
The Board and Technology Risks


"Corporate boards must exercise their duty of care not only in making decisions affecting the corporation, but also in overseeing decisions made by management. Corporate boards are not required to micromanage decisions made by corporate managers, but they must attempt in good faith to implement a system that will keep the directors informed about whether management's decisions and practices are in compliance with the laws, criminal and civil, that regulate the company's business. Corporate boards, including non-employee, outside directors, had an affirmative duty to be skeptical, to act with due care, and to make a careful, informed decision, independent of management, that any transaction to which they commit their company is in the best interests of the company and its stockholders."

Justice Jack B. Jacobs of the Supreme Court of Delaware, case resolution speech on corporate governance and related disputes, March 20, 2006.

A common expectation from shareholders is that corporate directors demonstrate due care by inquiring about, gaining an understanding of, and providing guidance on risk elements such as:

- Financial: risks related to capital, liquidity, credit, markets, financial transactions, investments, and hedging/derivatives.
- Operational: risks related to environment, health and safety, business partner relationships, business continuity, employment/labor, fraud, competitive practices, global trade/international transactions, supply chain, and product quality/safety.
- Legal and regulatory: risks related to legal/regulatory requirements, litigation, financial loss, and their impact on reputation and stakeholder value.
- Geopolitical: risks related to economic, political, environmental, civil, and legislative developments around the world and at the company's points of presence.
- Technology: risks related to security, privacy, architecture, compliance, disaster recovery, information protection, outsourcing, and business partner connectivity.
Corporate directors cannot afford to be seen as passive participants in the process. They are making progress on the business side; however, they are not as prepared when it comes to Information Technology and its inherent risks in investments, regulatory compliance, social media and mobile technologies.

Why should corporate directors be concerned?

To date, case law suggests that directors and officers are responsible for overseeing the safety of corporate assets, including electronic information. Corporate directors and officers, in exercising their fiduciary duties of care, must establish policies and procedures to protect the company's business-critical electronic information. The board also needs to question management regarding: (i) the internal management of critical information; (ii) procedures for implementing, educating, enforcing, as well as assessing and updating the policies; (iii) plans for risk mitigation and effective responses in case of a breach or a disaster; and (iv) accountability for non-compliance with audit policies and procedures.

March 2011

More than 40 states have laws that require the custodian of lost data to notify the individuals whose data was lost; in many instances the reach of these laws extends well beyond the state's borders, and heavy fines are imposed. Companies must also be concerned about compliance with a number of federal laws, such as the Sarbanes-Oxley Act, HIPAA and the Gramm-Leach-Bliley Act, and with the PCI Data Security Standard (an industry standard that has been incorporated at the state level in some 18 states). Examples of regulatory requirements include the Massachusetts regulation (201 CMR 17.00), which applies to any company that holds personal information of a Massachusetts resident (with no restriction as to where the holder of the information is located) and carries a fine of $5,000 per violation per record lost; and HIPAA/HITECH, where fines apply to persons that willfully neglect to comply and range from $10,000 to $50,000 per violation. A fine of up to $1.5 million per calendar year for one identical violation can be assessed if corrective action is not taken in the case of willful neglect.

Failure to provide appropriate IT governance for the rapidly increasing rate of change in technologies, the increased consumerization of IT by individuals, and the corporate deployment of IT assets are among the reasons why the "lights on, doors open" approach no longer works. More succinctly, the common practice of continuing to push out the time horizon for retiring IT assets makes keeping up with the pace of transacting business a greater risk while at the same time elevating run-rate expense and exposures. This makes a strong case for a risk-based approach that promotes closer alignment between business processes, threats and opportunities, and the IT investment cycle.

To jump-start the process, corporate directors should inquire about the following:

- What processes and metrics do we have in place to ensure there is a defined linkage between investments, organizational results, usage of our intellectual assets, and Information Technology capacity levels?
- What processes, metrics and mappings do we have in place to ensure clear asset classification, safeguards, supported business processes, and the pertinent technology life cycle?
- How do we ensure a clear understanding, by operational region, of the relevant compliance requirements, their impact on the business, and their underlying supporting technology?
- Which initiatives do we have in place to determine what new and coming technologies might be relevant to our business, given the increasing consumerization of Information Technology and our market position?
- Are social media sites part of our electronic footprint? If so, are usage monitoring and proper-use education part of an overall awareness and security program?
- How do we ensure proper metrics and reaction times in the event of an unexpected business interruption or disaster?

Arcelay and Associates LLC is a proven industry leader in providing strategically aligned solutions for IT Risk Management, IT Due Diligence reviews and Interim CIO Services. Their published experts and industry-recognized thought leaders work with their clients on developing customized, aligned solutions that suit long-term organizational goals, regulatory requirements, and cultural and regional needs.
