On the whole, boards don’t have a great grasp on technology-related risks, and conveying those threats to nontechnical professionals can prove challenging. Protiviti’s Jim DeLoach discusses how to have the conversation in the context of strategy, risk mitigation and impact to the business model.
We often receive feedback from board members that they are not satisfied that they understand the full picture regarding the technology risks their organizations face. Over the years, many directors have identified technology as one of the key areas for improving both the quality and quantity of information received from management. In the digital era, the stakes have most certainly increased; digital capabilities are now a differentiator in the marketplace as many established businesses face the prospect of new “born digital” competitors. Almost no business is immune to the disruptive wave of digital transformation.
Below, we discuss three contexts for conducting technology briefings with the board: strategic, risk and business model. Each of these contexts provides directional insights for the chief information officer (CIO) in organizing his or her delivery and for directors regarding information they should expect to receive. Simply stated, the board needs to understand technology as a critical enterprise asset, and the opportunities and risks associated with this asset must be communicated in a manner that directors can understand.
Within the Context of the Business
The CIO addresses how the business model leverages technology to deliver the products and services the company offers the marketplace, as well as the opportunities and exposures resulting from disruptive change. The business context briefing answers such questions as:
- Do we understand developments in potentially disruptive digital technologies at the industry level? Are we sufficiently ahead of the change curve such that we are able to integrate new technologies into our business on a timely basis?
- Are emerging technologies being deployed effectively to achieve our business objectives (e.g., achieve customer loyalty, improve quality, compress time, reduce costs and risks and drive innovation – in short, enhance the customer experience)?
- Are we positioning the company’s operations to anticipate and proactively drive the innovative change needed to secure sustainable competitive advantage?
- What emerging technologies could alter the competitive landscape, customer expectations and strategic supplier and/or distribution channel relationships within the value chain in which we operate? To what extent are our operations and the technologies we deploy exposed to disruptive change and being held captive to events in the foreseeable future?
- Are there aspects of our technological capabilities we should be sharing with analysts, shareholders and the street in general in telling and advancing our story, and, if so, are we sharing them? If not, why not?
Within the Context of Executing the Strategy
The CIO articulates how strategic initiatives are driven by critical technologies and how the organization is facilitating the design and implementation of controls over these technologies to ensure they perform effectively and that strategic objectives are achieved. The strategic execution context briefing answers such questions as:
- What technologies are critical to implementing our strategic initiatives and accomplishing our business objectives (e.g., growth, customer fulfillment, profitability enhancement, innovation and process improvement)?
- How are we ensuring these technologies are functioning effectively?
- How are the CIO organization and the business collaborating to ensure the return on the organization’s investment in these technologies is being realized?
- What challenges are we encountering in implementing these technologies in executing the strategy, and what is the effect of these challenges on the success of our strategic initiatives?
- Do we have reliable and timely information for decision-making along with the supporting data we need to execute strategic initiatives?
Within the Context of Mitigating Risks
The CIO uses a broader business view to identify specific risks that either may be a result of technology or are mitigated partly through the application of technology. Example questions answered in the risk mitigation context may include:
- What are the most significant risks arising from technology, and how do they affect the business, including its reputation and brand image? Have we assessed our tolerance for these risks?
- Are we mitigating the critical risks to an acceptable level? How do we know?
- What critical business risks are we mitigating using a risk response that relies on an important technology component? Is this technology component performing effectively? How do we know?
- Is technical debt limiting our company’s competitiveness?
- Are our existing operations and legacy IT systems falling short of performance expectations set by our competitors, especially competitors who are “born digital”?
In summary, the CIO’s objective is to provide a briefing on technology matters that resonates with directors across all three contexts:
- The business context: Are we managing disruptive change?
- The strategic context: Are we maximizing value contributed and ROI?
- The risk mitigation context: Are we managing the business and reputational impact of our risks?
Underlying the above discussion are two timeless principles: (1) business objectives are also technology objectives and (2) technology risks represent business risks. Using these principles, the above contextual perspectives provide insights to CIOs as to how they should communicate with boards and to board members as to the information they should expect from CIOs.
Citing and then speaking to the above contexts in a crisp, nontechnical manner can facilitate ongoing CIO/board dialogue. In this regard, the CIO should:
Demonstrate an understanding of the business – Using the appropriate context, drill down to the relevant technology-related objectives, plans for achieving those objectives, organizational capabilities to execute those plans and measures by which to gauge progress. In today’s world, technology can facilitate and expedite business transformation and growth through technological innovation (the business context) but can also destroy reputation if not adequately protected and controlled (the risk mitigation context). Board members should be briefed by CIOs on these interrelated contexts.
Focus on the board’s needs – The board has little interest in the intricacies of how the CIO organization is run and managed. Don’t go there unless requested.
Address business impact and metrics, not just technology impact and metrics – The CIO should provide an end-to-end view and focus on business consequences. For example, consider the following metric: “99 percent of our systems are patched within 10 days.” This metric leaves unaddressed the question as to the sensitivity of the data and/or business consequences of service failure of the other 1 percent of systems.
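To make the point about the patch metric concrete, the following added example (not from the article or from Protiviti) computes the headline “patched within 10 days” figure alongside a criticality-weighted figure and a list of what is actually sitting outside the window. The inventory, the 1-to-5 criticality scale and the sensitivity labels are constructed for illustration.

```python
"""Added example: why '99% patched within 10 days' hides business impact.

The inventory, criticality scale (1 = low, 5 = crown jewel) and sensitivity
labels below are constructed assumptions, not data from the article.
"""
from dataclasses import dataclass
from typing import Optional

SLA_DAYS = 10  # the briefing's "within 10 days" window


@dataclass(frozen=True)
class System:
    name: str
    days_to_patch: Optional[int]  # None means still unpatched
    criticality: int              # hypothetical 1..5 business-criticality score
    data_sensitivity: str         # "public", "internal" or "regulated"


# Constructed sample: ten systems, nine patched inside the window, and the
# one straggler happens to hold regulated data on the most critical system.
INVENTORY = [
    System("web-frontend", 2, 3, "internal"),
    System("hr-portal", 5, 2, "internal"),
    System("wiki", 1, 1, "public"),
    System("build-server", 7, 2, "internal"),
    System("mail-relay", 3, 3, "internal"),
    System("reporting", 9, 2, "internal"),
    System("crm", 4, 4, "regulated"),
    System("file-share", 10, 2, "internal"),
    System("vpn-gateway", 6, 4, "internal"),
    System("payments-db", None, 5, "regulated"),
]


def within_sla(system: System, sla_days: int = SLA_DAYS) -> bool:
    """True if the system was patched on or before the SLA deadline."""
    return system.days_to_patch is not None and system.days_to_patch <= sla_days


def headline_compliance(systems, sla_days: int = SLA_DAYS) -> float:
    """The metric as usually reported: share of systems patched in time."""
    return sum(within_sla(s, sla_days) for s in systems) / len(systems)


def weighted_compliance(systems, sla_days: int = SLA_DAYS) -> float:
    """Same metric, but each system counts in proportion to its criticality."""
    total = sum(s.criticality for s in systems)
    covered = sum(s.criticality for s in systems if within_sla(s, sla_days))
    return covered / total


def unpatched_exposure(systems, sla_days: int = SLA_DAYS):
    """(name, criticality, sensitivity) for every system outside the window,
    most critical first: this is the list the board actually needs to see."""
    late = [s for s in systems if not within_sla(s, sla_days)]
    return sorted(
        ((s.name, s.criticality, s.data_sensitivity) for s in late),
        key=lambda row: -row[1],
    )


def board_summary(systems, sla_days: int = SLA_DAYS) -> dict:
    """Bundle the headline figure with the business-impact view."""
    exposure = unpatched_exposure(systems, sla_days)
    return {
        "headline_pct": round(100 * headline_compliance(systems, sla_days), 1),
        "weighted_pct": round(100 * weighted_compliance(systems, sla_days), 1),
        "systems_outside_sla": exposure,
        "regulated_data_outside_sla": any(row[2] == "regulated" for row in exposure),
    }


if __name__ == "__main__":
    summary = board_summary(INVENTORY)
    print(f"Headline: {summary['headline_pct']}% patched within {SLA_DAYS} days")
    print(f"Criticality-weighted: {summary['weighted_pct']}%")
    for name, crit, sens in summary["systems_outside_sla"]:
        print(f"  outside SLA: {name} (criticality {crit}, {sens} data)")
```

On the constructed inventory the headline reads 90 percent while the weighted figure is about 82 percent, and the single straggler is the regulated payments database; the second and third lines of the summary are the ones that answer the “so what” question the headline leaves open.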
Target the audience – The CIO needs to understand the purpose of the briefing. Ask the board committee chair for direction, and request insights from people who have presented to the board as to the background and personalities of the various directors.
Keep it pithy – Directors don’t want the whole nine yards. Focus on what they need to know and leave it at that. Share sophisticated knowledge carefully. Identify the message points directors should take away and focus on supporting those points. Allow time for questions.
Be prepared for contingencies – Expect to be asked to rush your briefing if scheduled late in the day. It happens.
Boards need to clarify their expectations of the CIO. What are their needs, what is it they don’t understand, and what technology issues and related business risks concern them the most? More importantly, what context(s) do directors desire the CIO to address when presenting on technology matters? In addition, directors need to be realistic with their expectations of the CIO due to technology being a complex aspect of the business. Therefore, the allotted presentation time should be commensurate with directors’ expectations of the briefing.
Directors instinctively know that the opportunities and risks associated with technology have increased in significance over time. Social business, cloud computing, mobile technologies, powerful differentiating digital capabilities and other developments offer significant opportunities for creating cost-effective business models and enhancing customer experiences. They may also spawn disruptive change, increased privacy and security risks and further exposure to cyberattacks. The fresh challenges presented by these changes create, in effect, a “moving target” for companies to manage. While the velocity of disruptive innovation through emerging technologies is not as immediate as a sudden catastrophic event, its persistence of impact is potentially lethal for those organizations caught on the wrong side of the change curve.
Questions for Executives and Directors
The following are some suggested questions that senior executives and boards of directors may consider, based on the risks inherent in the entity’s operations:
- Are opportunities presented by technology and the potential to lead and/or respond to disruptive change influencing the strategy-setting process? Or, alternatively, is technology simply viewed more narrowly as a strategic enabler?
- Does the board devote sufficient time to technology matters, including the related opportunities and risks and the organization’s capabilities and processes in managing those opportunities and risks?
- Is the board satisfied with the CIO’s periodic communications? If not, has the board conveyed its expectations to the CIO so that future communications are on point?
- Is the CIO organization effective in supporting the changing needs of the business and monitoring digital innovations, including how new technology can be deployed by competitors to create disruptive change? Does the CIO assist the board in understanding these issues?
- For significant technology initiatives, does the board understand the underlying assumptions about how each initiative achieves specific strategic goals, as well as how success will be measured? Is there follow-up to ensure that each significant project delivers on promises made?