Boards Should Ask IT About Overlooked Risks - As seen in AgendaWeek February 8, 2016
While cyber security has been an important issue for boards to monitor, too much focus on this area can distract directors from a potentially bigger issue: risks lurking within the IT function.
They don't garner headlines, but other IT risks can be even more severe than those related to cyber security. IT risks generally have two causes: either IT departments are doing their work poorly, or there are things IT should be doing but isn't.
For example, IT executives and boards may underweight the risks embedded in Enterprise Resource Planning (ERP) systems. Such systems process the millions - or even billions - of transactions that make up the beating heart of most organizations. If the heart stops, or even flutters, organizations could suffer great distress.
Some organizations have invested heavily in developing proprietary ERP systems. Others have purchased and customized ERP systems from vendors such as SAP and Oracle.
As organizations change and technology evolves, however, so too must these systems. Yet every change introduces risks that could be catastrophic. In one well-documented incident, the failure of Hershey's 1999 ERP upgrade project crippled the company during a key season and caused an 8% drop in its stock price.
Even more insidious, however, is the accumulated operational risk (sometimes called 'technical debt') created by deferral of system maintenance and associated documentation.
For example, software changes should be made thoughtfully, and should blend into a system's overall architecture. Every change must be thoroughly tested and properly documented to provide adequate control.
But budget and time pressure can lead to rushed design, poor programming, and skimpy or nonexistent testing and documentation. Over time, an organization's critical systems can tangle into a poorly understood mess of badly made changes.
Even if a company spends millions on a vendor ERP system, the risks remain, because budget pressure may prompt it to defer installing vendor releases. Deferring releases can force IT departments to implement their own changes to the vendor's system when critical problems arise, and those changes could be as poorly wrought as changes to in-house systems.
To address the inherent murkiness of IT risks, boards should question CIOs during regular reviews about the state of the organization's core ERP systems. Ask about the age of ERP systems and the amount of time elapsed since the last major version was installed. Old systems, or those that haven't been upgraded in a long time, could increase the risk of problems such as those that afflicted Hershey's.
If vendor systems are involved, directors should also ask questions about the degree of in-house customization, which also increases risk. Boards should also review the way changes in business process and technology are monitored and integrated into ERP systems. Workarounds can weaken controls.
Ask about maintenance management and upgrade strategies to assess the risk of falling behind on technology. And ask how much of the relevant IT budget goes toward maintenance versus adding new business capabilities.
Another type of IT risk arises when IT doesn't assume the important role of scanning the horizon for disruptive technologies.
In order to adapt to these emerging technologies, boards need to ask more pointed questions that relate to how IT fits into various business units.
In doing so, directors may find themselves engaged in a discussion with management about the relationship between IT and the rest of the business.
Boards should also probe how the marketing, sales, and customer service channel investments are shifting as more consumers go mobile-first, and they need to find out how IT is planning to adapt with apps and responsive websites.
Some disruptive technology, such as cloud services, also raises the risk of employees using technology outside the purview of IT. Boards need to find out how IT can handle the cyber-security and data-integration risks if, for example, the sales department goes around IT and implements a cloud CRM to track leads.
By keeping a wide view of risk rather than looking only at cyber security, boards can provide better oversight of the threats facing a company and be prepared to seize the opportunities that disruptive technology creates.
Award-Winning CEO Coach/Assessment Expert/Helped 3000+ Leaders Excel Even Further
Applause, thanks for an excellent post. Boards need to look more broadly at IT risk and be better prepared to provide oversight, as you stated. Hopefully boards will continue to increase the number of directors who understand technology.
Chief Data Officer | Human Design | Coach | Digital Architect | Investor
Well said, Wayne. Continuous development (as opposed to finite development projects) feels like one of the most promising strategies to reduce IT risk going forward. Your thoughts and the thoughts of your readers?
Advocating for submarine veterans nationwide.
Wayne, thank you for this insightful and timely post. Many times in the past I have seen companies become so concerned with the financial bottom line that they react in haste to cut the most expensive department, IT. Little do they realize the plethora of negative business impacts, and the multiplication of IT-related costs, this decision incurs. I've even observed some which were driven to bankruptcy or out of business for failing to consider the business risks associated with cutting IT costs. You could not be more accurate in your assessment that failing to consider these risks will very often have a profound negative impact on the business. We within the IT community need to identify ways to better communicate this to our customer, the business, and it needs to start at the top with the CIOs and Directors of IT. We only damage ourselves and our reputations when we remain silent and do not raise the flags of caution.
CXOGLOBAL100 Executive Recruitment & IT Staffing. Help mitigate Staffing pain points, bottlenecks. Delivering the best, brightest business Technology C-Suite/Critical Thinkers inside the Fortune based/enterprise markets.
Wayne, I enjoyed your article and found your content relevant & interesting. The end result of Corporations & BOARD Rooms requiring their leaders to be SMEs well versed in all aspects, not only INFORMATION TECHNOLOGY, not only Business operations, in order to compete in today's + next generation commercial environments: our leaders must become a hybrid "Business Technology" SME. The demand for the well-balanced BT CXO is well exceeding current market supplies. CXOGLOBAL100 receives calls on a daily basis looking for this rare breed. A combination of Customer/Market demand and advice from our private advisory group members: CXOGLOBAL100's service offering now includes the ability to identify, qualify, and deliver BOARD OF DIRECTORS Seat opportunities for the best companies worldwide. Talent knows talent! Way to be insightful. Keep it coming. Greg Raymond, CEO, CXOGLOBAL100