Elevating IT Risk Management To The Boardroom

In recent articles on the Coming Crisis of IT Management, I’ve pointed out that IT is often managed as a guild system. There is someone in charge of databases, networking, applications, servers, storage, and each of these experts manages the complexity and risk in their own domain. While this is efficient in some ways, it also means that the answers to every question are embodied in a person, resulting in a vast collection of “tribal knowledge” about the configuration of an environment that is kept within the brain trust of each silo. This is hardly optimal if IT is to become professionally managed.
In a variety of articles, we’ve mentioned the need for improved IT management capabilities, which will require more management resources and new types of systems for technology business management that are being provided by a variety of vendors, such as Apptio.
But today, we’ll examine the way that some of the tribal knowledge can be captured, using systems that were created to manage risk in IT. I came up with this idea after a recent interview with Amad Fida, CEO of Brinqa, whose product was created to capture and manage various forms of technical dependencies, in order to implement controls that allow an organization to understand and manage its risk in IT.
Brinqa is essentially a master repository of risks and dependencies that can observe changes occurring in an IT environment. It can monitor certain conditions and provide reports about events that are known risk agents. The goal is ensuring that any risky behavior–whether it’s a change to a configuration file, the capacity of storage running low, network bandwidth being depleted, network latency increasing, and thousands more–can be monitored. The outcome of that goal is changing your risk profile assessment practice from asking a person if “everything is okay,” to a system of thousands of individual measurements of factors known to contribute to risk.
While prior governance and risk control (GRC) systems for IT were essentially large spreadsheets that required a good deal of manual entry, Brinqa actively listens to machine data and other low-level outputs from IT systems, then lets users assign and customize risk indicators for their particular organization.
“Previously, there were multiple, siloed systems that had pieces of the puzzle, however, there was no system that actually went out and collected and correlated that information in a meaningful way,” Fida says. “Now, based on specific activity, you can see your actual risk.” Brinqa uses a weighted scoring system that lets users prioritize risk levels and assign alerts to each level. The system then tracks factors dynamically and notifies users when the risk profile of an activity or asset slips from green to red, for example.
Importantly, this factoring capability can be correlated with business and financial goals and their associated risks, so CIOs can have a dialogue with CFOs, to whom they increasingly report in many organizations, says Fida. The risk can be rolled up to be understood at a high level, and devolved into its detailed components when needed. This has the potential to fundamentally change the role of IT from “just saying ‘no,’” (or saying “yes” and regretting it later) to saying, “these are the technology risk aspects of making this business decision. How would you like to proceed?”
Brinqa and other such software are used by large IT shops, especially in the financial services industry, for whom any outage could mean a significant loss of revenue, or could trigger regulatory scrutiny. But after thinking about Brinqa’s product portfolio, it occurred to me that an ancillary benefit of using an IT risk management product lies in capturing a large amount of tribal knowledge.
One large aspect of tribal knowledge is an understanding of the key points in a system that should be checked if anything goes wrong, or the key points in a system that must be monitored to make sure that the system stays healthy. In an environment in which an IT risk system is in place, each of the tribal leaders (the heads of the silos) is essentially asked to write down the special knowledge they have about what keeps the system running. While this obviously wouldn’t exhaustively capture all tribal knowledge, it would capture perhaps the most important tribal knowledge, which is related to whether the systems are healthy or not.
Developing standardized ways to capture and express risk, and to record tribal knowledge, helps to remove IT leadership from its cave and to capitalize on the wealth of information IT systems collect every day. Tools such as Brinqa and Apptio can help return CIOs and CTOs to the boardroom table, where their presence is increasingly requested, and help resolve one of the critical issues of IT management: how to have a relevant and productive conversation with the business.