The board’s role in IT oversight
I recently interviewed Bill Arend, Regional Manager for Oracle's North America Applications business unit. He is an advisory board member of the National Association of Corporate Directors - Texas Tri-Cities Chapter. He facilitated the chapter's January 2011 meeting titled "The Board's Role in IT Oversight."
Q: What is driving the need for a meeting dedicated to IT and risk at the board level?
Fact: Information has value - attacks can come from both inside and outside and are profitable.
Today, technology is so pervasive in business, yet there is no manual to help a board member ask the 'right' questions that would ensure technology is not putting the company at risk. The meeting addressed the idea that compliance is fundamental but data is everywhere - how can the board know when there is a system in place for continuous monitoring that will provide early detection. This requires a dramatic increase in awareness that involves a culture shift. Security is across all fronts of business and is extraordinary complicated. The real story is driven by the fact that technology is ubiquitous combined with ever-changing regulatory requirements and risk tolerance levels - it is dynamic environment and takes a very proactive approach.
Q: What are the key areas in IT and risk that directors need to be informed?
• What is our IT risk exposure
• What should it be
• How can IT lower the company's risk
Q: How can the board ensure IT risk governance oversight is in place?
The board has a choice to step up and learn, bring someone to the table or put some form of structure in place for oversight. If the board is working from an 'it will not happen to me attitude' they could be inviting trouble. Media covers IT security problems that have external threats yet the majority is from people within - trusted individuals from within. A balance approach includes understanding of both internal and external threats.
It is critical that boards recognize that IT Governance, Risk, and Compliance (GRC) has evolved with all of the regulatory mandates and M&A activity in the marketplace. By enforcing proper segregation of duties protecting application configuration integrity, continuously monitoring material transactions and taking a layered approach to preventative, embedded security controls, boards will ensure that embedded security, oversight, visibility and enforcement are woven into the DNA of the organization. Ignorance is not a control.
Q: What are some questions that directors can ask to ensure IT risk oversight?
1. Do we have the right expertise to understand how technology affects this company going forward?
2. What do we need to have the right blend of offensive and defensive tactics leveraging technology to safeguard the company and optimize our potential?
3. Do we have the right IT infrastructure to compete and preferably have a sustainable competitive advantage:
- Sharing of critical information
- Ability for easy collaboration of teams, globally if necessary
- The ability to use technology for products, pricing, mktg/distribution, customer service with flexibility and speed?
- Is there a sea change in technology which we should/must consider that will change the nature, dynamics of our industry and business?
4. What can IT do to help us identify and track key business and risk areas? Data mining?, product/segment profitability, analytics, dashboards?
5. What do we as a board need to do to get the right support to help us and the company manage better by leveraging technology?
Q: Is it time to put IT expertise in the boardroom?
Directors can no longer sit back and think they have IT risk taken care of. It takes a certain level of savvy to not only ask the right questions but know when the company has the right answers. Some companies may want to consider a director that has an IT background that also includes executive-level experience. Some may want to have a subcommittee under the audit committee to address issues.