Straighten Up and Fly Right: IT Risk Governance for Non-Techie Directors


Virginia Gambale

Jet Blue Director Virginia Gambale heard the news about the airline’s fed-up flight attendant—the one who exited the plane via the emergency slide, cursing passengers as he touched down on the tarmac—well before some of the company’s senior executives. Social-media-savvy Virginia uses a web tool to track all mentions of the companies on whose boards she sits, and as soon as someone tweeted news of the incident, she was on it.

Virginia, a former CIO with Merrill Lynch and Bankers Trust, shared the story at NACD’s Director Professionalism®—The Master Class, held this week in Clearwater, FL. She was one of a number of dedicated NACD members honing her board leadership skills and using peer expertise to identify and explore innovative solutions to persistent and emerging challenges.

Virginia urged her peers with non-IT backgrounds to become more involved in oversight of the company’s technology strategy. “Ask questions,” she said. “If people tell you that deadlines are being missed, that delivery of services isn’t possible, or that it’s just too complicated to get something done, then you don’t have the right strategy and you may need to change your CIO. Ask the CIO to talk about allocation of resources and find out how the dollars are spent between maintenance and innovation. You can make the same judgments as you would on any other area of the business.”

“Ask ‘What is our model for technology leadership?’” advises Virginia, and ask to be walked through the governance model and strategy for partners and communications with customers. “Read the company culture: Is IT a partner or service provider? How closely integrated is it with your lines of business? What, why and where are you outsourcing, and what effect is that having on your risk? Virtual roads and highways need to be maintained, but you can outsource a lot of this and pay only for what you use,” she said.

Virginia urges boards to make sure they have at least one person charged with asking these and other questions. “It can be helpful to have a technology and operations sub-committee sitting under audit or risk,” she recommends, especially if the company needs to find a new CIO. Failing this, the board should consider hiring an outside consultant.

“Security breaches, brand tarnish, information leaks or, at worst, a death can do your company real harm,” said the director who joined the Jet Blue board around the time of the Valentine’s Day “Ice Incident.” And, she added, “You can’t risk disintermediation—the business boneyard is filled with companies where the strategists at board and C-suite level failed to ask the right questions and fooled themselves for too long.”

“Today, every man, woman and child has access to instant information,” she reminded the group. “Use social media intelligently—it can supply you with useful information about what your customers think. And remember, if a mind created it, a mind can break it. Be mindful of the need for ongoing vigilance and sound practice in information security.”

Other directors sharing their expertise with peers attending NACD’s Master Class included Office Depot Compensation Chairman Rear Admiral (Retired) Marty Evans; Winn Dixie Director Charlie Garcia, who discussed the implications of America’s growing Hispanic population for board composition; and Major General (Retired) Hawthorne “Peet” Proctor, who spoke about the characteristics of exemplary board leadership.

To learn more about NACD’s Director Professionalism-The Master Class in 2011, click here. Already attended the Master Class? Contact fellowships@NACDonline.org to find out how you can become a 2011 NACD Board Leadership Fellow.

2 Comments

  • jn miller says:

    Re: NACD’s Liz Barron’s 12/13/10 posting of Jet Blue director V. Gambale’s action (Flight attendant/passenger incident).

    The lead in for the story implies we will hear about the action taken by director Gambale and not HOW she obtained the information. Kudos for her preparation to FIND OUT about incidents – however, I would be interested in what she DID with the information at the Board level as implied by the Barron posting which provided nothing in that regard. (Sorry if I missed a “go to” link to that key part of the story)

    i.e. You got my attention with the lead-in to the story but did not provide the story – only that the director had the information. As Paul Harvey would have said, “And now here’s the rest of the story”. I’m sure it would have been interesting reading.

  • A good proactive approach of getting relevant information through social media websites / Twitter.

    I have observed some Board members create public profiles on Twitter in order to respond to any negative & inaccurate information Tweeted. A bold step but nevertheless the tweeting community takes it as Investor confidence and transparency on behalf of the Board.

    Another phenomenon is the creation of media departments responding to Reputational Risk matters being tweeted about the organization.

    My prediction for next year: it’s only going to get more visible and something the Board needs to discuss and plan.