Step 5: Risk

“Bake” IT into risk management oversight

IT risks need to be included in the company’s overall risk management process and its risk oversight process, even as new technologies change the profile of risk over time. Some of the more enduring IT risks include the risk of:

  • failure to execute on strategic IT goals,
  • an inability to protect personal and sensitive data,
  • breakdowns in IT systems that limit the company’s operations,
  • missed opportunities from emerging technologies,
  • failure to keep up with competitors’ use of IT, and
  • noncompliance with IT laws and regulations.

Effective risk management entails identifying the most significant IT risks, the probability of a negative event occurring, and its potential impact. Boards should make sure that key individuals outside IT have input into the IT risk management process. These may include the Chief Risk Officer, Chief Privacy Officer, Chief Information Security Officer, business unit leaders, internal and external auditors, or even outside consultants.

It is helpful for boards to communicate to management about the specific information they would like to receive to effectively oversee the IT risk management process. Such a list can include:

  • data from key performance indicators and mitigating internal controls related to IT,
  • reports on IT security breaches,
  • the scope of internal audit's plan and related audit findings,
  • IT laws and emerging regulations, and
  • whether the company has, or is considering, IT cybersecurity risk insurance coverage.

Companies should consider how the top IT risks can best be mitigated through effective internal controls. Risk reduction procedures are effective only if they are woven into the fabric of the entire organization. Directors should ask management whether company policies and training programs are updated to reflect the changing IT risk environment. Often, employee communications may need to be enhanced, including how to report IT policy violations or issues.

Things can go wrong far too easily (and do go wrong far too frequently) for directors not to discuss crisis management as part of their risk management oversight. One aspect of crisis management planning is how the company communicates in a crisis, including how it intends to use technology. Boards should ask whether it makes sense for the company's crisis communications plan to embrace social media to react quickly when a negative event arises. Doing so may ensure the company's version of the story gets heard. Our research finds only one-third of directors are more than “moderately comfortable” that their board understands the company’s social media crisis communications response plan.