island

Risk does not exist in a vacuum. Considering it as such is a sure path to poor performance.

A Governance Model for Risk ...

The National Association of Corporate Directors counts among its members a great many members of corporate boards (large and small) and their advisors and over time has contributed some excellent guidance on corporate governance.

Recently it made available a paper written by one of its members, Gerald Czarnecki, chairman and CEO of The Deltennium Group Inc. Cyber Threats Necessitate a New Governance Model reflects what I believe to be the personal opinion of its author. While this isn't noted, I am assuming (and hoping) that these opinions do not reflect the opinions of the NACD.

Czarnecki makes some solid points.

The paper's theme is that technology-related risks, including cyber:

  • Are the most significant risks to organizations, in general and
  • They are not getting sufficient oversight by the board and its committees, both in terms of time allotted and the technical proficiency of the board members and advisors.

I have some sympathy for this.

That Has Some Flaws

Czarnecki believes that just as businesses establish a separate and specialized committee to provide oversight of financial reporting, including the performance of the external and internal auditors, so should they establish a separate committee to provide oversight of technology-related risks.

At a superficial level, this makes sense.

Financial reporting is an activity somewhat isolated from business operations. It can be viewed and managed as what I would call a siloed activity.

But technology-related risks are not. In fact, it is better to call them technology-related business risks. They are not critical for their own sake; they are critical because failures to manage them directly affect the achievement of organizational objectives. They impact the business and its success.

  1. All risks should be managed and reviewed within the context of the objectives and strategies they affect.
  2. Discussions by the board on strategies and performance need to include risk.
  3. Considering risk in a silo, whether technology-related or something else, is the path to poor performance.
  4. Technology-related risks are not the only risks to any objective. Board and top management need to know whether the totality of risk to any objective or strategy means that they should take action. The level of any single risk may not be cause for action, but when all related risks are considered it may be prudent to change strategy or take other steps.

On the other hand, the board does need to find the time to obtain assurance that technology-related risks are being appropriately addressed by management.

For that reason, I can see a need — at some, but not all organizations — to have separate discussions, perhaps with a specialized committee established for this purpose, with technical advisors, to give cyber and other technology risks appropriate attention. Each board will have to decide the best approach given its structure, the level of risks, and so on.

But, and this is a big BUT, having separate discussions or even a separate board committee should not distract the board from integrating the discussions of risk — all risks — with strategy and performance.

I welcome your views.

Title image by Andrew Phillips