Is Your Board Effectively Managing Risk?

By, Stuart R. Levine

Published in, Forbes

Prioritizing risks is critical for any organization. Disruptive innovation is driving cyber threats and having cultures that are resistant to change is a major risk as well. Although evolving risks may vary based upon industry, there are risks that are shared across organizations globally. And the importance of having open conversations that share evolving risks that change every day is critical.

Organizations must establish clear communication that begins at the top . The executive team is responsible to explain why there is a need for change and to encourage behaviors that include knowledge sharing. This effective communication will help to adjust business models focused on values that lead to better outcomes.

The board owns the responsibility to monitor risks . These risks include ensuring that trusted partners are vetted and understanding what threats look like to make sure the organization is protected. Board members need to ask the right questions around ERM (enterprise risk management) policies and ensure that an accountability dashboard is in place. It can help if a third party with expertise in risk management can begin a conversation with the board.

If organizations don’t embrace disruptive technologies, they could be put out of business. If you embrace too early, you might be at risk and waste resources. These are conversations way beyond the IT department. How are these business risks controlled? Experts can frame the discussion around business, finance, technology, risks and threats. These can help to establish key metrics to think about every 6 months and recalibrate for new environmental factors.

Scott Laliberte, author of HACK I.T. and Defend I.T. as well as Managing Director of Global Information Security Practice at Protiviti, a global consulting firm with deep expertise and technology insights, recently joined me for a Passageway’s webinar on this very topic. When the audience was polled to ask what they considered their #1 top risk for 2018, the answers were not surprising. The number one risk was an organization’s ability to identify and escalate issues. The following were also top concerns: rapid speed of disruptive innovations 22%, our culture is resistant to change 20%, cyber security threats 20% and regulatory changes 11%.

From a board level, when the question was asked on the webinar, “Is there a system in place for regular cyber reporting on the board?” the answers were a little more surprising. 54% of those surveyed answered that they rely upon their internal IT/Cyber expertise and 38% answered that there is not enough time dedicated to education to navigate risks effectively. Only 5% responded that they bring in cyber experts on a regular basis and only 3% answered that they have a dedicated board member with cyber expertise. Additionally almost one third of all participants believed that their business risk environment was either monitored, but not effectively or not monitored at all.

The bottom line is that organizations need to step up their strategies and education around these mission critical threats. Having response plans in place to both government authorities and key stakeholders is essential. According to a new report from Marsh and Microsoft, “By the Numbers: Global Cyber Risk Perception Survey,” only 19% of the 1,300 senior executives polled said they were highly confident in their organization’s ability to sufficiently respond to a data breach. Knowing the right questions to ask and establishing the right culture where people are not afraid to share for fear of retribution is critical.Advanced machine learning, virtual reality, intelligent apps and digital technology platforms all carry complex and potentially dangerous security situations as well. According to a November 2017 Gartner report, only 45% of IT professionals believe that IT spending should be controlled by the IT organization.

The use of machine learning will have a profound impact on both our workforces and our organizational efficiencies with better customer insights through the leveraging of data.   Boards should be asking about the data their organization’s own, what can be done with it and understanding its value. As a fiduciary duty, they need to review emerging technologies and their associated processes.   According to Ajay Agrawal, Founder of the Creative Destruction Lab, “AI makes things faster, better and cheaper. And sometimes, rather than just enhancing the ability to execute, it changes the strategy itself.”   As prediction gets better through AI, however, the importance of human judgement and taking action becomes accentuated.   This is a very positive and hopeful way to view and understand our role in technological disruption.

We are challenged to make better strategic decisions that are more accretive to the people we serve, including making ethical judgements about how systems are used.   Boards need to not just look back ensuring a level of satisfaction with the quality of the information they are obtaining, but they need to look forward.   The future is now more important than the past according to Vivienne Ming, Founder and Executive Chair of Soccos Labs, because you can do something about the future. Good governance from boards and greater interdependence and strategic communication between the C-suite officers, strategic officers, IT and other leadership becomes critical for navigating these new waters.