[By David Walker] There can be no doubt that technology has changed our lives and the way in which business operates.

In early commercial society, one person owned and operated their business and did whatever was necessary to run that business.

With the passage of time, businesses have become larger and more sophisticated and their owners have employed others to manage them. This has evolved to the stage where fundamental aspects of businesses are often outsourced or subcontracted to third-party service providers.

Though these arrangements often result in efficiencies and cost savings, they also pose considerable risk. This is particularly evident in contracts that deal with the development, maintenance or outsourcing of IT systems.

Most reasonably sized companies are fundamentally dependent on IT for key functions, including procurement, sales, orders, stock control, invoicing and payroll. When these IT systems fail, crisis ensues.

Despite this, a significant percentage of companies outsource or subcontract the development and maintenance of these IT systems to independent third parties, without fully considering the inherent risks.

These arrangements are normally governed by complex agreements that contain sophisticated service levels and penalties. Though there is significant merit in these arrangements, they result in a reliance on third parties for services that are critical to the success of a business. These arrangements therefore give rise to significant business risk and need to be very carefully managed.

SA’s King Committee on Corporate Governance acknowledges the fundamental impact of IT systems. The upcoming King 3 codes on corporate governance state that although a board should delegate to management the implementation of an IT governance framework, the board must be responsible for IT governance and must monitor and evaluate all significant IT projects.

In fact, King 3 goes so far as to state that IT must form an integral part of a company’s sustainability and risk management strategies and processes.

It is therefore imperative that companies give proper attention to their IT arrangements and the agreements that govern them. It is not sufficient for board members to rely on IT managers to fulfil this role.

Though software development agreements contain detailed specifications and acceptance criteria, the very nature of these agreements implies that it is difficult for the company or the service provider to know exactly what the final IT system will “look like” before work begins. These agreements are therefore inherently risky from the perspective of the company that is engaging the software developer.

Many companies adopt a “tick-the-box” approach to these contracts, in the sense that they check very carefully to ensure that the legal agreements contain appropriate clauses regarding the availability of key resources, intellectual property ownership, and so on. However, experience has shown that a substantial proportion of these transactions “go wrong”, in relation to there being significant cost overruns, migration or integration failures and delays in completion.

Once a company has decided to contract a third party to develop software or perform a key IT function on an outsource basis, it should understand that it is entering into an inherently risky contract.

Even if a software developer is required to document fully all development and make all documented source code available, this is often cold comfort if a dispute arises and the software developer or outsource service provider is unable or unwilling to continue to provide the service, or even to assist with a transition period.

Companies frequently find themselves in a situation where they are required to accept substantial project cost increases and delays, or terminate an IT project and begin again. Though the company could have a damages claim, this is difficult to enforce and it is of little help when the business is in a crisis situation.

It is therefore important for companies to evaluate the track record of any outsource partners or software developers at an early stage. Thereafter, any significant IT projects must be properly evaluated, documented and managed on an ongoing basis.

As part of the evaluation process, companies should have contingency plans in place to ensure that their businesses are not substantially prejudiced if things “go wrong”. Though this may appear to be a negative approach, one should bear in mind that a significant proportion of these arrangements do in fact “go wrong”.

One must therefore consider the worst-case scenario before embarking on any significant IT project.

Once appropriate contracts have been negotiated, senior representatives of the company should ensure that they are aware of all significant progress — or lack thereof. Though it is imperative to involve IT departments in these processes, it is equally important for senior managers and directors to be fully involved.

Directors should be aware that it is not sufficient for them to rely on IT departments for the management of these arrangements. If the IT arrangement in question results in a significant aspect of a business being outsourced, or the development of software on which a company will be fundamentally reliant, directors should be fully involved in the selection and evaluation of the contractor.

They should also conduct appropriate due diligence on that contractor and be involved in the management of the relationship. If this is not done, and the company suffers a loss as a result, directors could face personal liability under the Companies Act.

This act states that a director must, as part of complying with their duty to the company, make sure they are reasonably informed and that there is a rational basis for believing that each decision is in the best interests of the company.

Directors must ensure that they have access to all relevant facts, and make all reasonable enquiries, in respect of each significant IT project. If they do not, they run significant business risk, as well as the risk of personal liability under the Companies Act.