Misalignment between company boards and organisations is increasing risk

Misalignment between boards and other areas of organisations is leading to increased risk exposure, according to a report from the Institute of Internal Auditor’s (IIA).

The report noted divergence between board members and C-suite-level employees about their organisation’s perceived capability to manage risk in the following areas:

• cybersecurity,
• data protection,
• regulatory change,
• business continuity/crisis response,
• data and new technology,
• third party,
• talent management,
• culture,
• board information,
• data ethics, and
• sustainability.

How are boards and organisations misaligned?

Across all risk areas, board members were more confident in their organisation’s ability to manage risk, compared to C-suite executives. Interestingly, cybersecurity was one of the most closely aligned risks as both parties rated their organisational capability as low. However, other risks such as data protection, data ethics, and data and new technology, which are interrelated with cybersecurity, suggest that organisations could be underestimating their cybersecurity risks, and organisational misalignment is a key cause.

What are the causes of misalignment between company boards and C-suite executives?

The causes of misalignment between company boards and C-suite executives primarily stem from insufficient information sharing and knowledge gaps, including:

• inconsistent or infrequent reporting upwards;
• lack of knowledge and understanding, causing board members to ask the wrong questions (or not ask at all);
• desire of executives or managers to represent organisational capabilities in a stronger state than they currently are.

There’s also misalignment between company boards and other levels of organisations

Misalignment of perceptions isn’t solely an issue between company boards and c-suite executives; it occurs in all levels of organisations. For example, on the issue of cybersecurity, there’s a divergence between executives and mid-level managers and between CEOs and Chief Information Security Officers (CISOs). In fact, 6 per cent of CEOs said their organisation suffered a data breach in the past 12 months, compared to 63 per cent of CIOs, demonstrating the misalignment.

Risk management suffers from organisational misalignment

The misalignment of views results in a misunderstanding of the risks, which produces subpar risk management practices and inefficient allocation of risk mitigation budgets. The impacts of mismanaging risk, particularly cybersecurity risk, can result in significant reputational, financial and legal damages, including personal liability for directors in some cases.

How to better align company boards and organisations

There are several process improvements and practices that can be implemented to better align company boards and all levels within an organisation.

For board members:

• Apply professional scepticism when evaluating information received from executives.
• Remain curious and seek education in poorly understood domains.

For C-suite executives:

• Provide complete, accurate, timely and realistic information to the board, regardless of how the information may be perceived.
• Apply a questioning mind and critically assess the appropriateness and sufficiency of information received from middle managers.
• Implement and enforce consistent and regular reporting structures within the organisation.

If you would like to discuss your company’s cybersecurity and governance risks and how we can help, please contact your Pitcher Partners specialist.