IT Oversight: Who on the Board Should Do It?
from March/April 2008
by Randy Myers
“If it’s dull, involves a lot of risk, or takes a lot of time, give it to the audit committee.” That’s the CEO of the National Association of Corporate Directors, Kenneth Daly, talking about how some boards handle the question. He’s only half-joking.
IT risk management may not be dull, but it certainly involves an element of risk, and many boards do assign oversight responsibility to their audit committees—if only because NYSE listing requirements mandate that those committees discuss the guidelines and policies affecting how risk is assessed and managed. Nevertheless, it is hard to imagine any company where all the issues relevant to IT risk can safely be vetted by this committee alone. “While audit committees have a responsibility to be knowledgeable about risk oversight, they are not the only ones that need to be involved,” Daly says. “Your board might need a technology committee.”
At the media and marketing-research company Arbitron Inc., according to Lawrence Perlman, 69, who retired as non-executive chairman in 2007, the tech committee “is a standing committee, strategic rather than operational, and it shares responsibility for IT risk with the audit committee.” The two groups hold joint meetings.
How do you decide whether to give responsibility for IT risk management to the audit committee or a more specialized technology committee? Governance experts at KPMG say the decision depends on the degree to which IT is a driver of your business and your business strategy. The more important it is, they say, the more having a technology committee makes sense.