Archive for the ‘Risk Management’ Category

Cybersecurity – Improvements Needed in the Boardroom

January 30th, 2014 | By

Cybersecurity is undoubtedly a critical aspect of board oversight, yet an overwhelming majority of directors rate both their own and their board’s knowledge of IT risk as “in need of improvement.” More than three quarters of directors believe their personal IT knowledge could use a boost, and nearly 90 percent believe the same of their board’s IT knowledge. A lack of cyber knowledge at the board level can lead to overreliance on C-suite experts and leave directors unable to judge what level of involvement is appropriate.

Recognizing the disconnect between the need for effective cybersecurity oversight and the boardroom’s lack of IT acumen, NACD, supported by Protiviti and Dentons, convened three roundtable discussions that brought together directors, executives, and cybersecurity experts. These meetings provided insight into the numerous and significant risks that cybersecurity presents, and the experts pinpointed deficiencies in how boards respond to threats as well as possible solutions. Key statements from participants prompted NACD, Protiviti, and Dentons to address issues demanding director attention and action:

  • Boardroom cyber literacy: “Cyber literacy can be considered similar to financial literacy. Not everyone on the board is an auditor, but everyone should be able to read a financial statement and understand the financial language of business.”
  • Identifying high-value information targets: “Do not just harden the perimeter, because hackers will get in. Accept that they can get in, and then design the strategy with the assumption they are already ‘inside.’”
  • Formulating detection and response plans: “When your company is hacked, do not start spending money like a drunken sailor.”
  • The human factor: “People are the constant weakness. Cybersecurity is a human issue. Often the biggest problems are caused by an inadvertent actor.”

Cybersecurity: Boardroom Implications contains information on these issues and more, including questions directors can ask when planning for a breach and when a breach is discovered. A complimentary copy of the report is available.

What I Wish the Board Knew: CIOs Speak

October 25th, 2013 | By

The best CIOs don’t just support the business; they use technology to drive value within it. In this session, CIOs and directors spoke about the ideal role that IT can play: not simply supporting strategy but actually driving innovation. In a world of rapidly changing technology, business processes must be fully integrated with IT across all business units so that capabilities can be delivered most efficiently. IT is therefore becoming a top priority for boards, and boards recognize that they need to better understand IT risks. The CIO can help educate directors about how business and IT are linked.

1. Today, an effective CIO is one who understands how technology can provide a competitive advantage. An emerging trend is for companies to establish the role of chief digital officer; some, but not all, existing CIOs will be able to perform this role.

2. Companies recognize that traditional service models are changing in today’s interconnected world. Leading companies are focusing on building a holistic customer experience from start to finish through technology. It is important for senior management to work closely with the CIO and other technology leaders to understand how technology can be used to drive strategic goals and stay ahead of the competition.

3. Directors should be discussing with management how the company compares to “best in class” digital competitors, and whether it is doing enough to impact the top- and bottom-line results. In addition, they should discuss IT’s role in helping to foster innovation.

Speaker quote: “Technology is the great equalizer but it is also the great differentiator.”

F. Thaddeus Arroyo

Tamra Hall
Vice President and Executive Partner, Gartner Executive Programs

Virginia Gambale
Director, JetBlue; Managing Partner, Azimuth Partners LLC

This summary provided by PricewaterhouseCoopers.

Supply Chain Management: Risk-Based Due Diligence

October 25th, 2013 | By

Today, more companies are using third-party suppliers. Does using them make your company more or less exposed to compliance failures and brand or reputational damage? The recent increase in corruption investigations and indictments of companies that used third parties suggests that the answer is more. This panel discussed the risks associated with third parties and addressed questions that boards and companies should consider. Is placing trust in the hands of a third party a risk that companies must take to do business in today’s global economy? Or can a company effectively and significantly reduce this exposure through a risk-based due diligence process, coupled with contractual protections, oversight, training, and other means?

1. As globalization increases, so does the use of third parties in company supply chains. A recent survey by NAVEX Global showed that 45 percent of respondents are experiencing problems with third parties, problems that could cause brand damage to the companies. Nevertheless, 25 percent of respondents plan to increase their use of third parties in the coming months.

2. It’s incumbent on boards to know who is managing supply chain risk and where the high-risk links exist. A working knowledge of the company’s full export and import supply details is also paramount.

3. A risk assessment of the supply chain is an important element of third-party review. Boards should ensure a crisis audit plan exists for the supply chain and ask whether a crisis drill has actually been executed.

Andrea Bonime-Blanc
CEO and Founder, GEC Risk Advisory LLC

Randy Stephens
Vice President, NAVEX Global

Carl C. Straub Jr.
Vice President and General Counsel, FLIR Commercial Systems Inc.

This summary provided by PricewaterhouseCoopers.