TechTalk Blog: Elevating Technology Governance to Board Level: Managing Material Risks

By Brad Monterio posted 04-01-2015 11:05 AM

  

Recent Wall Street Journal blog posts are highlighting the board-level attention that technology and material risks, such as cyber security, are garnering. In her March 27th WSJ blog, “Corporate Boards and CIOs are Seeing a Lot More of Each Other,” Kim Nash points out that boards are waking up to the scary realities of technology risks to the companies they oversee. Boards are asking CIOs for less jargon and more plain-language explanation of material risks, strategy and resource needs around technology within the organization. In some cases, technology committees are being formed at the board level to put these risks front and center. This is an interesting new trend in corporate governance. However, a mere 5% of public companies now have technology committees on their boards, as cited by Nash. Has your organization formed a technology committee at the board level?

Nash goes on to cite recent research from the National Association of Corporate Directors (NACD) that indicates 40% of boards do not feel they receive adequate disclosure about technology within the organization. Hmmm, ‘you can’t manage what you can’t measure’ comes to mind when thinking about risks posed by technology. For board governance to be possible, let alone effective, boards need relevant, timely and meaningful information about how, where and why technology is used, descriptions of the controls and monitoring systems in place, an understanding of how the people and processes fit with the technology, and a risk assessment of the gaps and vulnerabilities surrounding technology.

Nash authored another blog the day prior, “Morgan Stanley Pushes Emerging Area of Tech Governance,” in which she points out an interesting paradigm – although only a small number of boards currently have technology committees tasked with oversight of technology risks, most companies today rely heavily on business models that use a wide variety of technologies for advanced analytics, CRM, ERP, ERM, sales management, accounting and finance, reporting and the list goes on and on. Seems to me that there are significant potential gaps and vulnerabilities to the typical business today due to the commonplace use of technology. Yet most companies do not seem to equate those risks with good corporate governance at the top ranks.
And it gets worse. As my recent IMA TechTalk Blog post on developing a data governance strategy points out, most organizations lack plans in this area as well.

So technology permeates most companies. There are potential risks associated with those technologies. Data and information are the lifeblood of business today and a critical asset. Companies generally lack data governance strategies. And boards are at the earliest stages of recognizing these weaknesses. Sounds like a potential for disaster to me.

Where does the CFO sit in all of this? At the very least, the CFO has an opportunity to become a key figure in helping the organization develop an effective data governance strategy, and in helping to educate and inform the board about possible risks associated with technology. In fact, I think the CFO has the potential to take on a great role beyond finance and accounting, as pointed out in my earlier IMA TechTalk Blog, “Rise of a Hybrid in the C-suite: the CFTO?” This is not to say that the CIO has no role – this is a chance to foster greater collaboration within the C-suite itself and start to plant the seeds of a culture of integrated thinking that can trickle down to the rest of the organization as well as up to the board.




Comments

04-04-2015 11:33 AM

I have 21 years' experience in accounts & finance.

04-01-2015 12:14 PM

I have seen IT steering committees that sort out the priorities for tech implementation and project portfolios, but having at least some board-level discussion on a formal basis would not just address the risks inherent in today's plugged-in world, but also the benefits. I also see lost opportunities for competitive advantage as a kind of risk - your organization risks falling behind competitors or missing "the next big thing" that could revolutionize the firm.
I like to look at the bright side too, although the risks of tech-driven disasters are mounting, in that an entity that is paying attention to Brad's advice on the downside risks is likelier to mature to a proactive technology stance to both protect assets, but also project their mission, vision, and strategies forward.

04-01-2015 11:58 AM

Not only does technology governance need to involve the board – a company also needs to integrate its key management functions. For example, the Chief Marketing Officer (CMO) and Chief Information Officer (CIO) C-Suite functions will need to integrate as internal and external information becomes increasingly important in helping a company expand its market share. As the Deloitte study on C-Suite 3.0 documents, this increasing interdependency between these two critical C-Suite functions will be vital to a company as Big Data, Internet of Things, Cloud and Mobile Computing/Predictive Analytics become “best practices” of a sustainable organization. http://deloitte.wsj.com/cio/2015/02/02/navigating-c-suite-3-0/