How do we know before a crisis if our board has adequate oversight of cyber and other critical risks?
Risk, and, specifically, cyber risk, are increasingly priority concerns for boards of directors. Yet, only 32 percent of public company directors have a high level of knowledge and understanding of their board’s emerging risks. In an environment of constant, disruptive change, it is imperative that board directors assist their companies with the prudent risk-taking that is essential to successful strategic execution.
TBI Protiviti Board Risk Oversight Meter™ leverages many years of research to provide a tool that enables a board to highlight its strengths and limitations, provide up-to-date information on regulations and laws, and, by showing best practices, create a roadmap to excellence. This TBI online instrument accomplishes all of this through a participative process and insightful reporting of the range of responses, the mean response, best practices, anonymous commentary by board members and key company executives, and legal and regulatory requirements germane to board risk oversight. According to noted organizational resilience expert, Dan Sharp, principal of The Board Institute, “With disorder and disruption becoming the norm rather than the exception, it’s critical that boards have the skills to help their companies prepare for and manage impending risk. Our tool highlights the importance of organizational resiliency and the board’s role in driving it.” The Board Institute’s suite of assessment tools is the first and only accredited web-based solution for board evaluation, education and benchmarking. Directors take ownership of the results using a robust, up-to-date, actionable report. With the expertise of CyberVista added to that of Protiviti and The Board Institute, cyber risk is now an integral component.
The U.S. Securities and Exchange Commission rules require all public companies to disclose the extent of their boards’ role in the risk oversight of the company. It is not enough to check the box. Focus has shifted to the quality of the underlying risk oversight process. TBI Protiviti Board Risk Oversight Meter™ allows boards to understand and deflect risk.
U.S. Federal Reserve Chair Janet Yellen said recently, “I’m going to be focusing on risk and board oversight.” The Risk Meter enables boards to confidently meet market expectations relative to risk preparedness.
Recent corporate scandals, fraud and reckless risk-taking underline the urgency of proactively addressing unforeseen risks and making effective risk oversight a priority for every board. “To address new regulatory pressures, investor demands, innovative competitors and the array of internal and external potential disruptors,” says Susan Shultz, CEO of The Board Institute, “Boards must have confidence that they are effectively overseeing risk. TBI Protiviti Board Risk Oversight Meter will enable that confidence by providing the tools to evaluate and move towards best practices in risk oversight.”
Only 8% of directors are satisfied with their readiness to respond to a cyber crisis. “Cybersecurity is no longer an ‘IT issue,’” says Amjed Saffarini, XCEO of CyberVista, “but rather an enterprise risk issue. Therefore, cyber risk stands as a significant challenge for the majority of today’s corporate leaders.” According to the National Association of Corporate Directors, 2016-2017 NACD Public Company Governance Survey:
- 59% of board directors find cyber risk somewhat-to-very challenging to oversee.
- 31% of board directors have attended continuing education events on cyber risk within the past year.
- 12% of board directors have participated in a test of the company’s cyber response plan within the past year.
The cyber knowledge and management skills that senior leaders must have to successfully drive cyber resiliency across their organization – and to meet their fiduciary and shareholder responsibilities – far exceed what anyone could have imagined even a decade ago.
However, we should not expect directors and officers to understand all the technical details related to cybersecurity. Instead, we should expect them to have literacy around cyber risk issues so they can skillfully navigate the grey zone where cyber risk and business risk converge. Beware of any false sense of comfort derived from selecting a token cyber expert for your board or executive suite. While having an expert at your disposal is certainly helpful, navigating cyber risk can be complex and should be addressed as a team. You wouldn’t simply have one director or officer who is good at financials on your team – cyber should be treated no differently.
To ensure your directors, officers, and company at large are prepared to oversee this growing risk area:
- Employ TBI Protiviti Board Risk Oversight Meter™. Evaluate your board and C-suite on their composition and abilities to govern and manage a wide range of risk issues, including cyber risk, and then develop a roadmap to excellence by discussing results and creating/implementing an action plan of improvements based on the TBI online report.
- Implement a cyber risk training program for your board and executive team. CyberVista offers such courses.
- Identify risk areas and blind spots by implementing a cyber risk dashboard. Evaluate and implement policies and controls to manage and prioritize risk within acceptable tolerance thresholds.
- Maintain your resilience by keeping up-to-date on the latest cyber risk issues and through cyber breach exercises and simulations.
Boards interested in using TBI Protiviti Board Risk Oversight Meter should visit The Board Institute web site at www.theboardinstitute.com/risk. Our site is linked to Protiviti (protiviti.com) for risk consulting services and to CyberVista (cybervista.net) where additional educational services are available.