Managing Risk from a Board's Eye View

Intensified concerns about risk management, auditing and fraud detection, and corporate governance have sensitized boards and top management teams to adopt an even more active role in the oversight of business strategy and key enterprise activities. Significant regulations such as the Sarbanes-Oxley Act, the Health Insurance Portability and Accountability Act and the Patriot Act have further raised the stakes.

The failure to meet the required attestations, unintended violations of privacy and confidentiality, or heightened vulnerability to identity theft are likely to invite adverse reactions from regulators and from the stock market. As business technology becomes embedded in core organizational processes, control systems and decision support systems, it is vital that boards appreciate the material risks arising from technology and understand the risk-mitigation strategy.

An enterprisewide perspective is needed to guide the use of business technology in implementing effective, economical enterprise risk management systems that facilitate both management control and performance auditability. With greater complexity in the processes and structures for managing business technology (as a result of outsourcing, offshoring, and applications and Web site hosting, for example), there is a need for more sophisticated models of enterprisewide risk assessment that factor in not just the internal risks, but also the risks inherent in sourcing and external partnering.

Boards and top management teams must actively oversee how business technology risks affect the business, and ensure that the governance systems are effective in mitigating those risks. Boards must remain vigilant, always looking at both the business and technology sides of their organizations.

Dr. Leslie Willcocks, professor in technology work and globalization at the London School of Economics, observes many companies and has a deep understanding of the risks they face and how well they manage them. According to Willcocks, one of the most common risk-related issues organizations face is strategic in nature, caused by a disconnect between technology and the business. He explains:

A frequent problem I see is that the business doesn’t understand how technology can be used. They don’t have a technology view of their business. People very often accuse IT people of not being business-focused. But I think there’s an alternative accusation: Business managers and business strategists don’t really have a technology view of their business, and yet this stuff is absolutely in the skeleton of the operation. It’s a two-way thing, and quite frequently, technology gets blamed for things that business people are not actually doing themselves.

Strategic risk refers to the vulnerabilities companies face because of poorly envisioned or executed business strategies. Within business technology management, the focus is on risks at the intersection of business technology and business strategy. Regulatory compliance refers to corporate adherence to the various regulatory expectations related to financial reporting and data management. Poor regulatory compliance exposes the company to civil or criminal liability and to shareholder lawsuits. Other forms of risk include systems and sourcing risks. Although business and technology executives are likely to manage those forms of risk, the management of strategic risk and regulatory compliance must reside at the board level.