the network economy (IT Governance Institute 2003).

According to the results of PwC’s Russian Boards Survey in 2018, the BoD oversees technology adoption in only 7% of companies. In the other companies, it falls within the competence of the management. Another challenge is that 57% of BoD members meet with the Chief Information Officer once or twice a year, which is not consistent with the emerging international practice of having such meetings on a regular basis. The survey authors’ recommendation to BoD members is to improve their digital competence, define their technology priorities and incorporate them into strategic governance, as well as to assign persons responsible for cybersecurity risk control (PwC 2018). This practice is a concern since the board of directors is the key governance body in terms of incorporating ICT in the company activities as well as overseeing ICT risks within the company’s overall risk management system.

ESG risk management should become one of the key topics on the agenda for the board of directors. In light of the events that had a critical impact on development of the company strategies in health, safety and environment (HSE) (explosion of oil platform Deepwater Horizon in the Gulf of Mexico at the Macondo field in 2010 and diesel spill in Norilsk), the focus of the board of directors is gradually shifting towards environment protection. In both cases, the accidents caused significant damage to flora and fauna, and the companies responsible for them paid record billion dollar fines.

To make HSE risk management more efficient as well as to demonstrate commitment to ESG, the board of directors should pay attention to digitalization opportunities when developing long-term development strategies. Technology solutions can mitigate risks and contribute to decision-making and resource distribution. A number of technologies can already be widely applied for HSE risk management:

  • Software enablement and advanced analytics: collect larger HSE data points to calculate better performance indicators to meet corporate and regulatory requirements, while anticipating and mitigating risks, and identifying opportunities to reduce incidents and improve productivity.

  • Virtual reality: improve training effectiveness by providing organizations with a high-impact, scalable and efficient method to rapidly build the capabilities of workers—particularly those with less experience in high-risk environments.

  • Drones and robotics: perform typically dirty and dangerous jobs by accessing areas that are difficult to reach, such as those collecting data from inaccessible areas of legacy mines for remediation efforts. This technology can also be used to significantly reduce time performing things such as large site scans or map areas of cultural heritage close to the mine (Millet 2020).

Statistically, many BoD members overseeing ICT do not have the required technical and professional knowledge and competences (Deloitte 2017). According to the 2019 National Corporate Governance Index research, in Russia’s 100 largest public companies quoted on the Moscow Stock Exchange, only 3% of the BoD members have expertise in IT, innovations and digital technologies, with the average number of board directors having relevant competences being one (Top Competence 2019). Therefore, this lack of understanding of ICT governance issues may sometimes prevent them from duly performing their duties.

While recognizing that BoD members periodically have to deal with ICT issues, it is important for them not to be overwhelmed with technical details. First of all, they need to identify the impact of ICT on strategic business development and monitor the consequences of ICT use by the company. At the same time, companies have to understand what level and scope of ICT expertise is needed for the performance of the company’s BoD and management.

In the context of swift technological transformations, active involvement of the BoD in ICT governance and oversight over emerging risks become a key to responding to the ongoing technological changes. There appears to be no universal model for ICT governance by the BoD. A balanced approach would require taking into account a variety of factors (Nolan and McFarlan 2005). One should agree that all companies have ICT governance in place, in varying degrees. The only difference between them is that companies that do it efficiently have developed and implemented a set of mechanisms for such governance (board of directors committees, relevant organization chart, to name a few) and encourage behavior that corresponds to the enterprise mission, strategy, values, standards and culture (Weill 2004).

To ensure efficient ICT governance, PwC developed an IT Oversight Framework that represents a six-stage process:

  1. Assess the role of information technologies for the company (state of IT infrastructure, IT budget, importance for business model and expected changes from the implementation of information technologies, etc.);

  2. Define who will control and monitor the use of IT within a company (BoD, a BoD committee) and whether all the necessary resources are available;

  3. Set IT priorities within a company;

  4. Define what place IT priorities take in the company’s overall business strategy;

  5. Integrate IT risks in the company’s overall risk management process;

  6. Continuously monitor the company’s IT development (Cloyd 2013).

Once the relevant approaches are defined and agreed, the development of relevant corporate strategy may begin. For instance, the IT Governance Institute breaks down BoD’s IT governance into five domains:

  1. IT strategic alignment—aligning the company’s business and IT strategy enabling to accomplish strategic goals and business objectives;

  2. IT value delivery—optimizing the costs and the added value delivered by IT;

  3. IT risk management—addressing IT security, understanding the risks and managing them;

  4. IT resource management—optimal investment, use and allocation of IT resources (people, applications, technology tools, data) when catering for the needs of the company;

  5. Performance measurement—developing and monitoring strategy implementation and IT services (IT Governance Institute 2003).

