Risk Management in Technology: The Board’s Role
While it is usually management which designs and implements the organisation’s risk management framework, it is the Board’s role to ensure the soundness and usability of the framework, for which it is ultimately responsible. It is no different when it comes to risk management for information technology (IT). Boards are as accountable for IT risks as they are for all other risks that may prevent the organisation from attaining its objectives. The firm’s technology includes its critical IT infrastructure and the development, systems design, implementation, management, maintenance and upgrade of that infrastructure.
Given that the current environment is one of unprecedented disruption, it is not surprising that organisations are simultaneously increasingly dependent on technology but often overwhelmed by the need to deal with it. The copious amounts of data and new information now available, coupled with the speed at which businesses must transform or risk being left far behind, may be particularly taxing for the Board to deal with as members may already be fully preoccupied with existing challenges. It is imperative therefore that Boards find a way to cut through the clutter and zero in on the actual issues that confront them when developing strategies for risk management in technology.
Among the Board’s most pressing roles is setting the organisation’s risk appetite where its technological risks are concerned, in a way that allows it to manage or mitigate adverse effects while taking advantage of potential opportunities. It has to do this while ensuring good corporate governance, including information technology governance, taking into account the various perspectives of stakeholders and balancing technology-related costs and benefits – which can often be substantial – against limited resources. For Boards to achieve effective oversight of IT risk, they will need the support of the firm’s Chief Information Officer (CIO), Chief Technology Officer (CTO) and Chief Risk Officer (CRO).
When considering risk management in technology, Boards need to know what kind of risks they are looking at. They need a comprehensive, end-to-end view of the technology supporting the organisation, including products, procedures and processes. Because of the interconnectedness of technology nowadays, risks span a wide range of areas, from strategy, finance and operations, to regulatory compliance, reputation and outsourcing collaborations. Boards will find themselves dealing not only with denial of service from compromised systems (and the ensuing loss of revenue), but also with the ire of stakeholders when confidential information is breached.
Most Boards prioritise the safety, health and security of the organisation’s workforce, but today’s dynamic business environment means they will have to go beyond this. First and foremost, they will have to examine their organisational strategies to gauge fitness for purpose. They should ask themselves whether the technology currently used in the business needs expansion, upgrades or more security, and if so, how. Regulatory requirements should also be a consideration, particularly if the firm operates in more than one jurisdiction. The cost of what will be required to get systems up to speed, or to keep operations on an even keel, should be determined.
Board members do not need to be technology experts, but they should understand the role of technology, and the technology and risk management trends in their respective business environments, comprehensively enough to make effective decisions. The role of the Board is generally to oversee the firm’s policies and ensure they are fit for purpose and duly followed. It is the same when it comes to risk management in technology. Board oversight should extend over the legal compliance of policies, the management of information (including security and disaster recovery), the confidentiality of information and the quality of the data provided in support of decision-making.
As they broaden their understanding of these issues, a clearer picture of the organisational assets that need the most protection will emerge, allowing them to prioritise and determine where the firm’s greatest exposures and vulnerabilities lie. This due diligence will go a long way towards developing a better perspective on emerging risks, and identifying opportunities that the organisation may be able to capitalise on. Due diligence will inevitably produce more data; the Board needs to be aware of the necessity of managing this data, and of the risks that come with it, as poor data management may result in fraud and documentation irregularities that lead to poor reporting.
A major part of data management is keeping data secure and confidential, and because many firms today outsource their data storage and retrieval systems to specialist providers, Boards will find themselves extending their oversight over third parties as well. It is worth noting that regulators are becoming increasingly concerned about how data is managed, stored, transmitted and manipulated, and legislation in many jurisdictions now has stricter governance mechanisms in place to regulate data creation, manipulation, storage and disposal. Organisations should have appropriate policies in place to ensure compliance.
Again, the Board can only do this if it is up to speed on what is required, and has put in place the necessary checks and balances for effective governance, regulation and compliance. There are a number of ways it can do this; establishing a Board-level committee specifically for technology risks is one, particularly if the organisation envisages a growing dependence on technology in the future. This committee could comprise Board members with the requisite skills, or be authorised to access external expertise for consultation on developing the appropriate strategies, frameworks and policies. The committee should also try to ascertain best practices and benchmarks for its industry.
If Boards have not yet turned their attention to managing technology risks, they must start now or risk being left behind by both technology and their peers. Technology risks will not decline anytime soon; getting a handle on the issue of technology and cyber risk management now will help organisations weather the disruptions that lie ahead.