Good boardroom practices to consider

BoardroomTalk

Dr Proctor Nyemba

Something we keep coming across is cyber risk, and how a board can exercise oversight of a threat that moves fast and is hard to understand.

Most directors worry about the organisation’s exposure, especially when they sense it is not a matter of “if” but “when”.

But few of them feel confident that their technical knowledge is sufficient to test what they are being told.

Or are they merely forming a half-baked judgement on the adequacy of the mitigation approach, or on the organisation’s ability to respond to a major breach?

It is one of those areas where directors cannot be expected to become experts. And finding someone who is already an expert, but has the right profile to become a non-executive, will always be tricky, particularly with such a limited pool to dip into.

In fact, many boards have stopped looking for cyber-NEDs (non-executive directors with cyber expertise); instead, they are appointing retained experts as their advisers.

But, of course, even those need to be used wisely by a board.

So, what is to be done?

At a minimum, the board needs to have a clear framework of questions to ask — one based on a good understanding of the full breadth of the risk and required response.

Here we can touch only lightly on this complex topic.

But we have sought to give a few pointers on good practice to help you cover the ground and avoid the pitfalls.

Here are some good practices to consider:

Get a full picture of both the types of risks and where they might hit.

Most boards are familiar with malware and hacking risks, but what about extortion, theft, information loss, espionage and the like?

Many have focused on data loss but have a less-than-complete picture of the possible weaknesses in the operating structures, including the knock-on effects across operations, products and services.

Develop a framework for the board to use in considering the possible costs and consequences. That means getting a picture of each area of impact, with the most significant, on a risk-based assessment, reaching the board for discussion.

And it needs to be wide-ranging, thinking through the consequences across the risk profile and risk register.

Understand the exposure arising from third parties. The organisation itself might be on top of things, but where are the weak points in the defences that come from suppliers and outsourcers, and from any others who interface with your systems?

Get a good understanding of the positioning of the organisation around “open” or “closed” approaches to allowing data to be accessed by third parties.

Get a picture of how mitigation resources are being deployed relative to the risks and their potential consequences and costs.

Revisit the assessment as the risk environment changes.

Include cyber risk considerations in strategic discussions and growth plans. New products, services, platforms, outsourcing, delivery mechanisms, partners, joint ventures, acquisitions, channels and geographies all have a cyber risk angle, especially if systems development or integration is involved.

Watch the geographical factor. New jurisdictions may change the game in terms of regulation, liability and control requirements.

Understand the response plans for cases when a breach happens and how they have been tested.

That means understanding both the day-to-day response as multiple attacks occur and how the organisation will respond to a major breach of the defences.

To do this, it helps to have a clear framework for the board to think within, covering the main categories (for example, communication, customers, executive responsibilities and business continuity).

Ask the “What if?” question. Boards that have tried war-gaming a major breach typically find this helpful. Taking a close and up-to-date look at business continuity planning and testing is an obvious need, too.

Get a clear picture of the critical systems. Boards cannot be expected to look at the systems infrastructure in detail, but they should have a picture of critical systems and the cyber-related exposures.

Take account of the human factor when looking at the control culture in relation to cyber risks.

That means taking a look at how management is establishing the right values and behaviours — the messaging, training, support, monitoring, motivation and penalties.

The board should also be asking executives about how they are reinforcing the messages along their management lines, from the chief executive officer downwards.

Understand the accountabilities. The board should be clear about who is responsible for what.


Dr Proctor Nyemba helps board members and executives understand their role in governance. For comments and feedback, please send to: [email protected] / Call 0772469893