IT strategic alignment, resource management and performance measurement are seen as the drivers for such activity, with value delivery and risk management as the results. It is noted that most models, structures and standards for ICT governance take these five main areas into account when dealing with IT implementation (Aasi et al. 2017).

As a part of their role as the guardian of long-term corporate performance, boards have a key role in ensuring that companies are aware of, and able to navigate, an ever-evolving risk landscape. Where ESG risks impact—or may impact—the business, it is their duty to exercise risk-related oversight.

Effective ESG risk management can be achieved by the board using the recommendations in Table 1.

Table 1 ESG risk identification questionnaire

Boards need to be able to understand how to oversee ESG risks through their overall oversight of the risk identification, prioritization and mitigation processes using IT. Boards also need to understand how to adequately structure and disclose their ESG oversight to investors and other stakeholders through application of effective IT Governance (Ramani and Saltman 2019).

Since ICT becomes an increasingly important tool for maintaining the organizational resilience of enterprises, it is imperative that the level of corporate governance and the agenda of board meetings are in line with the ongoing changes in terms of the strategy and the improvement of the company’s competitiveness (Peregrine 2015) as well as ESG issues. The time between 2010 and 2015 demonstrated that security-related issues (cybersecurity, data confidentiality, etc.) remain the main information technology topics discussed by the boards of directors. A more proactive approach to examining the implications of technology adoption could provide more space in the activities of the board of directors for discussions about technology-related business opportunities and digitalization of the company as a whole (Deloitte 2017). To help companies define IT priorities, we list the most common topics in this area that can be included in the agenda of board meetings:

  • Use of new technologies;

  • Data security;

  • Mobile devices;

  • Data confidentiality and information security issues;

  • ICT-related capital and operating costs;

  • Emerging compliance issues;

  • Social media;

  • Cloud services and software rental;

  • Optimization of business processes with the help of digital tools (Cloyd 2013; CPA, n.d.).

At the same time, the list of priorities can expand and in any case should be determined depending on the needs of the enterprise and its development strategy.

Evolution of the BoD agenda drives changes in the company’s organizational structure. Many digitally mature enterprises at the operational level focus on having a Chief Digital Officer (McDonald and Rowssel-Jones 2012) or a Chief Information Officer in their organization, while at the strategic level they opt to set up dedicated BoD committees (e.g. FedEx, United Stationers, Procter & Gamble, etc.).

In its study, Spencer Stuart highlights that neither a single board member specializing in digital technology nor a chief digital officer is an efficient solution that could substitute for the remaining board members not being digitally savvy enough. The study argues that this approach of the board of directors to addressing digital challenges needs to change, given that the board members themselves often fail to fully understand which type of executive, possessing which skills and capabilities, they are looking for. In reality, many “digital” BoD members may not have the requisite board experience and fail to fit in, which, for one, would prevent them from contributing to the company’s business. This leads to the suggestion that in the digital age all board members should be digitally savvy to some extent and bear collective responsibility for the end result. This approach implies continuous training of BoD members, engagement of external experts for joint discussions, acquisition of interest in technology start-ups, etc. The same approach favors the establishment of advisory boards, e.g. to cover a broad range of matters related to digitalization. A case in point is the VTB Bank Shareholders Consultative Council that was set up in 2009. Experience shows that the most effective BoD members are those who are broad business thinkers able to influence and educate other BoD members on the impact of technology on the business as well as clearly articulate the ways that technological and digital advancements affect business strategy.

