Richard Leblanc, a governance expert who teaches at York University, knows a number of directors who don’t use the Internet. One board member at an energy company carries around a wooden phone—as a joke mocking his colleagues’ smartphone dependency. “This is the chair of the board! This is how that person treats technology,” says Leblanc.
But technology ignorance on the board isn’t funny. Many companies today, from retailers to financial institutions, are de facto technology businesses. New digital rivals and security breaches can put their very survival at risk. “There’s been a tremendous emergence of IT as a governance concern,” says Matt Fullbrook, manager of the Clarkson Centre for Business Ethics and Board Effectiveness (CCBE) at the University of Toronto. “But many boards have absolutely no idea how much risk there is here.” No board he’s aware of has tackled the issue comprehensively, partly due to a lack of perceived urgency and because directors simply don’t know what they don’t know. “The risks are so new and so fluid that it is extraordinarily difficult for boards to provide effective oversight, even in a very general strategic sense,” says Fullbrook.
Steve Mallory, a corporate director and risk management expert, recommends boards start by appointing a lead director for IT. “Lead directors are appointed regularly for special projects, risk management, HR. If this is one of the top issues facing boards, and in most cases it is, it should have a lead.” Then the board needs to identify the mission-critical systems that must be protected at all costs. “It’s virtually impossible to protect everything,” says Mallory, but every company has crown jewels essential to its operation—safety systems, if you’re in mining, or e-commerce data for a retailer. Boards should create a kind of dashboard of those key IT issues and “start asking pointed questions,” says Mallory: Is the organization’s staff sufficiently trained? What are the risks to our infrastructure? Do we have a business continuity plan in the event of an attack? “The best things most boards can do is ask as many questions as possible and insist on high-quality information from management and outside advisers,” says Fullbrook.
Hackers aren’t the only threat posed by technology. Scandals spawned by social media can lead executives being ousted and vast reputational damage. Staff using their own devices at work endangers privacy and security, yet fewer than one in five companies have BYOD (bring your own device) policies. All these issues are reasons boards need age diversity, as well as why technological literacy has become an essential new management skill. When McKinsey & Co. took on the task of upgrading the firm’s digital capabilities, notes global managing director Dominic Barton, the partners realized it was the “new joiners” whose perspectives mattered most, not the seasoned veterans’. Barton’s own solution has been to tap reverse mentoring: A 26-year-old is helping him learn how to write code.
Technology isn’t just a risk, of course, but potentially a vast opportunity. A decade ago, when China’s rising economy was a hot topic, it was popular for CEOs to take their boards on junkets to Shanghai and Beijing. “The big fad over the past 24 months is taking the board to Silicon Valley,” says Barton. The reason is partly fear: Technology is transforming many sectors of the economy at speeds and scales unprecedented in history. How many banks anticipated a few years ago that they’d now be competing with Apple and Google? And how many have put themselves in a position to beat that competition? Peter Hinssen, who helps companies prepare for the digital era, urges boards to form disruption committees to identify both threats and opportunities beyond their core business, and to disrupt their own businesses before others do it for them.
Directors who don’t even use the Internet don’t see any of this coming. “We need more pain to occur for this to become more mainstream,” says Leblanc. “Boards are stepping up, but not fast enough.”
MORE IN OUR SERIES ON BUILDING BETTER BOARDS: