Board oversight should be the safety net for ensuring that a comprehensive IT program supported by the chief executive officer and senior management is followed by the company. However, the rapid pace of IT change can cause previous conclusions about the board's approach to IT oversight to become stale quickly. Directors will want to know whether there are any changes to the company's IT plans or new strategic initiatives and their underlying risks.
Decisions about how critical IT is to the company (Step 1), the board's approach (Step 2), identification and prioritization of the most relevant IT issues (Step 3), and the integration of IT into strategy and risk management (Steps 4 and 5), should be revisited at least annually. To assist in ongoing monitoring, directors may want to:
The key is to initially define a process that works best for your particular board and then put the process in place. Ongoing monitoring of the effectiveness of the company's IT activities should be supplemented by a continuous evaluation of the board's oversight process. Not only does the business change and technology evolve, but the composition and level of IT expertise of the board fluctuates. Periodic “fresh looks” at the framework will provide directors with confidence in their IT oversight.
The bottom line
As technologies continue to evolve, directors will likely face more IT oversight responsibilities. Therefore, implementing a defined process for board oversight can provide distinct advantages over an ad hoc or poorly defined approach. Following an agreed-upon methodology provides thoroughness, discipline, and rigor to satisfying a board duty that is concerning many directors. We believe that use of the IT Oversight Framework enables directors to bridge the “IT confidence gap” and rest more comfortably knowing a robust oversight process is in place.