Boards lack understanding of IT risks

2007

Technology-related risks figure higher on the agenda of UK company boards than ever before. But new research questions whether board members really have sufficient understanding of IT risks to address them adequately.

A report by PricewaterhouseCoopers has found that while almost all large UK companies acknowledge that IT is strategically important to the future success of their business, more than two-thirds (68 per cent) of the heads of internal audit surveyed believe their boards do not understand the IT risks they face.

Three-quarters also said that they would like to provide more assurance over IT risk at a strategic level.

This view is shared by a similar number of senior management respondents who said that boards are looking for more comfort and assurance than internal audit currently provides.

The report, written on behalf of The Institute of Internal Auditors, surveyed business leaders and heads of internal audit in a wide range of companies and public sector organisations on how they manage IT risk.

It found that in three-quarters of organisations, IT-related risk, in particular the potential for complex projects to fail, has risen higher up the board agenda. Indeed, almost nine out of 10 senior management respondents said that it is a major challenge to respond to the pace of change in IT.

Grant Waterfall, PWC's risk assurance services partner, said that the findings suggest that boards and audit committees may not have all the skills they need to understand and deal with IT risk and that the mechanisms for communicating IT risks to the board may not be effective enough.

The survey also highlights a lack of mutual understanding between the board and IT professionals over how to assess risk. Over a third of senior management respondents and almost half of internal audit heads feel that IT professionals lack the ability to communicate IT risk and its potential business impact in a way that the board understands.

Similarly, well over a third of senior management respondents believe that internal audit departments are also struggling with IT risks because they lack the capabilities to provide the board with the assurance over IT risks that it needs.

Some heads of internal audit agreed with this, suggesting they are well aware of the obstacles they face in providing effective assurance.

"Internal audit departments may need to reassess their skills base and the way in which they engage with the business on IT," said Gail Eastbrook, chief executive of The Institute of Internal Auditors.

"Currently, as the survey points out, two-thirds of internal audit departments are spending less than 20 per cent of their time on reviewing IT risks."

Grant Waterfall added that in order to make improvements, organisations needed to bring together IT professionals who understand the technology but not necessarily the business impact, and business managers who lack the technical background but could draw out the potential business implications.

"Assessing risk is a team game," he said. "Boards, in particular most non-executive directors, simply don't have inherent practical experience of IT risk, as one of our internal audit heads reminds us, and this means they are unlikely to understand the full extent of the risks and opportunities that technology presents to their companies."