Posted by Blaize Horner Reich | 7 Dec 2009
CIOs need to ensure that their board develops an understanding of IT risk, argues Blaize Horner Reich
CIOs don't have to be told that IT brings risks to organisations as well as value - they are well acquainted with the issues that keep them and their managers awake at night. But are the members of their board of directors similarly informed? Recent research suggests that the very people hired to protect and enhance shareholder value may not have much knowledge about IT risk. They may realise that IT poses risks and should be discussed more fully, but lack the language or experience to do so.
Unlike in the case of financial risk management, which has a fairly mature governance structure (i.e. audit committees supported by internal and external audit groups), the CIO has no obvious allies at board level or in its subcommittees. Even in rare instances when CIOs are on the board (at 3% of large companies), they still need an independent source of governance, just as the CFO is answerable to the audit committee.
Without access to the board, the burden of governing IT risk is shouldered within the IT function, which may not have appropriate support or resources. More importantly, if a disaster should occur, the board may not have the know-how to respond correctly. It is in the CIO's best interest to ensure that their board develops an understanding and appreciation of IT risk.
Through extensive reviews of IT project failures and interviews with board members, we have identified a five-item IT risk dashboard for boards and questions for directors to ask to ensure they are fulfilling a minimum level of IT risk governance*.
One board member should be designated as lead "IT Director" (similar to the leads taken in audit, compensation, legal, etc). If there is no obvious candidate among existing board members, then the next board recruit should be a targeted one. Boards should also ensure that they get regular education about IT within their company. Their CIOs can create short, practical lessons for directors.
There are two areas of infrastructure risk - internal and external. Internal risk is usually well understood and well managed. However, external risk from malevolent internet-based sources such as hackers and viruses can cripple an organisation and put the company on the front page of the news. Board members may only perceive this threat from the perspective of their own personal computer. They need to understand clearly the organisational impact of events such as a prolonged denial of service. Only then can they appreciate the level of risk faced and appropriately fund and monitor safeguards such as external verification and security audits.
IT projects, particularly those which change core processes, can destabilise an organisation and halt its operations. Directors should understand what the organisation's track record is on key projects. If this is unsatisfactory, they should enquire about management actions to improve performance, such as a corporate project office and portfolio management processes. In extreme cases, they may want copies of the project dashboard reports. This level of governance needs a lead director for IT, or an IT committee, since reports and dashboards often need interpretation before they are useful to untrained board members.
This risk category refers to more than just plans for internal company operations should there be a local disaster. It also includes risks that partners bring - political, social and technical infrastructure issues that may impact services. For example, the board needs to consider the consequences of a strategic outsourcing supplier being crippled by a financial scandal. Directors should ensure that a comprehensive continuity plan has been prepared, and that the plan has been tested and found to be robust.
Data loss disasters and privacy laws have created an imperative for organisations to only collect the data that is absolutely necessary and to use these data only in the manner authorised. They must also safeguard the data from unauthorised use or modification. Boards need to satisfy themselves that appropriate policies are in place, that they conform to laws in their place of incorporation, and that, most importantly, a privacy officer has been named who possesses sufficient knowledge, time and authority to enforce these policies.
Many CIOs are not invited to board meetings and have no direct dealings with board committees. How might they gain access and influence? Our CIO informants had several suggestions:
Know your board
Find out who on the board is interested and experienced in IT. These people can be a pipeline into the board.
Network
Get invited to pre-board social events and make a personal and professional connection with potential board allies.
Alarm
If peer companies or other divisions have faced serious risks such as loss of data, circulate this information to board contacts and explain what you are doing (or would like to do) differently.
Inform
Fund a third-party risk assessment and use its findings to secure the resources you require.
Act
If you have concerns about your ability to manage a serious IT risk and are getting no support from your executives, ask to meet with the head of the audit committee.
The worst situation for the board is to learn too late that risks have been under-managed - when key information is stolen or a project halts the work of the organisation. Although it can be risky to involve senior people in IT risk management, it is even riskier not to!
* Parent, M. and Reich, B.H., "Governing Information Technology Risk", California Management Review, 50:1, Spring 2009
Dr Blaize Horner Reich is RBC Professor of Technology and Innovation at the Segal Graduate School of Business, Simon Fraser University in Vancouver. Her research centres on governing IT risk.