Ensuring Technology Fluency in the Boardroom
Every company is a technology company today. With business and technology inextricably intertwined, directors need to possess sufficient knowledge of technology issues to execute their duty of care responsibilities. Research indicates there is a financial performance payback from a technology-savvy board. An analysis of the boards of U.S.-listed companies determined that companies with boards of directors that have at least three technology-savvy members outperform other companies. These outperforming companies reported notably higher profit margins, revenue growth, return on assets and market capitalisation.
It’s also beneficial to have one or more individuals with deep technology expertise serving on the board or as advisers to the board, independent of management. But the pervasiveness of technology suggests that every director should at least understand how technology enables the organisation’s strategy and business model as well as the implications of disruptive innovations to their industry. The bottom line is that every director today should be technology-engaged. No director gets a pass.
According to a recent global survey by Protiviti and NC State University’s ERM Initiative, risk concerns for the next decade drive a stake in the ground on technology. More significant worries for companies over the next 10 years, according to the survey, include the risk that the rapid speed of disruptive innovations enabled by new and emerging technologies may outpace the organisation’s ability to compete without significant changes to the business model. Technology is an underpinning to all of these risks.
To stay abreast of technological developments, the most prominent suggestion from a recent National Association of Corporate Directors (NACD) Master Class session3 is also fundamental to other complex matters: Bring outside experts into the boardroom and invite them to keep the board apprised of technological trends. Many publications and subscriptions also offer strong technology content presented in relevant ways. Directors should take the initiative to select the ones they find most useful.
Beyond the basics, the real insight from the session was that it helps to view technology as a strategic enabler rather than a shiny object implemented for its own sake. Focus on the organisation’s long-term strategic goals and how technological innovation can help reach those goals. Consider the capital deployment ramifications alongside the related upside opportunity. Understand how existing legacy technology in the organisation might hamper goal achievement. Recognise the risks emerging technologies can pose — for example, the risk of improper algorithms and bias inherent in artificial intelligence (AI) — and ensure management has implemented mitigations to address them.
Technology fluency is also about learning, and learning comes from asking the right questions and obtaining input from the right subject-matter experts. Critical questions for the full board to consider include the following:
- Is technology identified as an integral part of the company’s strategy and key initiatives? Does the CEO dashboard monitor technology investments that enable improvements to customer engagement, process efficiency, products and services, and competitive position?
- Are the organisation’s digital transformation efforts properly prioritised to deliver the expected value and results? (For example, are multiyear plans reevaluated every three to six months in view of changing markets and customer needs?) Are plans resourced with the requisite skill sets, or is help needed?
- What are the long-term plans for hybrid work environments? How will the company enable access and connectivity to ensure productivity, safety and security in the future, considering the next generation of mobile connectivity and systems as well as data access?
- What programmes are management considering to protect the organisation’s critical data and information assets and to comply with global data privacy requirements?
- What are the company’s business continuity, crisis management and disaster recovery plans? Are contractors and outside services aligned to support them? Does the technology infrastructure enable or hinder business resilience? How would operations be affected if a security breach were to occur, and how quickly could the company respond?
- Are the processes that management chooses to automate focused, streamlined and simplified enough that automation makes sense? Is selecting a process for automation a strategic decision (for example, to focus employees on more complex, value-added tasks)?
The board should expect management to consider these questions and the accompanying resources needed to be successful.
Technology fluency is also about understanding the implications of digital disruption. For example, the NACD session pointed to the positive and negative impacts of remote work on the workforce. Employees have experienced new opportunities in terms of team dynamics, collaboration and culture-building. Remote work has also enhanced well-being by reducing commutes over long distances. However, technology has implications for relationships, and it has become increasingly intrusive to everyone’s personal space. There’s also the related impact on organisational culture.
Dependence on technology has led to talent availability as a critical issue for boards and executive management to address. Over the long term, the limited pool of technology professionals will be drained quickly by overwhelming demand for skilled and experienced talent as new technologies take root in the execution of business models. This market reality creates an obligation to provide learning opportunities related to emerging technologies. How is the organisation thinking about upskilling and reskilling its workforce to help address what many see as a dwindling availability of talent? The proverbial “search for the purple squirrel” — finding the candidate with the requisite education, experience, and range of qualifications and skills that perfectly fit a job’s requirements — has become even more challenging.
This has been a discussion point for well over a decade. The focus of such a committee varies by company, and these committees remain relatively uncommon. It’s up to each board to decide how best to provide strategic oversight regarding technology. That said, every director should be technology-engaged.
The view discussed at the NACD Master Class session was that while a technology committee may be appropriate under certain circumstances, technology oversight responsibilities should ordinarily not be entirely relegated to a small handful of board members. And knowledge of and attention to technology shouldn’t be limited to a separate board committee — whether that committee is a technology, audit or risk committee. As technology often drives overall business strategy, knowledge of technology-enabled opportunities and risks is relevant to many board discussions with management.
Cybersecurity is an integral part of the technology conversation. Four points from a recent NACD Master Class discussion:
- The cyber incidents of today are very different from the incidents of a few years ago. The landscape changed dramatically during the pandemic as organisations transitioned to remote workforce models. Many people worked — at least for a time — on less secure or even unsecured networks and modems, necessitating a planning process to protect these assets.
- Cyber insurance companies are more demanding and discerning in underwriting policies and settling claims in the event of an incident. The high bar requires extensive organisational resources to obtain coverage. Boards should consult with management to ensure that appropriate steps are being taken.
- Organisations should have a cyber response team in place and ready — with legal, forensics, communications and other resources. Such teams should be steeled through preparation and practice. To that end, there’s a difference between a cyber incident and a cyber breach. This distinction is important when drawing up contracts, as their terms dictate the actions required of the contracting parties. Ordinarily, a cyber breach must be reported publicly. General or outside legal counsel should be engaged to determine the appropriate courses of action depending on the circumstances in each case.
- Finally, there are many services and products available to protect the organisation from incidents and breaches. Multifactor authentication is an example.