It has to do this while ensuring good corporate governance, including information technology governance, taking into account the various perspectives of stakeholders and balancing technology-related cost benefits – which can often be substantial – with limited resources. For Boards to achieve effective oversight of IT risk, they will need the support of the firm’s Chief Information Officer (CIO), Chief Technology Officer (CTO) and Chief Risk Officer (CRO).
When considering risk management in technology, Boards need to know what kind of risks they are looking at. They need a comprehensive, end-to-end view of the technology supporting the organisation, including products, procedures and processes. Because of the interconnectedness of technology nowadays, risks span a wide range of areas, from strategy, finance and operations to regulatory compliance, reputation and outsourcing collaborations. Boards will find themselves dealing not only with denial of service issues from hacked systems (and the ensuing loss of revenue), but also with the ire of stakeholders when confidential information is breached.
Most Boards prioritise the safety, health and security of the organisation’s workforce but today’s dynamic business environment means they will have to go beyond this. First and foremost, they will have to examine their organisational strategies to gauge suitability of purpose. They should ask themselves if the technology currently used in the business needs expansion, upgrades or more security, and if so, how. Regulatory requirements should also be a consideration, particularly if the firm operates in more than one jurisdiction. The cost of what will be required to get systems up to speed, or keep operations on an even keel, should be determined.
Board members do not need to be technological experts, but they should understand the role of technology, and the trends in technology risk management, in their respective business environments comprehensively enough to make effective decisions. The role of the Board is generally to oversee the firm’s policies and ensure they are fit for purpose and duly followed. It is the same when it comes to risk management in technology. Board oversight should extend over legal compliance of policies, management of information including security and disaster recovery, confidentiality of information and the quality of data provided in support of decision-making.
13 The IERP® Monthly Newsletter September - November 2021