
The danger of an arrogant board

I worry when I see consultants and thought leaders say the board needs to include experts on cyber or other topics.

I agree that cyber is one of today’s hot topics and represents a risk to pretty much every organization.

But is the answer to have a director who is considered a cyber expert?

After all, that usually means having one director who understands information security issues, probably because they served as an IT executive or had a leadership position with a consulting organization.

One person who is limited in the amount of time they spend talking to management, a part-timer who is unlikely to fully understand the complete range of technology used by the organization, how it is used, the process for managing it, and the people relied on to address related risk.

One person who is almost certainly spending the great majority of his or her time running their own consulting business – or is retired and may no longer be current and up-to-date. After all, this is a dynamic technology environment.

For example, I have what many would consider a strong technology background. I was a senior IT audit manager with one of the Big 4 audit firms, was the executive responsible for information security and governance for a major financial institution, and had both the IT audit and IT quality assurance functions report to me.

But while I still understand the principles of technology use and related risk, I would not position myself as an expert.

I would not be comfortable having any board rely on me for assurance on technology risk.

I would only be comfortable if I was able to surround myself with experts on whom I could rely. (I was fortunate to have several during my time as CAE.)

Boards should, in my opinion, take the same approach.

Rather than relying on the mistaken belief that a single board expert (who may not be current) can cover a critical topic, they should ensure that management has the personnel they can rely on.

The board should question management with an appropriate level of professional skepticism in discussions about cyber.

Management presentations and the ensuing discussions are opportunities for the board members to seek and gain assurance that management has a good handle on technology-related risks.

The goal should be to get comfortable with management rather than to decide themselves whether cyber is properly managed.

Cyber is just one of the topics requiring specialized experience and insight. Others might include commodity and/or currency hedging; compliance with anti-bribery and other regulations; conducting business in China and other nations; the activities of competitors; and so on.

The board cannot be an expert in every area of risk.

They cannot have an expert on everything.

Believing that they can discuss cyber and all other specialized areas and decide whether risk is at desired levels is, in my opinion, both arrogant and unwise. One former CIO who talks to the company’s technology people once a quarter is insufficient.

Boards are generally composed of current and former CEOs, CFOs, and similar. The directors are experts in the specialized area of hiring good people and monitoring their performance.

I would much prefer that board members not just once but continuously assess the executives individually and as a team.

Are they competent and capable of managing the organization to success, including addressing issues like cyber, economic disturbances, and so on?

So while I would be happy to serve on a board as their technology or risk management expert, sadly that is not the answer.

The answer is to have confidence in the people who run the organization every day.

Some may say that the board needs a technology person to ask the right questions and know when the answers are poor. My answer to that is that I need a CEO who can ask the CIO and others on his team the right questions. I need a CEO who can be comfortable that cyber is being addressed every day, not just once a quarter.

The board should be able to assess the CEO and how he or she works with the CIO, CTO, CISO, and so on to manage cyber risk.

I welcome your comments.

  1. Jai
    August 7, 2016 at 5:39 PM

    Whilst I agree that we do not need cyber or IT experts on the board I do believe that board members should have some understanding of IT issues in the same way as they are expected to have some understanding of finance. However, having some IT expertise on board would, in my view, be an advantage and not necessarily lead to arrogance.

  2. Peter Westerhof
    August 8, 2016 at 2:32 AM

    Indeed. Manage the risk, not the subject matter!
    As one’s partner’s pregnancy is a risk, do *not* start managing her pregnancy!

  3. August 8, 2016 at 5:46 AM

    Good article that, through the perspective of Cyber Security, opens up a more general point on how boards handle risk areas those on the board may be unfamiliar with. The challenge being to have members with sufficient knowledge to recognise risk or opportunity, question management and, where necessary, engage SMEs. Your suggestion of continual review at board level is necessary to ensure the board remains competent and capable of understanding and adapting to the complex and dynamic environment on which they depend in terms of threats and opportunities.

  4. August 8, 2016 at 7:31 AM

    Thank you Norman. This is a real issue for boards. Directors want to help. It’s a human response. But good governance demands separation from the operations of the governed organization. Instead, ask the CEO to report on how the risk is being managed and whether he/she trusts that the management team and its resources are adequate to allow everyone to sleep nights.

