
The board’s role in IT oversight



I recently interviewed Bill Arend, Regional Manager for Oracle's North America Applications business unit. He is an advisory board member of the National Association of Corporate Directors - Texas Tri-Cities Chapter. He facilitated the chapter's January 2011 meeting titled "The Board's Role in IT Oversight."

Q: What is driving the need for a meeting dedicated to IT and risk at the board level?

Fact: Information has value - attacks can come from both inside and outside and are profitable.
Today, technology is so pervasive in business, yet there is no manual to help a board member ask the 'right' questions that would ensure technology is not putting the company at risk. The meeting addressed the idea that compliance is fundamental but data is everywhere - how can the board know when there is a system in place for continuous monitoring that will provide early detection? This requires a dramatic increase in awareness that involves a culture shift. Security is across all fronts of business and is extraordinarily complicated. The real story is driven by the fact that technology is ubiquitous, combined with ever-changing regulatory requirements and risk tolerance levels - it is a dynamic environment and takes a very proactive approach.

Q: What are the key areas in IT and risk that directors need to be informed about?

• What is our IT risk exposure?
• What should it be?
• How can IT lower the company's risk?

Q: How can the board ensure IT risk governance oversight is in place?

The board has a choice to step up and learn, bring someone to the table or put some form of structure in place for oversight. If the board is working from an 'it will not happen to me' attitude, they could be inviting trouble. Media covers IT security problems that have external threats, yet the majority is from people within - trusted individuals from within. A balanced approach includes an understanding of both internal and external threats.

It is critical that boards recognize that IT Governance, Risk, and Compliance (GRC) has evolved with all of the regulatory mandates and M&A activity in the marketplace. By enforcing proper segregation of duties, protecting application configuration integrity, continuously monitoring material transactions and taking a layered approach to preventative, embedded security controls, boards will ensure that embedded security, oversight, visibility and enforcement are woven into the DNA of the organization. Ignorance is not a control.

Q: What are some questions that directors can ask to ensure IT risk oversight?

1. Do we have the right expertise to understand how technology affects this company going forward?
2. What do we need to have the right blend of offensive and defensive tactics leveraging technology to safeguard the company and optimize our potential?
3. Do we have the right IT infrastructure to compete and preferably have a sustainable competitive advantage:
- Sharing of critical information
- Ability for easy collaboration of teams, globally if necessary
- The ability to use technology for products, pricing, marketing/distribution, customer service with flexibility and speed?
- Is there a sea change in technology which we should/must consider that will change the nature and dynamics of our industry and business?
4. What can IT do to help us identify and track key business and risk areas? Data mining, product/segment profitability, analytics, dashboards?
5. What do we as a board need to do to get the right support to help us and the company manage better by leveraging technology?

Q: Is it time to put IT expertise in the boardroom?

Directors can no longer sit back and think they have IT risk taken care of. It takes a certain level of savvy to not only ask the right questions but know when the company has the right answers. Some companies may want to consider a director that has an IT background that also includes executive-level experience. Some may want to have a subcommittee under the audit committee to address issues.

Tracy E. Houston

Tracy E. Houston, M.A., president of Board Resource Services, is a board advisory consultant and executive coach headquartered in the Denver area. She conducts board evaluations and assists boards with a variety of issues that increase effectiveness. She can be reached at hello@eboardmember.com or http://www.eboardmember.com
eBooks: www.amazon.com/author/www.eboardguru.com


 
