Facing up to technology risk: implications for corporate governance

On Thursday, September 30, Stikeman Elliott hosted a client seminar featuring Abhilash Bhachech from the Office of the Superintendent of Financial Institutions. Richard C. Owens and Mihkel E. Voore joined Mr. Bhachech as speakers, with Wesley Ng serving as moderator.

The seminar began by exploring risks faced by companies in an era of technology dependence.  Because of the multiple points of intersection between modern business and technology, these risks emanate from a number of sources.  Threats could be posed by the regulatory environment, such as non-compliance with IT control provisions of financial reporting regulations (such as Sarbanes-Oxley in the United States) or with data security legislation.  Threats can arise from service providers (for example, unmanageable expenses arising from a poorly drafted outsourcing contract) and competitors (for example, IP infringement claims).  Threats can also arise from catastrophic events such as 9/11, following which some companies were unable to promptly access their back-up data.  In addition, the corporation itself could be a source of technological risk if its IT infrastructure is not properly managed.  The rapid pace of technological advances and the inability of the development cycle to keep up means that technological change is also a major risk to IT systems.

The severity of these risks depends on how important technology systems are to a company’s revenues and its internal dependence on those systems.  All organizations which utilize technology bear some risk.  A food manufacturer, for example, might have significant vulnerability if its enterprise resource planning software and just-in-time communication channel were to become unavailable.  Thus the boards of all companies should evaluate technology-related risks and implement IT governance policies tailored to the specific risks faced by their companies. 

Mr. Bhachech and Mr. Owens each concluded by outlining some best practices that boards of directors can consider depending on the severity of particular risks faced by companies.  A fundamental problem with the complexity of information technology and corporate governance is that the board is often dependent on the very people it is supposed to oversee.  In other words, some boards rely on a company’s IT group both to understand and to oversee that group’s own work.  In the same way that boards often include legal and financial experts, technology experts can be added to a board’s membership to ensure that the board has some independent expertise.  Boards can also strike IT committees with a mandate to implement and oversee an IT governance plan.  A C-level executive office can be added or modified to oversee the management of technology risks.  Importantly, however, all of these measures are more effective if a culture of communication between the various departments of a corporation is fostered.  It is also important that managers be willing to engage with risks and opportunities.

You can view the presentation slides here