In this context, the role of board committees increases significantly. They are generally set up to look after a subject matter that requires special expertise beyond the scope of the board’s regular activities. As evidenced in practice, as a rule, the audit committee addresses ICT-related issues (CAQ 2018) (less frequently—the risk committee). Given the committee specifics, some issues like cybersecurity fit logically within its agenda. However, taking into account that with digital solutions it is not always possible to assess and mitigate potential risks, such a committee’s main focus may prove to be limited when it comes to a broader range of emerging technology-related topics including, inter alia, innovation and company competitiveness. One should recognize that in the digital age risks cannot always be forecasted, which may hinder the use of financial control methods. In addition, the audit committee is also prone to consider technological issues through the financial, operational and control frameworks and views technologies as an operational cost item rather than a tool to create strategic opportunities (McDonald 2013). This may also result in an excessive focus on technological risks (e.g. cyberrisks) and compliance-related issues.

Some companies (Procter & Gamble, Wal-Mart, FedEx, etc.) started creating board-level IT governance committees alongside their audit, remuneration and risk committees in the early 2000s. Composition of such a committee was traditionally a focus. The committee chairperson plays the pivotal role. It makes sense for the committee to be comprised of independent directors similarly to audit and remuneration committees. Understanding of not only the technology solutions that the company currently needs but also a general comprehension of the company’s goals and insight into the trends in the industry(-ies) that the company operates in is key for success. It makes sense for such a committee to cooperate with other board committees to shape and implement the company’s overall development strategy. In addition, it appears to be in the company’s best interest to have at least one member of each committee included in other committees (Nolan and McFarlan 2005).

The Bank of Russia recommends that boards of directors consider whether they need to create an IT committee. If they decide in favor, it is suggested that the committee be chaired by one of the BoD members who has relevant competences and experience. It is further suggested that the committee’s scope should include developing recommendations for the BoD in terms of approving IT strategy and policy, overseeing the arrangement of IT management processes, keeping up with and responding to evolving information technology (Bank of Russia 2019).

In the light of increased attention to ESG factors, the creation of ESG committees has become a significant tendency in corporate governance.

As such, the determination of whether the set of responsibilities for ESG risk oversight should be added to the agenda of an existing committee or incorporated in a more focused, newly created committee will depend on factors including the type and magnitude of issues, the terms of reference of the existing committees and the culture of the board. For example, the board of directors of Nike, Inc. formed a Corporate Responsibility and Sustainability Committee which includes in its Charter the following responsibility: “Review and provide guidance to management on sustainability issues and impacts, and the integration of sustainability into Nike’s business, including innovation, product design, manufacturing and sourcing, and operations” (Nike, n.d.). According to Bloomberg LP, in 2015, 123 S&P 500 companies had assigned responsibility for oversight of ESG/CSR to a board committee, up from 116 in the prior year (KPMG 2017).

It would be sensible to reflect the changes in the BoD agenda in the organizational structure of the company and BoD committees. However, in real world scenarios, dedicated committees, assisting the BoD to focus on a specific subject matter are established rather rarely (Bankewitz et al. 2016). According to the U.S. Technology Spencer Stuart Board Index 2019 research, only 8% of 200 surveyed major US technology companies have established a BoD committee on science and technology (Spencer Stuart 2019). It should be noted that establishing a BoD committee is not always the best practice that has to be followed by every company. It all depends on the specific company (industry, level of IT development in the company, etc.), and for some of them it may result in a waste of time and resources (Nolan and McFarlan 2005). Therefore, the issue of establishing a dedicated IT committee needs extensive advance consideration (McDonald and Rowssel-Jones 2012).

4 Conclusions

The ongoing digital transformation gives rise to new and diverse business challenges. A company’s BoD and management could delegate or ignore ICT and ESG decision-making in the past, but now in many sectors of the economy this behavior would undermine strategic business development, since for many companies ICT and environment protection have turned into a tool for survival and growth. At the same time, ICT governance, being a part of corporate governance, is becoming more and more important for their functioning, since it helps them achieve their strategic objectives, while incorporation of ESG principles becomes a necessary tool for attracting investors and protecting corporate image and market value. This is reflected both in organizational changes and in the evolving BoD meeting agenda.

BoD members’ capability to raise the “right” questions and find systemic solutions is taking an important role in improving the efficiency of ICT governance and adherence to ESG principles by the BoD. What needs to be understood is that efficient ICT governance in one entity is not a guarantee of the same result in another. It depends on a multitude of factors to be taken into account when developing and taking on board existing models, structures and standards for governance. Thus, ICT governance and the application of ESG principles, as one of the most important tasks for the BoD and management today, require them to follow a systemic ICT governance procedure based on the specific features of their company and its development strategy.