Read this interesting blog about Virgin Group’s Risk Management Strategy.
(Extracted from PWC’s ‘To the Point’ series – Spring 2011)
Some directors may be uncomfortable with the subject of information technology. Given how complex companies’ enterprise systems are, directors may be unclear about the questions they should be asking or the answers they should expect. But for some companies, where IT enables the company’s operations, it represents a major risk that boards should oversee.
How does a director know whether to step up the level of IT oversight? Much depends on the company and its complexity. Greater director oversight of IT is likely warranted if your company:
- has a high volume of transactions; for example, a financial services company
- collects and stores sensitive data about third parties (customers, patients)
- has an open access network or open databases, allowing entry to the system by outsiders
- maintains proprietary know—how, processes, procedures, or other intellectual property
- has a multi—national scope
Even if your company doesn’t have these environmental factors, you should consider the need to increase director oversight when the level of IT risk increases, such as when:
- major IT projects are underway—new systems, technologies or platforms
- integrating programs from more than one platform—using “best of breed” products from different providers that require “bridging” programs to pass data from one platform to another
- integrating an acquired business—especially one on a different IT platform
- technology is enabling a new corporate strategy
So, how can boards be comfortable they are in a position to oversee IT risks that are important to the company? By
- having someone on the board with reasonable technology skills,
- asking the right questions and applying skepticism when considering the answers, for example, by asking follow—up questions and seeking corroboration through other sources, possibly an independent board advisor
- understanding the full cost of technology, including the consulting fees to install the systems, as well as the licensing fees, equipment, training, maintenance, etc., and assess the implications of any cost variability
- getting regular updates on project status and understanding the factors that would signal when a project is in trouble
IT oversight often falls to the audit committee, though strategically significant technologies might be overseen by the full board. And it’s important to realize technology oversight doesn’t end with major systems as we’ve discussed here. Directors should be aware of and comfortable with the company’s web presence, as well as its use of social media and its policies governing such use (see also To the Point, “Social Media: What Directors Need to Know,” Summer 2010).