Managing Directors’ & Officers’ Liability Risks: IT Risks and Exposure

Strengthening Boards’ Risk Management in a Rapidly Evolving IT Landscape

Technology and its associated risks are evolving faster than most organisations can absorb. Cloud migrations, cybersecurity threats, AI‑driven analytics and increasingly complex ERP landscapes are reshaping operational risk at a pace that challenges even the most experienced management and leadership teams.

Yes, I know that you know, but it is worth saying again: the best D&O liability risk management tool is exercising skill, care and diligence, including in relation to IT.

As a professional board member, you are also aware of your legal duty to ensure that the organisation’s IT environment is stable, secure and capable of producing reliable information for reporting, regulatory and decision-support purposes.

Boards are not expected to be technologists, but they are expected to exercise informed, proactive oversight. That expectation is rising, not falling.

One way to do this is to commission an independent IT risk assessment.

One of my clients did exactly that, focusing on the three IT risks most relevant to their organisation. I will share extracts of their journey here:

1. Operational Stability – can the IT environment support the strategic plan for growth?

From a strategic, corporate‑law and D&O‑risk perspective, this is not a technical question; it is a foreseeability and oversight question.

Directors must ensure that:

  1. The company’s operations are prepared for, and can run without, material disruption
  2. Past IT risks and failures have been understood, remediated and independently validated
  3. Management’s assurances are tested, not simply accepted

Why it matters legally: if the board allows the organisation to operate on an unstable core system while knowing there is historical evidence of failure, regulators and courts may view this as a breach of the duty of care and the duty of oversight.

Operational instability in ERP systems has repeatedly led to supply chain breakdowns, revenue impact, inaccurate financial reporting and loss of customers.

Depending on the governing law and jurisdiction, these can trigger shareholder claims and regulatory scrutiny, as well as increased insurance premiums or reduced coverage.

2. Cybersecurity Exposure: which vulnerabilities exist, and could they cause financial, regulatory or reputational harm?

IT environments are high‑value targets. Boards are expected to treat cybersecurity as a strategic risk, not merely an IT function.

The board of directors was particularly interested in:

  1. Independent penetration testing and SAP‑specific security reviews
  2. Confirmation that segregation of duties, access controls and patching are effective
  3. Evidence that the merged environment does not create new attack surfaces

Legal and liability risks considered:

  • Regulatory penalties, e.g. under GDPR or NIS2, or from sector‑specific regulators
  • Litigation and D&O claims alleging failure to supervise cyber risk – or loss of insurance coverage if the board cannot demonstrate reasonable oversight

3. Data Quality and Reliability – is overall data management sufficient to ensure the accuracy of the most relevant BI and reporting outputs?

Like other boards, my client’s board of directors not only needs to ensure financial reporting accuracy; it also makes decisions based on management reporting. If the underlying BI data is unreliable, the board’s ability to fulfil its duties is compromised.

Often this is treated as an internal matter, yet an independent assessment has its advantages, and in this case a few areas were chosen:

  1. Independent validation of data lineage and data quality controls
  2. Reporting logic, master data and consistency across integrations
  3. Readiness and flexibility of financial and operational reporting to support simulation, scenario planning and selected AI initiatives

Why is this a D&O issue, you may ask. If the board approves budgets, forecasts or strategic decisions based on incomplete or inaccurate data, the board is exposed, and the volume of data available for such decisions has increased significantly over the last few years.

Such issues are not just poor decision-making; they could result in claims for failing to exercise informed judgment and for approving financial disclosures without adequate assurance.

Depending on the industry, regulators increasingly expect boards to demonstrate active oversight of data governance.


About Lani


My mission is to advise, equip and support leaders and teams to grow and get to the next level, as well as to navigate successfully through challenges and difficult periods.
