PwC on Corporate Governance: IT Risk Oversight – NACD BoardVision


Announcer: Welcome to NACD BoardVision, where leading boardroom advisors, governance professionals and seasoned directors discuss critical issues related to your responsibilities in the boardroom.

Peter Gleason: Welcome to NACD’s BoardVision. I’m Peter Gleason, Managing Director of the National Association of Corporate Directors. And I’m joined today by Catherine Bromilow, a partner in PwC’s Center for Board Governance. Today we’ll be talking about the board’s role in the governance of information technology. Welcome, Catherine.

Catherine Bromilow: Thanks, Peter. I’m really happy to be here.

Peter Gleason: Catherine,
the board’s responsibility for IT oversight always generates a number of questions for board members. First, bearing in mind that the “I” in IT stands for information, are directors spending enough time on this critical information element of IT risk oversight? Second, with the pace of change and the complexity of IT systems, keeping up with the technology part of this equation can be a challenge, especially if directors don’t have a strong background in technology. So it’s not surprising that technology issues tend to make directors uncomfortable. Members also question whether IT risk oversight is a committee-specific responsibility or full board responsibility. Can you share some insights on that with us?

Catherine Bromilow: Peter, we know this is an area that makes directors uncomfortable. So we recommend approaching the topic of IT by looking at it a little more strategically. We suggest that directors consider a few questions that will help them decide if they need to increase their level of involvement in IT oversight.

Peter Gleason: Can you share
them with us, Catherine?

Catherine Bromilow: Well, first, it’s just a given that companies today depend on information technology. So we suggest that directors consider questions such as, does the company have a particularly high volume of transactions? Say like a financial institution. Does it collect and store particularly sensitive data about third parties? And that could be any kind of things like healthcare companies. Does it allow individuals who are outside the company to enter its systems? Or does it maintain proprietary know-how, processes or other intellectual property? And if the answer to any of those questions is yes, then we believe that more director involvement in IT is warranted.

Peter Gleason: Okay, Catherine. I’m guessing that probably
includes a fair number of companies. The IT span at companies can be very large, even in smaller companies. How are you seeing directors being active in IT risk oversight?

Catherine Bromilow: Well, the most obvious other reason to become more active is if there’s a major IT project underway, one that’s either transformational to the business or that helps enable a new company strategy. And it’s vital, we believe, for directors to understand the scope of such projects and the costs associated with them, because they really can present some significant risks to the company.

Peter Gleason: Without a doubt. These are areas where boards that might not usually be focused on technology can find themselves needing technology expertise, in order to offer oversight on things like business continuity. This specific technology expertise may not rest with the board, and it may be hard to acquire.

Catherine Bromilow: That’s probably right. And that’s also one of the reasons why directors often are just so uncomfortable with this topic. In fact, in 2010, PwC analyzed the backgrounds of all directors in the Fortune 500 companies. And fewer than one percent of these directors had any kind of chief information officer background. Furthermore, in PwC’s annual corporate director survey from 2010, 50 percent of directors agreed that it’s either somewhat or very difficult to add new directors to their boards who bring technology expertise.

Peter Gleason: Well, I’m not surprised by that. In fact, NACD just issued a whitepaper. In a survey we did for the paper, almost half of the companies surveyed indicated that they were dissatisfied with their board’s ability to provide IT risk oversight. As I indicated earlier, when you consider how much is riding on IT, its cost and the company’s ability to use it to operate efficiently, the statistic is very alarming.

Catherine Bromilow: It is a challenge for boards
today, but it is not an insurmountable challenge.

Peter Gleason: I’d like to leave the audience with a few takeaways on how boards can get comfortable with overseeing information and technology risks to the company. Catherine, what do you suggest?

Catherine Bromilow: Well, Peter, here are three ideas for directors. First, if IT is strategically significant to your company, and you don’t have someone on your board that has reasonable technology skills, really focus on adding those skills. It might not be easy, but it’s definitely worth the effort. Second is to make sure you devote time in the boardroom to discussing the company’s technology program. Get the answers you need and seek corroboration that things are okay, even if you need to use another source, such as an independent board advisor. And third, make sure you understand the full cost of technology. And that means the consulting fees to install the system, as well as the licensing, equipment, training, maintenance and other kinds of expenses. And make sure that management is able to explain to you whether there are significant variations in the budgeted cost of those and the actual costs that are coming in. And as you get regular updates from management on project status, you’ll know then — or have a better sense then — of whether a project is in trouble or not.

Peter Gleason: Thanks again for joining us today, Catherine. As always, we appreciate your insights on this important topic. That wraps up another edition of NACD’s BoardVision. On behalf of NACD and PwC, I’m Peter Gleason, and thanks for joining us.