Do You Know How Your Company's Computers are Behaving?
from March/April 2008
by Randy Myers

Mention IT risk to many directors and they quickly think of things that can go wrong: the multimillion-dollar installation that fails to deliver promised efficiencies, the accounting-software snafu that creates faulty financial reporting, the security breakdown that exposes confidential customer data to potential identity thieves. But holding such a narrow view of IT risk management has itself become risky. “Technology used to be the thing that ran the back office—the accounting and inventory systems,” says Bob Golden, executive vice president in charge of corporate operations and systems at Prudential Financial Inc. and chair of the financial-services giant’s operating-risk committee. “Today, for us and most companies, it’s part of the strategic business system; it allows us to develop and create new products and execute our strategy.”
The idea that IT risk management must focus on active as well as preventive measures is catching on. Ohio-based Park National Corp., for example, a medium-size bank with $6.5 billion in assets, last summer offered business customers the ability to scan and deposit checks electronically, a service that had begun to creep into the marketplace only two years earlier. Failing to embrace new technology like this, its directors feared, might drive customers away. “In our industry, you have to remain competitive or lose a slice of your business,” says Park National chairman and CEO C. Daniel DeLawder, 58. “Younger-generation customers have very high expectations. If you don’t keep up, they’ll find another bank that will.”
In a 2006-07 survey conducted by the Audit Committee Institute of Big Four accounting firm KPMG and the National Association of Corporate Directors (NACD), audit committee members identified IT governance as a top oversight priority for 2007—and fully 80% worried that their own management’s IT governance processes were only somewhat effective or needed improvement. Results from other surveys suggest that those concerns were well founded.
No laws require that directors monitor IT risk specifically, or that they be experts in information technology. But Kenneth Daly, CEO of the NACD, notes that New York Stock Exchange listing requirements do state that audit committees must discuss the guidelines and policies a company has in place to assess and manage risk. Attorney Geoffrey Vance, a partner in the trial department at McDermott Will & Emery LLP in Chicago, says that in certain legal situations—for instance, when companies involved in litigation fail to preserve electronic communications such as e-mails—“there could be some derivative liability on the part of directors.” Beyond all that, paying attention to IT-risk oversight just makes sense, since the goal is to prevent mishaps and promote innovation (a dual process known as enterprise risk management or ERM). “If you’re running a business and the failure of your IT platform could cause you to lose money or production capabilities, and you haven’t properly assessed and managed that risk, I think you’re underperforming your duties as a director,” says Jim Rosener, managing partner in the New York City office of law firm Pepper Hamilton LLP.
The security-software and consulting company Symantec recently defined IT risks as those relating to an organization’s use of information technology that could lead to the loss of data, productivity, or business opportunities. Management’s job is to identify these risks, develop processes and procedures to mitigate them, ensure that the processes and procedures are being followed, monitor the results, and report them to the board. The board’s job is to make sure the steps are being properly taken. “But many times boards don’t have an adequate skill set when it comes to these matters,” Daly says. “I suspect some board members don’t know the right kinds of questions to ask, and if they did ask them wouldn’t necessarily understand whether they were getting good or bad answers.”
One solution, of course, would be to enlist directors with expertise in information technology, as Apria Healthcare Group, a provider of home health care, has done. In 2006 it invited Mahvash Yazdi, 56, chief information officer of energy-services company Edison International, to join its board. Apria is now implementing a number of major IT initiatives, including ways to deliver information more effectively and to automate various customer-information systems, and IT risk appears regularly on the board’s agenda.
Even if you’re a technology neophyte, you should be able to tell if your company isn’t paying enough attention to IT risk. “Look at your board agendas and see how much time has been spent on the subject,” Daly suggests. “Inquire as to the last time you had the CIO in front of the board or the audit committee, and what that person said about the risks associated with information quality. Our experience is that many times the CIO has never come to an audit committee or board meeting, and the directors rely on the CFO or someone else to respond to their inquiries. I do not believe there is a whole cadre of CFOs out there who have an in-depth understanding of putting in an ERM system.”
John M. Farrell, national lead partner of KPMG’s enterprise risk management services practice, says directors should worry if management hands them a list of the company’s top 10 or 20 risks and none is related to IT. The board should get an analysis of the company’s use of and investment in technology relative to its peers’, as well as whether the company routinely misses target dates for IT projects. Daly says directors should ask about IT project-management capabilities. And Yazdi says they should determine whether day-to-day IT services are reliable. “If the organization isn’t able to deliver on routine IT services,” she says, “what guarantee could they possibly offer that they can deliver on the bigger projects?”
A good way for the board to start an IT risk-management discussion, says Prudential’s Bob Golden, is to ask the executive team if the company has a process for making technology risk assessments. In those assessments, business units and functional departments such as finance, IT, and human resources should be cataloging the risks they face and the measures they’ve taken to mitigate them.
“Assuming that is going on, as a director I would ask to see a copy of the report of each of those assessments,” Golden says. They should be written in plain English, he adds; if they’re too technical, not only won’t the directors understand them, but neither will the business-unit heads who need to be able to act on them. Once the board has checked over the reports, says Golden, it must make sure the business heads have read them and agree with them. “If the company has a separate risk-management department, make sure it’s read them too.” If you’re uneasy about what you find—say you get a two-page outline and are told that’s the entire risk report—Golden says you should probably call in a consultant to assess the situation and, in all likelihood, develop a template for more thorough self-assessments.
It might also be a good idea to solicit outside help in assessing IT security risks in general, says Allen Goolsby, a partner with the law firm of Hunton & Williams in Richmond, Virginia. “I think there’s a natural tendency,” he says, “for people on the inside to be potentially defensive about their security precautions—to say, ‘We’ve got it all covered.’” He recommends that a board or one of its committees have an IT security risk assessment done at least annually, preferably by an independent third party.
Managing IT risk may not be within the board’s scope of responsibilities or capabilities, but making sure someone at the company is managing that risk clearly is.