Control or be Controlled: 5 Problem Areas for Boards
Compliance is evolving, and board members may now be unsure of their related responsibilities. Board members are more and more reliant on the data obtained from information systems to make their decisions. How can they use this information, and what are the traps they need to avoid?
The role of the board of directors is increasing in importance and complexity. One major aspect is the oversight of compliance. Compliance has continually evolved, making board members unsure of the nature and span of their responsibilities. It is more necessary than ever for boards to be actively engaged in their compliance functions and more sensitive to the corporate tolerance for risk and how it is monitored. With this, board members are increasingly dependent on technology, the information it provides and the impact on their businesses. With the rapid movement in compliance oversight, there are several areas where boards prove their worth or hold the organization back.
#1: Failing to Pay Attention to Culture
The board drives corporate culture. If it does not, get a new board. When it comes to corporate compliance, establishing the desired corporate culture is the critical first step. However, board members may not realize they have an essential role to play in establishing that culture. Decisions made by the board about finances, compensation or other matters directly impact the corporate culture and thereby impact financial results. Failing to establish a strong culture where compliance plays a prominent role can be a major flaw. Promoting a culture where quality corporate governance and compliance are ingrained will lead to a self-policing organization with greater awareness, few compliance issues and more substantial return for shareholders.
#2: Persecution of the CEO
The CEO is often the sacrificial lamb for the board. However, to move the organization forward, the board should create a secure atmosphere for the CEO to provide feedback to the directors. CEOs must be able to bring forth difficult issues and propose innovative solutions without the fear of reprisal. The CEO needs to propose policies the board can either approve, modify or reject. To succeed, CEOs must be adept at supplying the board with the appropriate level of detail. Information must be presented with the appropriate business context and in language that is readily understandable by board members. If the CEO cannot comfortably provide compliance-related metrics and propose compliance solutions, the organization will suffer.
#3: Held Back by Dead Weight
Often, directors have limited experience in compliance oversight. This can lead to a lack of confidence in making decisions and providing oversight on risk and compliance matters. At times, directors can become “dead weight,” not adding any insight, avoiding decisions and kicking the can down the road. There is a natural inclination for people to gravitate to matters they understand, but a consistent lack of direction can cause frustration, missed opportunities and significantly more risk for the company. Organizations need to pare board members that are consistently refusing to add value and provide direction.
#4: Lack of IT Knowledge
According to Accenture1, most directors lack a technology background or IT expertise. This is at a time when some of the most significant challenges facing organizations are centered around technology. Directors have the task of identifying existing risks and trying to forecast future risks while planning for corporate growth. As the pace of business increases, the associated technology risks are that much more complicated and are central to ensuring corporate compliance. However, reporting about IT risks is often done using technical jargon. This can be beyond even the most tech-savvy board members and can lead to misunderstandings and improper guidance. It is a challenge for both the CEO and CIO to provide sensible reporting to directors in a manner that is in line with business activities. For their part, board members must be either recruited with the appropriate level of technology knowledge or must be trained on technology-related compliance risks. Now more than ever, directors need an understanding of technology to make informed decisions.
#5: The Missing Risk Assessment
Often, board members are provided details and metrics on risk assessments. However, these assessments are often focused solely on either operational or financial risks. Compliance monitoring requires assessments that examine the specific regulatory risk areas based on the scope of corporate compliance policies. A control framework must be established to address these risks. Controls must be measured and tested periodically to ensure adequate maturity levels of protection for specified risks. Board members must receive periodic risk assessment reporting from management to identify new risks and report on the effectiveness of controls over existing risks. The reports must provide suitable levels of detail in a well-understood business context to enable directors to gauge the health of the business, as well as the effectiveness of the organization’s efforts in compliance management.
Boards have the interests of the organization as their focal point, but directors do not always have the experience, training or business context metrics to produce the proper guidance, guard against excessive risk or make decisions to move the organization forward. Boards must be actively engaged in compliance oversight, not passive bystanders. For its part, the organization must provide board members with the tools and contextually pertinent data to make decisions. Done properly, directors will have the insight and understanding to steer the ship. Done poorly, it is like putting on a shackle and walking the plank.
1 https://thefinancialbrand.com/60578/technology-expertise-banking-Boardrooms/
Joe Santangelo currently serves as the VP of Business Development and Principal Consultant at Teleran. He has been a technology professional for over 20 years, focusing on compliance, privacy, IT management and IT efficiencies throughout his career. Prior to joining Teleran, Joe was the Data Masking Sales Manager at Delphix Corp, where he spearheaded security solutions sales to the financial, health care and retail industries. At Delphix, Joe increased security solutions sales from 10 percent to 40 percent of total company sales.
Prior to Delphix, Joe was the top producing Sales Manager at Axis Technology, which was acquired by Delphix. While at Axis, Joe drove Security and Compliance solutions through partners and direct sales efforts. Before joining Axis, Joe was CIO of Citi Private Bank in the Americas where he led a team of over 150 IT professionals. While at Citi, Joe successfully executed a strategy to upgrade infrastructure and migrate legacy applications to modern platforms while reducing overall expenditures by 10 percent. In addition, Joe introduced a project metrics and management system enabling the bank to improve on-time project delivery from 20 percent to 80 percent.
Joe is a member of the Society for Information Management (SIM), the Information Systems Security Association (ISSA) and the Healthcare Information and Management Systems Society (HIMSS), where he was chairman of the Privacy and Security Toolkit Task Force. Joe earned a B.A. from Baruch College in Business Administration and has a Master of Science degree from Steven’s Institute of Technology. 
