Partner, Center for Board Governance
Information technology (IT) continues to change the way many companies do business, and more companies are relying on technology to get ahead of competitors and to engage more closely with customers. But the pace of change in IT is rapid, and the subject matter can be complicated.
Often, highly technical jargon is used to describe emerging technologies and the related risks and rewards. Add to that the fact that the average age of directors is 62, which means they likely developed their careers in the pre-digital age and may need to get themselves up to speed.[i] And less than 1% of Fortune 500 directors have been or are currently Chief Information Officers.[ii] All of this makes overseeing a company’s IT activities a significant challenge for many boards of directors.
So what can boards do? Given that nearly 60% of directors who responded to our 2012 Annual Corporate Directors Survey want their boards to spend more time this year on IT oversight—up from 38% the previous year—a good way to start is to think about IT oversight as a process. Using a structured process can help ensure an effective approach to IT oversight.
How important is IT to the company's success?
As board members think about technology, it is helpful to understand how critical IT is to their company’s success, which includes considering the role IT plays in the company's industry. Directors should also understand any planned changes to the company's business model: for example, whether there are plans to merge with or acquire another company, install new enterprise resource planning systems, or adopt emerging technologies such as cloud computing.
Directors will also want to consider the current state of the company’s IT infrastructure and the size of its IT budget. The recent economic downturn caused many companies to delay upgrading their IT systems, leaving a backlog of deferred IT maintenance that directors should factor into their view of the current status of IT at their companies. Directors should also evaluate the IT budget, and the portion of it spent on security, against company peers, including how IT spend is allocated between maintenance and emerging technologies.
Who will “own” IT oversight?
Determining who is responsible for IT oversight is also an important consideration for boards. Results from our Survey show that most directors (56%) say it’s the audit committee’s responsibility, with 25% assigning IT oversight to the full board.
A few boards assign oversight to other specific committees:
- 7% of directors say their boards use a separate board-level risk committee
- 2% of directors say their boards assign oversight to a separate IT committee
Directors will also want to determine whether the board or committee has the appropriate resources to oversee IT. Some boards might consider adding a director with first-hand IT or digital experience to the board, although only 30% of directors believe adding this skill to their board is “very important,” according to our Survey. Another option is to engage outside technology consultants, which more boards are doing. Our Survey showed that 26% of boards engaged outside consultants last year, an increase from the 15% that did so the previous year.
Boards can leverage the company’s CIO and should determine how often to meet with that person. Most directors in our Survey are meeting with their company’s CIO at least once or twice a year, while 18% communicate with the CIO at every formal board meeting. Directors may also want to evaluate how much of their annual board hours should be spent discussing IT issues.
What IT subjects are most relevant to the company?
Because new technologies surface regularly, boards should be sure to understand which IT subjects are most relevant to their companies. Possible subjects include data security, mobile computing, data privacy, social media, cloud services, and streamlining business processes using digital means, among others.
In considering these subjects, and any others that might be relevant to their companies, boards should obtain sufficient information to understand them and to ask the right questions. Examples of the questions boards may need to ask include:
- Data security – understand how management tests resistance to attacks
- Mobile computing – understand the company’s policy for allowing employees to use personal mobile devices to access corporate data
- Data privacy – ask management about privacy policies related to data exchanges with third parties
- Social media – understand how the company and its competitors use social media to engage customers, develop markets, recruit talent, and monitor employee activities
- Cloud services – discuss security and privacy risks associated with using the cloud, including backup and recovery
- Streamlining business processes using digital means – understand the use of data analytics to give the company a competitive edge
Board members should decide which subjects deserve the most attention and prioritize them for specific focus and discussion.
What is the impact of IT on strategy, and what risks does it create?
Nearly a quarter of boards discuss the continued viability of their company’s strategy only once a year, according to our Survey. Yet technology, and the company's use of it, may change more quickly. So boards may want to determine whether they should evaluate the company’s IT direction and overall strategy more frequently. Directors should ensure that IT considerations are integrated into the board’s ongoing review of the company’s strategy. Depending on its importance, IT strategy may need to be an essential part of the company’s overall strategy.
It is important for directors to understand the company’s key technology priorities for the short- and long-terms. Investing in the right technologies can help position a company ahead of the competition or improve its position in the marketplace. Thinking about IT as a tool for innovation can also provide directors with greater incentive to address what can be a complicated subject.
It is equally important for directors to understand the risks associated with IT and to ensure that such risks are included in both the company’s overall risk management process and the board’s risk oversight process.
Some of the more enduring IT risks include cyber risks, the failure to execute on strategic IT goals, lack of compliance with privacy laws, and breakdowns in IT systems that limit the company’s operations. Boards should also ask management whether the company intends to use technologies like social media when it communicates in a crisis.
Effective risk management entails identifying the most significant IT risks and, for each, estimating the probability of a negative event occurring and its potential impact. Boards should ask to receive regular risk assessment reports from management.
How should boards monitor or revise their IT oversight process?
Directors will want to know about any changes to the company's IT plans, including any potential new strategic initiatives. Boards should also be sure to receive regular IT updates and IT metrics from management to gauge whether the company’s IT program is working and successful.
Boards should also understand the changing nature of business and technology and recognize that the level of IT expertise of the board may need to change due to changes in technology, company direction, and board composition. After putting an oversight process in place, directors should regularly evaluate their oversight process to make sure it’s effective.
[i] Spencer Stuart US Board Index 2011.
[ii] Diamond Management & Technology Consultants, “How does a CIO become a Fortune 500 board member?” 2009.
Since 2009, Don has been a partner in PwC's Center for Board Governance, which provides thought leadership, points of view on contemporary governance issues, and training to prominent boards of directors and the governance community. He provides practical governance perspectives and personal insights, as well as evaluating and benchmarking activities relative to his personal experience and leading practices. Don has over 35 years of experience and has served as the lead engagement partner for several of PwC's Global 100 clients; his career has spanned a wide variety of industries, from technology and software to industrial products and oil and gas.
Don served as PwC's Global Software Industry Leader for five years, and he uses his information technology background to address related board considerations regarding emerging technologies. He was the chief architect of the firm’s research on board oversight of information technology and the resulting publication Directors and IT - What Works Best. He has also worked on several investigations. This experience gives him a unique perspective in discussing relevant board oversight considerations, including mitigating related fraud risks.
As a recognized public speaker at conferences and forums, Don has addressed a variety of topics, including corporate governance, industry business practices, SEC reporting, and emerging technologies. He recently presented at the annual national conferences of Corporate Board Member and the National Association of Corporate Directors (NACD). He has served as a faculty member and written many courses for NACD's professional development director training programs, programs sponsored by the Colorado State Society of CPAs, and the Professional Development Institute.
Don has frequently been quoted in the press and in periodicals, such as The Wall Street Journal, Bloomberg Businessweek, Investor's Business Daily, and CFO Magazine. He has also authored or co-authored a number of other works, including Audit committee effectiveness—What Works Best; Software Industry Accounting, published by Wiley & Sons; and PwC's User Friendly Guide to Software Revenue Recognition.
Don was the managing partner of the Austin office. He is a Certified Public Accountant and a graduate of the University of Notre Dame.