Tuesday, September 4

Company Boards lack understanding of IT risks

This report, I am afraid, is one of the d'oh variety. The problem of understanding complex information technology is not new and has persisted for a very long time. What complicates matters is that the understanding of technology and its business impact and usage is becoming younger (technological knowledge becomes obsolete faster and faster), more distributed and diffuse (more offshoring and outsourcing means that knowledge of applications and technology is spread far and wide), and at the same time more concentrated (the locations where application and technology development is carried out are concentrated heavily in only a few places).

All this leads to a situation where senior management and boards do not understand what technology is doing to their business, what risks they face, what they can do, and what questions to ask. This is why boards are very rarely able to manage the reputational risk arising from technology-led operational risk, such as loss of customer data or downtime of customer-facing technology (POS terminals, ATM machines, etc.); such events are very difficult to manage.

I would think one solution would be to have the CIO brief the board regularly, alongside the CEO, if the firm has a large technology component.

I quote from the report:

It found that in three-quarters of organisations, IT-related risk, in particular the potential for complex projects to fail, has risen higher up the board agenda. Indeed, almost nine out of 10 senior management respondents said that it is a major challenge to respond to the pace of change in IT.

The survey also highlights a lack of mutual understanding between the board and IT professionals over how to assess risk. Over a third of senior management respondents and almost half of internal audit heads feel that IT professionals lack the ability to communicate IT risk and its potential business impact in a way that the board understands.

"Assessing risk is a team game," he said. "Boards, in particular most non-executive directors, simply don't have inherent practical experience of IT risk, as one of our internal audit heads reminds us, and this means they are unlikely to understand the full extent of the risks and opportunities that technology presents to their companies."

All this to be taken with a grain of piquant salt!!!
