Board and Management-Level Factors Affecting the Maturity of IT Risk Management Practices

Abstract: The Securities and Exchange Commission's 2009 enhanced proxy disclosure requirements and the updated Committee of Sponsoring Organizations' (COSO) Internal Control Framework have caused organizations to increase their focus on risk management and consider the impact of information technology (IT) in enterprise risk management. Our study examines whether board involvement, board expertise, and top management's risk culture affect the maturity of IT risk management practices (maturity) in firms. We find that boa… Show more

“…As our findings show that board roles require governing IT at a strategic level, rather than dealing with the technical details, a technical degree may be less valuable than strategic IT experience. Interestingly, Vincent, Higgs [44] report that whilst board IT competence positively influences IT risk management maturity, board involvement is more important, suggesting that simply attracting ITcompetent board members is insufficient. Indeed, our results show that boards should contribute to governing IT by performing a range of roles, with IT competence being only one mechanism to support performance of these duties.…”

“…Further, increased board oversight of risk management offers the potential to improve risk mitigation [41,42] and avoid costly lawsuits [43]. Specifically, boards' IT-related behavioral control is shown to positively influence the maturity of IT risk management practices [44]. Thus, through behavioral control, shareholder value is created [42,45], by lowering the cost of capital [42], and/or regaining shareholders' trust after operational IT failures [34,41].…”

“…In the context of IT governance, boards should offer IT-related guidance and advice to management [6,34]. Resource dependence theory [34,49] and stewardship theory [8,44] are also applied in IT governance literature. From a resource dependency perspective, directors with IT experience should add value to an organization through their IT-related expertise, such as knowledge related to governing IT and IT outsourcing [8,49,50].…”

“…A certain level of IT competence is needed to support the roles of the board in IT governance. In the context of behavioral control, such competence facilitates the reduction of information asymmetry between boards and executives and thus enables better evaluation of IT decisions [44,67]. The board's ability to provide IT-related advice and counsel is enhanced by recruiting directors with IT expertise [34].…”

“…This IT competence may relate to directors with prior executive and/or board experience in the IT sector which have gained experience at the strategic level of the organization [49]. When very specific knowledge is needed, boards could consider hiring an expert [44]. Another strategy linked to the board's IT competency is to appoint a specific director to take a leadership role with IT [36,42].…”

How Boards of Directors Can Contribute to Governing IT

“…As our findings show that board roles require governing IT at a strategic level, rather than dealing with the technical details, a technical degree may be less valuable than strategic IT experience. Interestingly, Vincent, Higgs [44] report that whilst board IT competence positively influences IT risk management maturity, board involvement is more important, suggesting that simply attracting ITcompetent board members is insufficient. Indeed, our results show that boards should contribute to governing IT by performing a range of roles, with IT competence being only one mechanism to support performance of these duties.…”

“…Further, increased board oversight of risk management offers the potential to improve risk mitigation [41,42] and avoid costly lawsuits [43]. Specifically, boards' IT-related behavioral control is shown to positively influence the maturity of IT risk management practices [44]. Thus, through behavioral control, shareholder value is created [42,45], by lowering the cost of capital [42], and/or regaining shareholders' trust after operational IT failures [34,41].…”

“…In the context of IT governance, boards should offer IT-related guidance and advice to management [6,34]. Resource dependence theory [34,49] and stewardship theory [8,44] are also applied in IT governance literature. From a resource dependency perspective, directors with IT experience should add value to an organization through their IT-related expertise, such as knowledge related to governing IT and IT outsourcing [8,49,50].…”

“…A certain level of IT competence is needed to support the roles of the board in IT governance. In the context of behavioral control, such competence facilitates the reduction of information asymmetry between boards and executives and thus enables better evaluation of IT decisions [44,67]. The board's ability to provide IT-related advice and counsel is enhanced by recruiting directors with IT expertise [34].…”

“…This IT competence may relate to directors with prior executive and/or board experience in the IT sector which have gained experience at the strategic level of the organization [49]. When very specific knowledge is needed, boards could consider hiring an expert [44]. Another strategy linked to the board's IT competency is to appoint a specific director to take a leadership role with IT [36,42].…”

How Boards of Directors Can Contribute to Governing IT

Corporate management boards’ information security orientation: an analysis of cybersecurity incidents in DAX 30 companies

Board of directors’ attributes and aspects of cybersecurity disclosure