Board oversight of digital strategy lagging, report suggests
A new report – issued amid the fallout from a cyber-security breach potentially impacting 143 million Equifax customers – suggests boards are not doing enough to prioritize the evolution of their IT set-ups. Companies that are lagging on new digital technologies may be leaving the door open for a cyber-attack and missing out on new revenue opportunities, according to the PwC paper.
Only 52 percent of executives surveyed by the accounting firm describe their company’s digital capacity as ‘strong’. This marks a significant decrease from last year, when 67 percent of respondents were confident in their companies’ digital efforts.
The proportion of IT budgets going toward emerging technologies has remained stagnant over the last 10 years, increasing only 1 percent since 2007. The average spend last year in this area was 18 percent of the total IT budget, according to PwC’s research.
Board directors must ensure digital strategy is effectively incorporated into broader corporate strategy, the authors of the report write. They also suggest that boards need to consider whether they have the right balance of skills to engage with digital strategy and risks.
‘As you look around the board table, you might wonder whether your board is ready for the digital revolution,’ the authors note. ‘The technologies companies are investing in are blurring industry lines and creating new business models and competitors… Does your board have the right mix of skills and experience for the company’s future?’
Director respondents rank IT strategy expertise as the sixth-most important attribute for board members, behind more traditional attributes such as financial, operational, industry, risk management and international expertise, according to a separate PwC survey released earlier this year. Cyber-risk management was the eighth-most important attribute, trailing gender diversity.
DIGITAL SKILLS GAP
Just under half of the surveyed companies (47 percent) are leaning on external providers to meet their digital needs because they don’t have the skills internally, a situation that the report authors warn against. ‘Relying on third parties is not a sustainable solution,’ they write. ‘Companies that lack their own skilled teams could end up far behind their peers and competitors when it comes to getting results from their digital investments.’
Board directors must also ensure they adequately understand the latest developments in emerging technology, in order to view their company’s digital efforts as part of a broader commercial and risk management strategy, the authors add. In particular, they advocate the board requesting regular presentations on digital technology from the company’s CEO, chief information officer or, if the company has one, its chief digital officer.
Other recommendations include regularly using new digital tools – such as virtual reality headsets and wearable technologies – and periodically attending conferences where digital is on the agenda to stay up to date. ‘By being involved and understanding what is really needed to undergo digital transformation, boards can ensure leadership is executing on its plans and steering the company toward a successful digital future,’ the report authors say.
Corporate secretaries can play a vital role in ensuring the right information gets to the board, particularly as it relates to cyber-risks, according to Yafit Cohn, counsel with Simpson Thacher and Bartlett (CorporateSecretary.com, 7/11). In a recent paper with Simpson Thacher partner Karen Hsu Kelley, she also outlines questions boards should ask in overseeing cyber-risks. These include:
- Has the company identified a senior person who has clear responsibility for organization-wide cyber-security preparedness and who has support from the top of the firm?
- Has management given serious consideration to how much of the budget and how many staffers are adequate for proper cyber-risk management?
- Has management developed a comprehensive, written data privacy and cyber-security program comprising appropriate policies and procedures?