Booklet: Management
Section: Roles and Responsibilities
Subsection: IT Roles
BOARD OF DIRECTORS / STEERING COMMITTEE
The board of directors should approve IT plans, policies, and major expenditures.
To carry out their responsibilities, board members should be familiar
with information technology and data center concepts and activities.
Many boards of directors choose to delegate the responsibility for monitoring
IT activities to a senior management committee or IT steering committee.
The IT steering committee’s mission should be to assist the board
in overseeing IT-related activities. The committee should consist of representatives
from senior management, the IT department, and major end-user departments.
Members do not have to be department heads, but should know IT department
policies, practices, and procedures. Each member should have the authority
to make decisions within the group for his/her respective areas. Risk
management staff should participate in an advisory capacity. See Risk
Management Functions on page 9 for more information.
The committee should regularly report to the board on the status of major
IT projects or issues. In addition, the committee should ensure the board
has adequate information to make informed decisions about IT operations.
The board should define the responsibilities of the IT steering committee
within a committee charter.
The steering committee should provide general reviews for the board regarding
major IT projects. The overview the committee provides enables the board
to make decisions without becoming involved in routine operations. The
committee helps to ensure business alignment, effective strategic IT planning
and oversight of IT performance. The committee may also:
- Oversee the development and maintenance of the IT strategic plan;
- Approve vendors used by the organization and monitor their financial condition;
- Approve and monitor major projects, IT budgets, priorities, standards, procedures,
  and overall IT performance;
- Coordinate priorities between the IT department and user departments; and
- Review the adequacy and allocation of IT resources in terms of funding, personnel,
  equipment, and service levels.
The steering committee should receive the appropriate management information
from IT departments, user departments, and audit to coordinate and monitor
the institution’s IT resources effectively. The committee should
monitor performance and institute appropriate action to achieve desired
results. The committee should also maintain formal minutes of its meetings
to document its decisions and inform the board of directors of its activities.
CHIEF INFORMATION OFFICER / CHIEF TECHNOLOGY OFFICER
Senior management should ensure IT systems meet the needs of the organization.
Management should also ensure the institution complies with board policies
and the board’s strategic plan regarding acquisition or development
of IT systems. The senior IT manager or Chief Information Officer (CIO)
is responsible for the key IT initiatives of a company. The CIO focuses
on strategic issues and the overall effectiveness of the IT organization.
This position typically oversees the IT budget and maintains responsibility
for performance management, IT acquisition oversight, professional development,
and training. In addition, the CIO is responsible for a company’s
IT architecture and strategic and capital planning. The CIO should be
a member of executive management with direct involvement in key decisions
for the company and usually reports directly to the CEO. The CIO should
play a key role in strategic technology planning as well as in supporting
the activities of peers in various lines of business. The position often has
a leadership role on the IT steering committee.
Some institutions hire a Chief Technology Officer (CTO) to more narrowly
focus on tactical issues and the efficiency of the IT organization. The
CTO should report to the CIO. The CTO is responsible for understanding
the evolution of current technology and how to maximize the value of institution
investments in technology. Many institutions combine the roles of CIO
and CTO due to their complementary roles.
IT LINE MANAGEMENT
IT line managers supervise the resources and activities of a specific
IT function, department, or subsidiary. They typically coordinate services
between the data processing area and other user departments. They report
to senior IT management on the plans, projects, and performance of their
specific systems or departments. Some IT functions that often rely on
line managers include data center operations, network services, application
development, systems administration, telecommunications, and customer
support. Front-line managers coordinate the daily activities, monitor
current production, ensure adherence to established schedules, and enforce
corporate policies and controls in their areas.
BUSINESS UNIT MANAGEMENT
Managers in the institution’s various business lines also have IT
responsibilities. Examples of these responsibilities include:
- Establishing processes for ongoing communication of business needs and strategy;
- Determining MIS needs and product development plans and communicating them to
  IT support or line management;
- Establishing processes to test compliance with IT-related control policies within
  the business unit;
- Ensuring IT development efforts are prioritized/funded and aligned with business
  continuity planning within the business unit;
- Ensuring that required backup IT resources are available; and
- Ensuring that participation in testing processes is ongoing.
The specific roles of IT and business unit management, with respect to technology,
may vary depending upon the institution’s approach to risk management
and policy enforcement. Institutions can approach technology management
from either a centralized or a decentralized strategy.
In a centralized IT environment, IT management typically acquires, installs,
and maintains technology for the entire organization. They have a much
greater ability to control and monitor the organization’s technology
investment. A centralized approach promotes greater operational efficiencies.
The business line managers retain the responsibility for enforcing internal
controls within their area.
In a decentralized IT environment, IT management only has an advisory
role in some departments’ acquisition, installation, and maintenance
of technology. The decentralized approach is most prevalent in complex
institutions where it can expedite the availability of IT services by
transferring decision-making authority to strategically significant departments.
Business line management has a much greater responsibility for ensuring
technology investments are consistent with organization-wide strategic
plans. Companies need to ensure system compatibility and the enforcement
of organization-wide policies in a decentralized environment. IT management
should still have a role in defining the organization’s control
requirements, but enforcement is more difficult.