Information technology (IT) and data play important roles in driving business nowadays. It can help companies respond better to social changes and evolving business environment. That is why it becomes crucial matter being discussed by the Board.

However, IT and data do not only bring about opportunities but also new form of risks that businesses have never encountered before. They also lead to the development of corporate governance principles as well as new laws and regulations.

Therefore, understanding principles, guidelines, and roles of the Board concerning IT and data governance would help the Board establish clear governance direction to ensure IT and data management and eventually, generate utmost benefit to stakeholders and the enterprise.

This guideline comprises two sections including 1. Key Principles and 2. Practice Guidelines.

Key Principles:

1. The Board should have knowledge and understanding about information technology (IT) and data as well as recognize their significance in value creation and the achievement of enterprise success. It should also encourage the management to apply IT and data in operations and innovation development as well as business opportunity enhancement to support enterprise strategies, goals, and sustainable growth.

2. The Board should set IT governance policy framework that aligns with enterprise strategies and goals.  The policy framework should cover the application of IT and data for value creation, IT risk management, system and data security, and IT resource allocation and management.

3. The Board should review Board Composition to ensure appropriateness in performing duties concerning the determination of IT governance direction.

4. The Board should identify accountable persons and responsible persons for IT operations and ensure the organizational structure matches IT objectives and aligns with three lines of defense mechanism.

5. The Board should ensure existence of participation, communication, and reporting processes that accommodate stakeholder participation and delivery of essential and necessary information that is accurate, complete, and in timely manner.

6. The Board should determine IT strategy that supports and aligns with enterprise strategy by considering roles and priorities of IT as well as external and internal factors.

7. The Board should ensure that data can effectively support value creation and enterprise strategy while stakeholders are taken into account by establishing processes to control and manage data life cycle, data quality, data security, and data privacy.

8. The Board should ensure IT risk management is part of and in alignment with enterprise risk management.  It should also set appropriate IT risk appetite that does not exceed the enterprise level.

9. The Board should put in place cybersecurity plan that aligns with IT risks so that the enterprise can properly protect and tackle cyber threats.

10. The Board should see that IT resource allocation and management align with enterprise strategy and requirements to ensure sufficient and appropriate resources for present and future operations.

11. The Board should drive organizational culture that recognize the significance of IT and data, risk management, and system and data security to enterprise success and achievement of enterprise goals which will accommodate successful IT operations.

12. The Board should regularly monitor and evaluate performance of IT operations.

13. The Board should arrange IT audit to ensure IT governance and management are effective and comply with laws, regulations, and industry standard.

14. The Board should regularly review IT governance and management policies to ensure alignment with enterprise strategy, effective operation framework, and achievement of value creation target.

 For full "Guideline on Board's Role in IT and Data Governance " please download below