Developing an Effective IT Steering Committee
As your institution navigates the changing world of IT, you need a strategy to ensure effective IT management and a secure, compliant environment. A holistic strategy to strengthen your cybersecurity posture, plan for future needs and ensure alignment to your institution’s goals should include the creation of an IT Steering Committee.
What is an IT Steering Committee?
Providing strategic direction for IT-related projects, an IT Steering Committee is a group of high-level stakeholders who are tasked with establishing an institution’s IT priorities, as well as a governance framework to support these projects and initiatives. According to the Federal Financial Institutions Examination Council (FFIEC), many boards of directors elect to delegate the responsibility to monitor IT activities and progress to such a committee. Your committee should be empowered to “steer” IT to successful outcomes and ensure alignment with your business objectives.
An IT Steering Committee adds value by clearing hindrances from the pathway to success for the achievement of IT-related business objectives while ensuring initiatives remain on track and aligned with their original intent. This function often requires decisive action as the committee works to identify and mitigate issues before the project encounters trouble or suffers meaningful setbacks. However, many IT Steering Committees lack effectiveness because they fail to realize this critical function, or they are not empowered or prepared to embrace this role.
It is crucial that the board of directors, senior leadership and committee members understand that steering is not managing. While managing is a matter of overseeing the execution of specific jobs, steering determines the job. Therefore, your IT Steering Committee is more closely related to your institution’s overall IT strategy and vision.
Learn more about how IT governance strengthens your IT and information security strategies by downloading our white paper.
IT Steering Committee Charter and Composition
Many of the challenges that prevent a committee’s success can be avoided through implementation of a strong IT Steering Committee charter. Your charter should specify the mission and provide guidance on the organization and operation of your committee.
A strong charter and clear understanding of the roles and responsibilities of the committee and its members is foundational to maintaining an effective IT Steering Committee. A formal charter will also serve as a mechanism to improve productivity, save time, minimize conflict and set expectations.
As you consider your committee’s composition, keep in mind that your IT Steering Committee should be representative of the institution, and such representation should extend to all stakeholders. But this does not mean that the committee should be so large that it becomes dysfunctional.
The most important consideration when selecting members for your committee is that various areas of the institution are adequately represented and have a voice. The cross-functional makeup of the IT Steering Committee membership makes the committee well-suited for balancing and aligning your IT investment and the achievement of your strategic business objectives.
Role of the Board of Directors
While the board is not responsible for day-to-day management activities, it should set the tone for your institution’s use of IT and hold the committee and senior management accountable. The board’s role is oversight, and the IT Steering Committee helps facilitate this oversight via committee minutes, other reports, and presentations delivered to the board.
Effective communication and reporting should inform the board’s decisions, especially as it relates to approving the strategic plan, information security program and other IT-related policies. Execution and management of such policies should fall to the senior leadership.
To effectively carry out their responsibilities, the board should understand IT activities and risks by performing the following:
- Approve an IT strategic plan: The board should review and approve an IT strategic plan that aligns with the overall business strategy and includes an information security strategy to protect the institution from evolving cybersecurity threats. By partnering with industry experts for IT governance services, your institution will receive guidance on this alignment after an extensive review of your business strategy.
- Promote effective IT governance: One of the primary roles of an IT Steering Committee is to promote effective IT governance for your institution. In this aspect, the Steering Committee serves as an agent on behalf of the board to drive implementation of strategy and provide insight to the board as to the progress and challenges faced by the institution concerning IT.
- Oversee processes of third parties: The board should also oversee processes for approving your institution’s third-party providers, including the third parties’ financial condition, business resilience and IT security posture.
- Receive critical IT-related updates: The board may need to approve certain projects and activities, which makes oversight of updates on major IT-related projects, budgets and overall performance critical. While this does not imply the board should attend IT Steering Committee meetings or become IT experts, it is a matter of clear communication about such topics from the committee. It is the responsibility of senior management and the IT Steering Committee chair to ensure the board is adequately informed, and it is up to the board to ask questions or seek clarification on anything unclear to them.
- Monitor the allocation of IT resources: Just as it approves the overall budget, it is the board’s responsibility to guarantee that adequate resources within the budget are allocated to fulfill the mission of IT and meet the strategic objectives outlined in the IT strategy. This ultimately helps support the broader strategic business objectives of the institution.
- Review reporting policies: In a well-choreographed and collaborative effort, the IT Steering Committee should work with other relevant committees within the institution, such as the Audit Committee and Incident Response Team, to ensure policies are approved and to escalate and appropriately report significant security incidents to the board, government agencies and law enforcement.
- Hold management accountable: Senior management should be intricately involved in the leadership of the IT Steering Committee and must be held accountable for identifying, communicating, measuring and mitigating IT risks.
- Provide audit coverage of IT controls: The board should provide for independent, comprehensive and effective audit coverage of IT controls. Since independent audits and exams are singular events, it is critical that institutions engage where appropriate with independent consultants and other experts, taking a proactive stance concerning the application of control and risk mitigation.
Benefitting from an Effective IT Steering Committee
Creating an IT Steering Committee should not be another box for your institution to check, but rather a fully involved entity that works with your board to guide IT initiatives to success. If your institution views IT as simply a cost center, you will not have an effective committee, and it will become increasingly tricky to establish alignment with FFIEC guidance—especially as regulators begin placing greater weight on the activities of steering committees.
Without an effective committee, achieving strategic business alignment will be all but impossible.
Download our white paper—Your Institution’s Guide to IT Governance—for insight into the benefits IT governance delivers to financial institutions.
Steven Ward leads the Strategic Business Consulting Team for CSI Advisory Services. In his role, he sees and analyzes the alignment of IT with business strategy and security needs for financial institutions across the nation. An experienced financial services executive, Steven brings his expertise to CSI clients and regularly speaks on information security, cybersecurity, IT and IT audit and business and IT strategy topics.