With technology evolving at warp speed, corporate directors are ratcheting up oversight of IT risk, with one problem: They admit their technology know-how could use some brushing up.

The explosion in the number of apps for smart phones and tablets, the growing influence of social media and other on-line tools, and the growing threat of cyber attacks are compelling directors to take a more proactive approach to understanding IT risks. “Board directors are taking their fiduciary responsibilities seriously, and that is reflected in the increased time they're spending on this topic,” says Ellen Richstone, a board member at OPEXEngine.

According to a recent board governance survey conducted by PwC, 61 percent of 934 public company directors polled said they want to spend more time considering IT risks in the coming year, while 55 percent said the same about IT strategy. “We hear everywhere we go that directors are very concerned, appropriately so, with the oversight of not just IT risk, but IT strategy,” says Don Keller, a partner in PwC's Center for Board Governance.

Even as directors pay more attention to the risks created by emerging technologies, a considerable gap still exists between the time it takes directors to understand new technologies and the rate of technological change. “The business world needs to address that gap relatively quickly,” says Raj Bector, a partner in the strategic IT and operations practice of management consulting firm Oliver Wyman. There has been some progress made in this area; “just not fast enough,” he says.

During a series of roundtables the National Association of Corporate Directors hosted with directors around the country to gauge their level of technical knowledge, corporate board members expressed frustration with the level of technology sophistication in the boardroom. “Directors said they're least satisfied with the talent on the board in terms of their expertise around IT,” says Peter Gleason, managing director and chief financial officer of the NACD.

A recent governance survey conducted by the NACD found a similar deficit in the IT savvy of directors. Only 25 percent of 1,019 public company directors surveyed said that they have a “high level of technical knowledge.” Another 63 percent said they have “some technical knowledge, but could use improvement.”

According to Gleason, part of the challenge is that many directors who serve on boards today were born in a pre-digital age, so getting up to speed on new technologies has proven difficult for them. According to analysis conducted by executive search and leadership consulting firm Spencer Stuart, the average age of independent directors on S&P 500 boards is on the rise and currently stands at 62.6 years.

Others say that the graying of the boardroom isn't necessarily the problem. “I don't think it's an age issue,” argues Bector. Technology evolves so quickly that “it's hard for anybody to keep pace with the changes,” he says.

If anything, the ability to keep on top of emerging technologies has more to do with the length of time that directors serve on boards, he says. “Should there be a faster turnover?” Bector asks. “You constantly need new people and new ideas to fill the boardrooms to essentially be impactful.”

IT Risk Strategy

Another factor that plays a role in a board's overall understanding of IT risk and strategy is management involvement. According to the PwC study, 47 percent of directors stated that they only “moderately” believe that the company's strategy and IT risk mitigation is supported by a sufficient understanding of IT at the board level, while 28 percent said it “needs improvement.” Only 22 percent agree strongly that management provides them with adequate information for effective oversight.

“Every director should have a baseline understanding of the company's information technology,” says Richstone. She offers a list of questions that every director should be asking on IT risks:

What is the strategic importance of IT to the company's mission? What role does it play? How has it changed with the utilization of social media?

What systems does the company have, and how do they connect to one another?

How is the security on the company's systems managed? How frequently do security and compliance audits happen?

How are employees trained to understand and identify IT risks and to minimize those risks to the company?

Does the chief information officer have the appropriate level of resources?

“Management needs to take the lead on most of these issues,” says Richstone. Directors also need to be involved, however, and need to be briefed on IT efforts, as well as the results of those efforts. Management should also be providing the board with metrics on the company's IT systems, she says, which should be reported regularly at board meetings by the individual responsible for IT, specifically the CIO.

Some warn, however, against overwhelming board members with too much data at once. “Don't try to force feed too much information,” advises Keller. “Serve it to them in bite-size pieces.” The way to go about doing that, he says, is to prioritize the discussion to focus first on the matters that are most important to the company. One company, for example, might be more interested in cyber-security, while another might have higher stakes in mobile computing or cloud migration, he says.

[Chart: Boards Spending Time on IT? Companies were asked to indicate on average what percentage of last year's total annual board/committee hours were spent discussing oversight of IT risks and opportunities. Source: PwC.]

Directors also need a better understanding of how the company's technology risks and strengths stack up against competitors. “You need to understand how you position your business relative to your peers with respect to technology,” says Bector. Without that understanding, you'd have little knowledge about what emerging technologies and innovations could change the business landscape moving forward, potentially giving your competitors a leg up, he says.

Management's efforts to involve the board more in setting IT strategy are growing in importance. In the PwC study, 77 percent of directors believe their company's IT strategy and risk mitigation approach contributes to, and aligns with, the company's overall strategy.

Directors expressed the highest levels of satisfaction with the level of engagement in the status of major IT implementations (80 percent) and annual IT budget (63 percent). Areas where they'd like to be more engaged include the company's level of cyber-security spend (24 percent) and competitors' leverage of emerging technologies (22 percent).

Bector notes that the number of directors who are now directly interacting with the CIO, as opposed to the senior management team, is also on the rise.

Tech Support

Boards appear to be aware of the gap in IT knowledge and more of them are seeking directors with first-hand IT experience. In the PwC study, 75 percent said adding directors with technology or digital media experience is important, up from 68 percent last year.

Recruiting directors with IT experience, however, poses challenges of its own; some individuals may have a lot of expertise in IT, but don't necessarily have the desired breadth of knowledge in other areas of the business, notes Beverly Behan, president of board consulting firm Board Advisor.

If you hire an active CIO, you also run into the problem of how much time they can devote to the board. A corporate crisis in the IT world can bubble up pretty quickly, says Gleason. “They have to devote their time to it, and then they don't have time to devote to anything else.”

Hiring a retired CIO may solve that problem, but then they may not be as up-to-speed on new technologies. “Do not assume that because you understand your situation today that you're going to understand your situation one year from now,” says Richstone.

Because technology is so fluid and complex, several boards are also turning to outside consultants to advise them on IT strategy and risk. The number of boards that reported doing so jumped from 27 percent in 2012 to 35 percent this year, according to the PwC study. While most of these consultants were hired on a project-specific basis, the percentage of consultants engaged on a continuous basis doubled from last year.

Gaining an overall understanding of a company's IT risk and strategy involves a “continuing thought process and effort,” says Richstone. “This issue is not going to go away; if anything, it's going to become more prevalent.”