What is IT Governance and Why Does Your Board Need It?
Most boards approve technology budgets without any framework for overseeing how that investment is managed. Here's why that's a governance failure — and how to fix it.

The Gap Most Boards Don't Know They Have
Ask a board chair to describe their organisation's IT governance framework and you'll often get one of two responses: a blank look, or a confident reference to the IT budget approval process. Neither is IT governance.
Technology now underpins almost every function of modern organisations — service delivery, data management, financial systems, communications, and increasingly, client-facing platforms. In the not-for-profit and local government sectors, it also underpins compliance obligations, funding acquittals, and the privacy of vulnerable people's data.
Yet the majority of boards in these sectors have no structured mechanism for overseeing how technology investments are made, managed, or measured. That's not a technology problem. It's a governance problem.
What IT Governance Actually Means
IT governance is the framework through which a board ensures that technology investments align with organisational strategy, are managed responsibly, and deliver measurable value.
It is not the same as IT management — that's the CEO and CIO's job. IT governance is the board's responsibility to ask the right questions, set the right expectations, and hold leadership accountable for outcomes.
A mature IT governance framework covers four domains:
Strategic alignment — Are technology decisions driven by organisational strategy, or are they driven by vendor relationships and legacy systems?
Value delivery — Are technology investments delivering the outcomes they were funded to achieve? How do we know?
Risk management — What are our technology risks (cybersecurity, data privacy, system failure, vendor dependency) and how are they being managed?
Performance measurement — What metrics are we using to evaluate technology performance, and are they reported to the board in a meaningful way?
Why Most Boards Are Flying Blind
The absence of IT governance in many organisations is not a reflection of negligence — it's a reflection of how the sector has evolved. Technology was once a back-office function. Boards delegated it entirely to management, and that was broadly appropriate when the stakes were low.
The stakes are no longer low.
Cybersecurity incidents are now the most common cause of significant operational disruption for Australian NFPs and local councils. The Office of the Australian Information Commissioner (OAIC) reported a 19% increase in data breach notifications in the 2023–24 financial year, with health and government sectors among the most affected.
At the same time, digital transformation programs — cloud migrations, new CRM platforms, AI-assisted service delivery — are consuming significant portions of organisational budgets with inconsistent governance oversight.
Boards that don't have a structured approach to IT oversight are not just leaving value on the table. They are carrying unquantified risk.
The Five Questions Every Board Should Be Asking
You don't need to be a technologist to govern technology well. You need to ask the right questions and expect credible answers.
1. Does our technology strategy align with our organisational strategy? If your organisation is focused on expanding community services, does your technology roadmap support that? Or is it focused on maintaining legacy systems that management is reluctant to replace?
2. What are our top three technology risks, and how are they being managed? This should be a standing agenda item. If your CEO or CIO cannot answer this clearly and concisely, that is itself a governance finding.
3. What did we spend on technology last year, and what did we get for it? Budget approval is not the same as value oversight. Boards should expect a plain-language summary of outcomes against investment — not just a list of projects completed.
4. Are we meeting our data privacy and cybersecurity obligations? This includes compliance with the Privacy Act, the Notifiable Data Breaches scheme, and any sector-specific obligations (NDIS, aged care, health). Boards carry personal liability exposure here.
5. Do we have a plan for AI? Artificial intelligence tools are already being used by staff in most organisations, whether or not the board has approved them. A governance framework for AI adoption — covering risk, ethics, and accountability — is no longer optional.
What Good IT Governance Looks Like in Practice
Effective IT governance doesn't require a dedicated technology committee (though that can help in larger organisations). It requires three things:
A board-level technology risk register — maintained by management, reviewed by the board at least annually, and updated whenever a significant technology decision is made.
A technology report to the board — a standing item at each board meeting covering the top risks, any incidents, and progress against the technology roadmap. It should be written for a non-technical audience.
An independent technology review — conducted every two to three years by an external specialist, assessing the organisation's technology maturity, risk exposure, and strategic alignment. This is the IT governance equivalent of an external audit.
For organisations that don't have internal CIO-level capability, engaging an experienced external IT governance advisor on a part-time or project basis is a cost-effective way to close the gap.
A Note on AI Governance
Artificial intelligence deserves special mention because it is moving faster than most governance frameworks can accommodate.
The Australian Government's voluntary AI Ethics Framework and the emerging mandatory guardrails for high-risk AI applications are creating a new layer of board responsibility. Organisations that are using AI tools — even commercially available tools like Microsoft Copilot or ChatGPT — need to understand the data privacy implications, the potential for bias in automated decisions, and their obligations under the Privacy Act.
Boards that are not asking questions about AI are not fulfilling their governance responsibilities in 2026. This is not a future concern. It is a present one.
How Signal & Strategy Can Help
Warren Read-Zorn brings 25 years of technology leadership experience across some of Australia's most complex operating environments — the National Disability Insurance Agency, Qantas, Transit Systems, and CIMIC Group. He has designed and implemented IT governance frameworks for large government agencies and private sector organisations, and provides board-level IT governance advisory services through Signal & Strategy.
Our IT governance services include:
- Independent IT governance reviews and maturity assessments
- Board technology risk register development
- CIO advisory services (part-time or project-based)
- Digital transformation governance
- AI governance framework development
- Cybersecurity governance and risk oversight
If your board is not confident it has adequate oversight of technology risk, or if you are about to make a significant technology investment, we would welcome a conversation.
Signal & Strategy provides independent IT governance advisory services for boards, NFPs, and government organisations across Australia. Contact us to discuss how Warren Read-Zorn can support your board's technology oversight.
