The Institute of Internal Auditors’ (IIA) report, OnRisk 2020: A Guide to Understanding, Aligning and Optimizing Risk, identifies several organisational risks that have arisen out of a disconnect between company boards and C-suite executives in their perceptions of how well their companies can address risk.
These risks include:
- data protection
- regulatory change
- business continuity/crisis response
- data and new technology
- third party
- talent management
- board information
- data ethics
How are boards and organisations misaligned?
There are several causes of this misalignment, and it is increasing the risk exposure of organisations, particularly to newer threats such as cybersecurity risk. According to the qualitative survey in the IIA’s report, board members and C-suite executives diverge in how capable they believe their organisation is of managing risk.
Across all risk types, board members were more confident in their organisation’s ability to manage risk than C-suite executives were. This was particularly evident for the risks related to data protection and to engaging third parties for processes, IT and cloud services. Interestingly, cybersecurity was one of the most closely aligned risks, since both parties rated their organisational capability as low. However, other risks that are interrelated with cybersecurity, such as data protection, data ethics, and data and new technology, were rated very differently by the two groups. This suggests that organisations could be underestimating their cybersecurity risks, and that organisational misalignment is a key cause.
What are the causes of misalignment between company boards and C-suite executives?
There are several causes of misalignment between company boards and C-suite executives in terms of perceived capability to manage risk. These causes primarily stem from insufficient information sharing and knowledge gaps, including:
- inconsistent or infrequent reporting upwards
- lack of knowledge and understanding, causing board members to ask the wrong questions (or not ask at all)
- desire of executives or managers to represent organisational capabilities in a stronger state than they currently are.
For example, according to Unisys’ report, Cybersecurity Standoff Australia, 25 per cent of organisations with a board do not report on cybersecurity concerns or issues to it, suggesting an underestimation of the importance and value of data and of keeping it secure.
There’s also misalignment between company boards and other levels of organisations
Misalignment of perceptions isn’t solely an issue between company boards and C-suite executives; it also occurs at all levels of organisations. For example, on the issue of cybersecurity, there is a divergence between executives and mid-level managers, and between CEOs and Chief Information Security Officers (CISOs). Some of the findings of the industry survey in Unisys’ cybersecurity report highlight this divergence:
- 6 per cent of CEOs said their organisation suffered a data breach in the past 12 months, compared to 63 per cent of CISOs
- 44 per cent of CEOs think their organisation can respond to cyber threats in real-time, while only 26 per cent of CISOs agree
- 51 per cent of CEOs think their organisation’s data collection policies are clear, but only 26 per cent of CISOs agree
Risk management suffers as a result of organisational misalignment
The misalignment of views and perceptions between different levels of organisations results in a misunderstanding of the risks that organisations need to mitigate, which produces subpar risk management practices. Risk mitigation budgets are then allocated and used inefficiently, exposing organisations more than necessary. The impacts of mismanaging risk, particularly cybersecurity risk, can include significant reputational, financial and legal damage, including personal liability for directors in some cases.
How to better align company boards and organisations
There are several process improvements and practices that can be implemented to better align company boards and all levels within an organisation. These improvements and practices differ between each level of an organisation as outlined below.
For board members:
- Apply professional scepticism when evaluating information received from executives.
- Remain curious and seek education in poorly understood domains.
For C-suite executives:
- Provide complete, accurate, timely and realistic information to the board, regardless of how the information may be perceived.
- Apply a questioning mind and critically assess the appropriateness and sufficiency of information received from middle managers.
- Implement and enforce consistent and regular reporting structures within the organisation.
For middle managers:
- Provide complete, accurate, timely and realistic information to executives (management reporting), regardless of how this information may be perceived.
If you would like to discuss your company’s cybersecurity and governance risks and how we can help, please contact your Pitcher Partners specialist.