  5. Olayimikah, France
    August 8, 2016 at 8:33 AM

    I cannot agree more with you that the board cannot be an expert in every area of risk. Assurance on risks especially strategic risks is first obtained from the collective system of assurance that has been put in place. The Board should focus on the “big” picture i.e. the shape of the forest and have management focus on the species of individual trees in the forest (report of individual or sets of trees will be reported up to the board where an identified “disease” may affect 40% or more of the entire forest).
    There are two key areas to examine. 1. The Board must be knowledgeable enough to ask the right questions – this presupposes they know what to ask for; and 2. The existing system of assurance.
    On the first area, how do we ensure the Board is knowledgeable to ask questions that are pertinent to strategy attainment? How do we ensure our Board remains proactive and not reactive in issues of strategic risks? This is where the Board development programme and the engagement of subject matter experts, typically consultants, come into play.
    Once an emerging risk that would impact strategy attainment is identified, the Board needs to be brought up to speed on what the risk is, and how strategy attainment may be negatively impacted if not contained, including a synopsis of “what good looks like”. Once equipped with what to look out for, the Board can collectively carry out its oversight duties, and not have to rely on one individual (who may get hit by a bus before the board meeting!).
    The second key area is the system of assurance in place and by this I refer specifically to the Three Lines of Defense (LOD) model, working in tandem. Using the example of the technology risk, we have the CIO (1st LOD), the CRO (2nd LOD), and the CAE (3rd LOD), each with their respective team of experts.
    The CIO with a team of technology experts are the operational managers of technology risk, and they ensure the risks are identified and mitigated as the case may be, and attest to this (Attestation Model). The CIO will also give assurance to the Board IT Committee (Institutions with IT as a key strategic risk should have this board committee constituted, where independent IT experts may be engaged).
    The CRO and team of risk experts (including technology risk expert) gives assurance that technology risks (existing and emerging) are adequately identified and treated as documented, and gives its attestation to the CEO and Board Risk Management Committee.
    The CAE and team of experts (including technology / information security expert) gives assurance to the Board Audit Committee, in addition to that given by the External Audit team on technology risks.
    The several committees – BITC; BRMC; BAC will each give its report to the Board, where further questions may be asked (since the Board collectively knows what “good looks like”).
    In summary, where the risk governance structure is well established, and all parts are working together as a well-oiled engine, having an individual as identified “expert”, who will be relied on for assurance, may well be a recipe to enhance “silo” mentality (arrogance as Norman puts it) ... and ultimately ... failure.

  6. August 8, 2016 at 11:30 AM

    Having a cyber expert on every board is not a good idea and not possible; there are not enough real cyber experts available.

    In today’s world, boards should be focused on “connecting the dots” (dots include: systems, department personnel, location personnel, resources, pre-incident indicators, social media leakage, situational awareness, etc.) because the evidence clearly reveals the key to successfully intervening and preventing incidents and tragedies is eliminating the common excuse “we failed to connect the dots”, not adding more silos, egos, arrogance, etc.

    For Boards, having vetted resources and MOUs in place with experts and resources (internal and external) and making sure a “connecting the dots” platform is in place for their organization is vital.

  7. August 10, 2016 at 1:13 PM

    Boards should be made up of individuals with diverse backgrounds; it helps if collectively they have expertise in areas such as finance, administration, technology, compliance, risk management and the business of the company, but diversity in race, age, gender and religion is also critical. A well balanced board will look to its members for insight, but no member should be considered to be “the” expert for a particular subject matter. Train your boards in ERM and use the ERM process to manage the risks.

  8. August 10, 2016 at 5:40 PM

    The “expert” discussion is one we’ve heard before with regard to “financial experts” in the boardroom. Here’s a post that explains what I mean, but ultimately Boards need cognitive diversity that reflects the complexity of the businesses they govern, including director cybersecurity skills given the persistent and pervasive nature of this risk, and the competitive risk of IT more broadly.

    http://tcbblogs.org/governance/2016/06/16/are-cyber-experts-on-boards-inevitable/

    • Eng. Misana Mutani
      September 4, 2016 at 7:31 AM

      Well said, Bob. Lacking those skills, BODs can be dragged to dreadful endings, or wake up when it’s too late. Many current tech guys will try to cheat their way around to accomplish very little value for themselves instead of actually securing the organization. We don’t have many with the necessary integrity, so to say, instead of just trying to be smarter.

  9. Anthony Padilla
    August 18, 2016 at 8:39 AM

    The position expressed reflects traditional thinking which gives boards a pass to continue their old ways. Bring in the cronies, the prestigious, the unknowing that too often comprise boards. Has the time not come for boards, given their expanding risk profile, to bring on a corps of experts, trained in effective board governance, who in effect bring expertise that mirrors that which should exist in the firm? They would be most capable of evaluating, disseminating and recommending effective board actions on areas such as ERM, Technology, Financial, and other cornerstone activities that drive the business. Strapping on consultants, who have no stake in the outcome other than fees, to educate part timers on key issues, will result in deficits in board effectiveness, and create an ongoing revolving door of paid outsiders every time a new issue or industry challenge surfaces.

  10. Anthony Padilla
    August 18, 2016 at 8:45 AM

    As a quick follow-on, those expert board members I refer to are compensated professional board members. It is their job to be on boards as experts in their field. They stay current on events and the latest literature and bring in that knowledge as current and relevant. So I advocate that 3-5 or 25% of positions on boards be populated by professional board members who will expand the board’s knowledge and understanding of current events and issues, and thereby be able to not only question but to support and understand management’s activities.

    • Norman Marks
      August 18, 2016 at 8:49 AM

      Anthony, nobody has ever before said I thought in a traditional way!

      My point here is that there are so many areas of concern, each requiring specialized knowledge, that it is impossible to have a sufficient number of experts on the board – especially since it is probably not good practice to rely on a single individual for oversight of a critical area.

      In addition, the board members are only active with the organization occasionally and these critical areas need to be managed every day.

      The board should have the ability, perhaps by bringing in expert advisors from time to time, to obtain assurance that Management has the ability to address each and every critical area.

      The time for cronies is passed. The time for professional and competent skeptics on the board is now.

      Noses in, fingers out.

      Does this clarify my position?
