Questions for the board to consider
The board has a vital role to play in ensuring that data and technology are employed to facilitate risk management. Here are some questions to ask yourselves:
1. Does your board understand the role that technology and data can play in enhancing risk management? As covered in our first article in this series, this can be achieved by expert training, internal coaching, and considering the need for this expertise when filling future board vacancies. “You need to make sure that the board has one or two people who know their stuff on technology,” confirms Brendan McDonagh, Deputy Chair at AIB. “They don't necessarily have to be an ex-senior executive of a major technology company. They just have to have had solid technology experience and operations experience. Because at the board level you want them to look at the big picture.”
2. Have you allocated sufficient resources for risk management technology? Significant expenditure will likely require board approval. Boards must, therefore, allocate sufficient budget for investments in technology and the required skill sets.
3. Are you holding management to account on how they use data and technology for risk management? “Boards definitely need to buy into new technology and question whether it’s being used, but it’s more important to know how these technologies are being used by the business to get insights about risk,” explains Craig Jackson, board director and Audit Committee Chair, Paloma Rheem Global. “Whether it’s machine learning or artificial intelligence, there are some powerful tools emerging that can be used for risk management. But are they really being used for risk management at the moment? It’s up to the board to find out and make sure that they are.”
4. Is there a strategy in place to overcome the expected obstacles? There are some significant challenges to implementing a data and technology-driven approach to risk management. Boards must ensure that management has a strategy for overcoming the obstacles, with a particular focus on skills. And as with any data and technology-driven transformation strategy, cybersecurity and data privacy considerations should be integral from the get-go, so that new risks aren’t introduced as a result.
5. Has the board clearly defined what is required of management in terms of risk reporting? Boards must work with management to ensure that risk reporting is forward-looking and predictive; covers emerging and atypical risks; and includes internal and external data.
Boards may think that they can leave management to develop a strategy for employing technology to monitor and mitigate risk; however, they do need to oversee that it’s used to its full potential. This may require boards themselves to move up the learning curve in terms of understanding all the benefits that technology can deliver.