26 June 2017 by Bernadette Barber
Directors must be ever-vigilant in mitigating IT risks, says Bernadette Barber
The regular FT–ICSA Boardroom Bellwether surveys indicate that cyber risk is increasingly causing concern in boardrooms. Unfortunately it is probably also the issue most directors feel least qualified to opine on.
Unlike other financial, operational and strategic risks where, regardless of career background, most directors will feel they have a reasonable degree of experience to bring to bear, the technical and fast-changing nature of IT presents considerable challenges for directors seeking to understand and keep up to date with the issues.
Two recent IT-related problems vividly illustrate the extent to which a serious failure can create absolute chaos. The first was the global WannaCry ransomware attack, which affected thousands of computers across 150 countries. In the UK, vast parts of the NHS were brought to a virtual standstill, with companies elsewhere, such as Renault in France, Deutsche Bahn in Germany and FedEx in the US, being some of the other high-profile names affected.
Malware, it seems, makes no distinction between an essential life-saving health service and a commercial organisation. It appears to take an entirely even-handed approach to wreaking havoc, with absolutely no reference to the ethical consequences of its handiwork.
The second example is the British Airways IT failure that caused a complete cancellation of all the airline’s flights from both London Gatwick and Heathrow airports on one of the busiest weekends of the year.
It appears that not only did a power surge cause the primary systems to fail, but that hardware in the backup facilities was also faulty, so did not do the job it was supposed to. British Airways was hit by a double whammy, so to speak, and it was undoubtedly an extremely challenging situation for all involved.
In both the WannaCry and British Airways examples, there has been an event which the board may have believed to be very unlikely, but the impact of which was pretty catastrophic. As might be expected, in its 2016 strategic report, British Airways identified ‘failure of a critical IT system’ as a key risk, but confidently confirmed that ‘system controls, disaster recovery and business continuity arrangements exist to mitigate the risk of a critical system failure’.
Clearly those arrangements were inadequate to prevent the impact in this instance being considerable. But although one might have sympathy with British Airways being unable to get things back up and running within a reasonable timescale, the apparent failure to communicate with the many thousands of severely disrupted passengers is somewhat less forgivable.
It is apparent that the lack of any communication with customers created almost as much bad feeling as the delays themselves. It is surely so basic a point that no one should need reminding of it, but good communication needs to be an automatic and integral part of any crisis management strategy.
Although directors may not be tech-savvy, their experience in business certainly means they are well-placed to ask the same sorts of challenging questions about the IT preventative, backup and disaster recovery measures as they would about other aspects of the business.
They can ask about third-party risks and how they are mitigated, and what will happen if the backup system also fails. They can also enquire about the strategies to be implemented in the first minutes and hours after a system failure to ensure that damage, including reputational damage, is limited.
It is easy to feel blinded by science when faced with highly technical issues outside one’s comfort zone, and the intangible nature of IT matters may increase the sense of being unqualified to address them. That is no reason, however, for boards to feel they should leave such issues in the hands of the experts.
Fortunately for directors, the law does not impose a standard of competence on them other than to exercise the skill that someone with their qualifications and background and in their role might reasonably be expected to exercise. Therefore there is no requirement for directors to be technical experts.
They are, however, expected to exercise reasonable skill and care in all company matters. That means they are expected to consider what the risks are and seek assurance that those risks are being adequately managed. They may need to ask more probing questions to get the real assurance they need on IT matters and should take comfort from the fact that sometimes, as we all know, the most basic ‘idiot’ question turns out to be the most useful.
The new edition of The ICSA Corporate Governance Handbook, by Bernadette Barber and Barbara Allen, is available now from the ICSA Shop.