Abstract
Regulatory changes have affected the composition, role, and responsibilities of Boards of Directors worldwide. While stronger frameworks for directors' fiduciary responsibilities have resulted, considerably less attention has been devoted to understanding the nature of, and the concomitant duty of care towards, the information systems and technology assets in the organization, that is, IT Governance. As a result, Boards have not demonstrated the competence or attention that good IT Governance demands. IT Governance takes two forms: a defensive form, IT Risk Governance, that seeks to safeguard the organization from the consequences of IT-related disasters; and a strategic form, IT Value Governance, which creates lasting shareholder value. This article focuses on IT Risk Governance. Based on a review of the academic and trade literature, and on interviews with Board members from six international firms, it presents a model, the IT Risk Governance Chain, and a dashboard that outlines the critical areas of IT risk and the key questions directors should ask to properly safeguard the information and technology assets of their firms.