There is a saying that a week is a long time in politics. Well, the rate of change in the business world is becoming almost as challenging, and many corporate boards are not keeping up. According to the Oliver Wyman study, the largest 500 U.S. companies lose in excess of $14 billion a year because of failed technology projects. And this does not include the massive financial and reputational damage done through breaches of security systems or data loss. With such significant value at stake, it is concerning to learn that nearly half of board members do not have confidence in their company’s ability to provide IT risk oversight. Put simply, many boards are unable to provide much-needed governance and oversight in this important area.
Managing the risks associated with technology has always been a management prerogative. As technology becomes more intertwined with the corporate entity and business strategy, boards have had to step in and provide greater oversight of the various systems and implementations. This, however, presents a challenge to our boardroom directors. In a recent survey conducted by the NACD, in conjunction with Oliver Wyman, it was found that 46% of respondents were not satisfied with the ability of their board to provide IT risk oversight. The survey also indicated one major reason for this deficiency: there is insufficient IT expertise at the board level.
Unsurprisingly, 38% of survey respondents indicated that the most effective approach to improving board IT risk oversight was to increase the frequency and detail of communications about IT from management. There is obviously some room for improvement and directors believe information management is the right place to begin.
The many aspects of technology can quickly become overwhelming and confusing. Management and boards need an organized method to convey each aspect in a meaningful and effective way. One such method is the Framework for IT Risk developed by Oliver Wyman. The Framework divides the aspects of IT risk into four categories: competitive risks, execution risks, portfolio risks, and service & security risks. Each category has a defined arena of issues with ways to present information.
NACD and Oliver Wyman recently released a white paper addressing the Framework and its application in the boardroom. The white paper highlights many of the issues and red flags boards should look for when considering IT risk.
Technology is not only changing the way we do business but the way we talk about it too. Boards and management need a common language to effectively run their IT systems. A focus on information and its effective presentation will start to remove those communication barriers.