We're a Baker Tilly network member
Learn more
Back to top
Misalignment between company boards and organisations is increasing risk

Misalignment between company boards and organisations is increasing risk

The Institute of Internal Auditor’s (IIA) report, OnRisk 2020: A Guide to Understanding, Aligning and Optimizing Risk, identifies several organisational risks that have arisen out of a disconnect between company board and C-suite perceptions on the ability of companies to address risk.

These risks include:

  • cybersecurity
  • data protection
  • regulatory change
  • business continuity/crisis response
  • data and new technology
  • third party
  • talent management
  • culture
  • board information
  • data ethics
  • sustainability

How are boards and organisations misaligned?

There are several causes of this misalignment, and it’s increasing the risk exposure of organisations, particularly to newer threats such as cybersecurity risk. According to the qualitative survey in the IIA’s report, there is a divergence between board members and C-suite-level employees about their organisation’s perceived capability to manage risk.

Across all risk types, board members were more confident in their organisation’s ability to manage risk, compared to C-suite executives. This was particularly evident with the risks related to data protection and engaging third parties for processes, IT and cloud services. Interestingly, cybersecurity was one of the most closely aligned risks as both parties rated their organisational capability as low. However, other risks such as data protection, data ethics, and data and new technology which are interrelated with cybersecurity suggest that organisations could be underestimating their cybersecurity risks, and organisational misalignment is a key cause.

What are the causes of misalignment between company boards and C-suite executives?

There are several causes of misalignment between company boards and C-suite executives in terms of perceived capability to manage risk. These causes primarily stem from insufficient information sharing and knowledge gaps, including:

  • inconsistent or infrequent reporting upwards
  • lack of knowledge and understanding, causing board members to ask the wrong questions (or not ask at all)
  • desire of executives or managers to represent organisational capabilities in a stronger state than they currently are.

For example, according to Unsisys’ report, Cybersecurity Standoff Australia, 25 per cent of organisations with a board do not report on cybersecurity concerns or issues, demonstrating a possible underestimation of the importance and value of data and keeping it secure.

There’s also misalignment between company boards and other levels of organisations

Misalignment of perceptions isn’t solely an issue between company boards and c-suite executives; it also occurs in all levels of organisations. For example, on the issue of cybersecurity, there’s a divergence between executives and mid-level managers and between CEOs and Chief Information Security Officers (CISOs). Some of the findings of the industry survey in Uniysys’ cybersecurity report highlights this divergence:

  • 6 per cent of CEOs said their organisation suffered a data breach in the past 12 months, compared to 63 per cent of CISOs
  • 44 per cent of CEOs think their organisation can respond to cyber threats in real-time, while only 26 per cent of CISOs agree
  • 51 per cent of CEOs think their organisation’s data collection policies are clear, but only 26 per cent of CISOs agree

Risk management suffers as a result of organisational misalignment

The misalignment of views and perceptions between different levels of organisations results in a misunderstanding of the risks that organisations need to mitigate, which produces subpar risk management practices. This results in the inefficient allocation and use of risk mitigation budgets, further exposing organisations more than necessary. The impacts of mismanaging risk, particularly cybersecurity risk, can result in significant reputational, financial and legal damages, including personal liability for directors in some cases.

How to better align company boards and organisations

There are several process improvements and practices that can be implemented to better align company boards and all levels within an organisation. These improvements and practices differ between each level of an organisation as outlined below.

For board members:

  • Apply professional scepticism when evaluating information received from executives.
  • Remain curious and seek education in poorly understood domains.

For C-suite executives:

  • Provide complete, accurate, timely and realistic information to the board, regardless of how the information may be perceived
  • Apply a questioning mind and critically assess the appropriateness and sufficiency of information received from middle managers
  • Implement and enforce consistent and regular reporting structures within the organisation.

For middle managers

  • Provide complete, accurate, timely and realistic information to executives (management reporting), regardless of how this information may be perceived.

If you would like to discuss your company’s cybersecurity and governance risks and how we can help, please contact your Pitcher Partners specialist.

This content is general commentary only and does not constitute advice. Before making any decision or taking any action in relation to the content, you should consult your professional advisor. To the maximum extent permitted by law, neither Pitcher Partners or its affiliated entities, nor any of our employees will be liable for any loss, damage, liability or claim whatsoever suffered or incurred arising directly or indirectly out of the use or reliance on the material contained in this content. Pitcher Partners is an association of independent firms. Pitcher Partners is a member of the global network of Baker Tilly International Limited, the members of which are separate and independent legal entities. Liability limited by a scheme approved under professional standards legislation.

Pitcher Partners insights

Get the latest Pitcher Partners updates direct to your inbox

Thank you for you interest

How can we help you?

Business or personal advice
General information
Career information
Media enquiries
Contact expert
Become a member
Specialist query
Please provide as much detail to ensure appropriate allocation of your query
Please highlight a realistic time frame that will enable us to provide advice within a suitable and timely manner. Please note given conflicting demands with our senior personnel, we will endeavour to respond to you within the nominated time frame. If you require an urgent response, please contact us on 03 8610 5477.
CPN Enquiry
Business Radar 2024
Federal Budget 2024-25
Student careers 2024-25
Search by industry