The daily announcements of cybersecurity breaches, increasing concern about terrorism on critical infrastructures, the rising reputational risks that social media brings, the rapidly changing technology marketplace, and the complexity of managing increasing risks all put pressure on boards to stay up to speed and to be proactive rather than reactive. Traditionally, oversight of operational and technology risks have been the responsibility of the audit committee of the board, as well as the board at large, but that is changing.
Dodd-Frank legislation mandated that financial institutions separate out technology and operational risk from the audit committee to a risk committee. Many non-financial corporations are following suit.
A third board committee is also emerging to focus on security, both cyber and physical, in those organizations that are considered critical infrastructures like public utilities, health care, and transportation, and in financial institutions and other data intensive organizations. The rationale is to put more expertise and focus on emerging risks and for the board to be proactive rather than reactive. Not only are the regulators more concerned about these risks and third-party risks but the investor community is as well. This is one of the areas that shareholder activists are considering when evaluating company performance.
Most of these new security committees include members of the board with technology or risk management expertise as well as senior management such as the chief risk officer, chief technology officer, chief security officer, and others with the relevant expertise. The chairman and CEO of the board also participates.
The security committee usually has over-sight for both physical and cybersecurity, and the reputational and operational risks related to critical infrastructure, company assets, data protection, and intellectual property. These committees also over- see third-party risk with regard to security issues. Many meet six times a year and on an “as need” basis if an event occurs.
Research on gender differences on boards by sources such as Credit Suisse, Catalyst, and Harvard, suggest that women look at risks in a different way than men. According to the studies, women look at risk more holistically and ask more detailed questions on the issues. It is not surprising that women are populating the emerging risk and security committees of boards.
Catherine Allen is the chairman and CEO of The Santa Fe Group, a strategic advisory group based in Santa Fe, New Mexico, that specializes in risk management, cybersecurity, and emerging technologies, as well as man- aging the industrywide Shared Assessments Program for Third Party Risk. She serves on the boards of El Paso Electric Co., Synovus Financial Corp., and Analytics Pros, as well as on the advisory boards of Houlihan Lokey and Women Corporate Directors. In addition to sitting on other committees, she chairs the security committee at El Paso Electric and sits on the risk committee of Synovus.
This article was originally posted in the current issue of Directors & Boards.