Governing Information Technology Risk

by Michael Parent, Blaize Reich


Abstract

Regulatory changes have affected the composition, role, and responsibilities of Boards of Directors worldwide. While stronger frameworks for directors’ fiduciary responsibilities have resulted, considerably less attention has been devoted to understanding the nature of, and concomitant duty-of-care towards, the information systems and technology assets in the organization, or IT Governance. As a result, Boards have not demonstrated the competence or attention that good IT governance demands. IT Governance takes two forms: a defensive form, IT Risk Governance, that seeks to safeguard the organization from the consequences of IT-related disasters; and a strategic form, IT Value Governance, which creates lasting shareholder value. This article focuses on IT Risk Governance. Based on an academic and trade literature review, and interviews with Board members from six international firms, it presents a model, the IT Risk Governance Chain, and a dashboard that outlines the critical areas of IT risk and the key questions directors should ask to properly safeguard the information and technology assets of their firms.

California Management Review