Information technology is a fast-paced environment, and most directors are playing a game of catch-up. In the past, technology was reserved for providers, such as Apple or Microsoft, or Internet leaders, such as Google or Amazon. Today, every business relies on technology for a constantly evolving list of uses, from increasing operational efficiency to social media. As expected, this increased reliance on technology entails a higher risk profile, evidenced in security breaches or system malfunctions. Despite these increased risks, recent studies have found that many boards need to refocus how they view information technology (IT).
NACD and Oliver Wyman’s Global Risk Center recently conducted a study to address the issue of IT risk oversight titled Taming Information Technology Risk. According to the survey, nearly half (47%) of directors are dissatisfied with their board’s ability to provide IT risk oversight. Almost a third of directors believed failure to properly provide IT risk oversight stemmed from insufficient expertise at the board level.
A substantial number of corporate boards feel they have not yet met the level of oversight the topic requires. A recent report from the Deloitte Center for Corporate Governance found that while directors should examine IT projects with the same level of scrutiny as any other major capital expenditure, this is rarely the case. The same report also recommended that boards add “tech-savvy directors” who can provide the board with expert oversight.
While not every board member will be an expert in IT, all directors should be well versed in the subject and able to discuss IT risk oversight in relation to their company’s strategic planning. Taming Information Technology Risk provides six questions that should be on every board’s agenda:
- How do you determine the strategic importance of IT to the business?
- How do you evaluate the evolving IT capabilities of competitors that could threaten our industry position?
- How do you allocate dollars across the portfolio of IT investments to ensure an efficient risk return?
- What trade-offs are you making in managing the IT portfolio?
- How are you effectively executing major IT programs?
- How do you ensure that a breadth of best practice capabilities and processes are in place to protect the firm from operational and security risks—both now and in the future?
The six questions above provide a foundation for what boards should ask regarding technology-related decisions. Directors should also consider the ways technology touches their specific company when scrutinizing IT projects. Asking the right questions, however, will only get boards halfway to the finish line. Understanding what constitutes an acceptable answer is just as critical.