SureStep - GRC/ESG Advisory, Consulting and Implementation Solutions. Canada, USA, Singapore, Hong Kong
How Corporate Boards Should Handle Technology Governance

Harvard Law School (HLS) identified risk management as one of the key issues for corporate governance in 2023. Citing some examples of cases in which courts pointed out a lack of board engagement with safety issues, HLS emphasized that “Boards are expected to oversee significant and critical risks and to document their oversight of the strategies, policies, and procedures adopted to address those risks.”

However, many boards lack the technology expertise needed to understand and control the risks associated with technology initiatives. This knowledge deficit is becoming a greater liability for companies as digital transformation takes on a larger role in business strategy.

When corporate boards are knowledgeable about technology and play an informed role in making decisions about technology projects, companies avoid risk, have a better sense of progress, and successfully align their business and technology strategies.

Why Boards Need to Play a Role in Technology Governance

Boards are at the highest level of decision making for organizations. IT leaders must get approval from the board and the C-Suite to carry out digital transformation initiatives. When boards don’t understand technology, they risk endorsing implementation plans that are more expensive and complex than is necessary.

Boards that are armed with the necessary knowledge can help guide company leadership in its approach to technology by asking the right questions, encouraging technological innovation, and establishing the correct metrics to measure progress. The board needs to provide leadership now that technology plays a strategic and operational role across the business.

4 Models for Board Engagement With Technology

Depending on the type of company and how large a role technology plays in business strategy, boards must choose and follow the appropriate engagement model for technology governance.

While McKinsey & Company found that the most common engagement model for boards is the technology committee, the research firm identified 4 models for board engagement and their use cases:

  • Regular, Full-Board Engagement
  • Standing Technology Committees
  • Temporary Committees and Third-Party Expertise
  • Informal Board Engagement

Regular, Full-Board Engagement

When technology drives or impacts every aspect of a business, the board must have a high level of engagement with technology governance. Regular, full-board engagement is the appropriate model for companies in the software, commercial internet, or communication services industries.

Every director on the board should have the expertise to understand how technology affects the business. Directors should be capable of navigating issues related to technology, such as company strategy, operations, and governance. The board can be supplemented with a technology committee to examine specific areas more closely.

Standing Technology Committees

A standing technology committee is the appropriate engagement model for companies with larger boards where technology is important but not at the highest level. For example, companies in finance that rely on technology or retailers that use e-commerce benefit from this model for governance.

At these types of organizations, technology presents a competitive advantage, so boards need a standing technology committee to help directors understand how corporate and technology strategy are connected. Technology committees help prioritize decisions by explaining the implications of key metrics related to risks, such as cybersecurity.

Temporary Committees and Third-Party Expertise

Corporations where technology is a lower priority benefit from engaging with technology through temporary committees or third-party expertise. These temporary committees can help boards make decisions related to cloud migration, new digital business initiatives, and technology integrations after mergers and acquisitions, as well as after cyberattacks.

Temporary committees may be formed from board members or prior IT leaders, such as CTOs or CISOs. Third-party expertise can be gained by bringing in external advisors. These committees should be formed to handle a specific initiative or issue related to risk after engaging in deep discussions about the time and resources needed for the committee.

Informal Board Engagement

For companies where technology has a lower level of importance and the board has a lower level of understanding about technology, informal engagement is the correct model. At these companies, business units may want to leverage technology, but management has difficulty conducting board-level discussions about items on the agenda related to technology.

In this model, an experienced board director gives part of the management team regular and focused guidance through training and mentorship on technology topics or on how to position the progress of technology initiatives to the board. Informal engagement works for companies whose boards have one or two directors who understand technology and whose management needs guidance and support for technology.

Choosing the Right Model for Board Technology Governance

When it comes to technology governance, even top corporations need to do better. While research from McKinsey showed that boards recognize the importance of technology, only 12% of Fortune 500 companies have technology committees on their boards. Often, technology is a minor topic of discussion on risk and audit committees.

Before choosing a model for engagement with technology governance, your board of directors needs to figure out what relationship your company has to technology and what the board’s level of technology expertise is.

If you need help making these determinations or want to leverage outside expertise for targeted decision making regarding technology risk management, SureStep can help. As part of our Advisory Services, we offer consultations for governance, risk, and compliance (GRC).

SureStep can work as a trusted advisor to your company, helping you understand how risk affects your company and guiding your leadership in assessing and managing risk.

Get advice on how to improve corporate board engagement with technology risk management. Ask for an Integrated Risk Management Consultation from SureStep.
