How to Ace Board IT Governance Without Tech Expertise



Trusted to serve
by Tamara Paton in Work of the board
IT governance

It seems that every board’s nominations committee is on the hunt for IT talent. When a recent HBR article emphasized the importance of IT expertise on boards, the Twitterverse responded with enthusiastic head nodding.

I am the first to celebrate the contributions of the IT experts on boards. My tech-savvy colleagues have informed views on project implementation timelines, reasonable budget overruns, and the risk inherent to neglected legacy systems. I trust their instincts and value their hands-on experience, especially in softer, change management aspects of IT investments.

The risk of having an IT expert on board

By labeling a director the board’s “IT expert”, however, organizations risk taking fatal missteps. Intimidated by the complexity and scale of an organization’s IT operations, it is tempting to defer to a lone director with technical knowledge. Even more potentially dangerous, the creation of a technology committee might draw a clear line between those with and without IT chops. A board can easily fall into the habit of effectively delegating IT oversight to a small fraction of the board’s membership.

This is nothing short of willful negligence on the part of corporate directors.

A board values (and is often required to have) a director with an accounting designation. Would we ever approve financial statements based solely on that sole director’s review? And we sincerely appreciate the road-tested knowledge of a director who leads an HR function in his day job. But would we expect that director to single-handedly set CEO compensation? Of course not. It’s similarly inappropriate to hand the IT oversight role to one person.

Admittedly, I have done it myself. Assuming that my techie colleague knows better than I do, I have leaned back from a discussion.

In more recent years, a simple framework has helped me move beyond this self-imposed barrier. Realizing that the risk surrounding IT assets is fundamentally identical to that of any investment, I developed my own lay man’s view of IT oversight.

Today, I ask 4 types of questions to achieve reasonable assurance of an organization’s IT strategy and operations. (An overview of the framework appears below. You can download a complete list of more than 50 questions here.)

1. Background context

Director orientation is the perfect opportunity to explore the ways and whys of an organization’s technology assets. Asking your organization’s IT leadership to present to the board sustains the board’s exposure to technology basics. And I have seen sharp directors take additional time off-line to cover questions for the Chief Information Officer.

Potential questions include:

  • How critical is IT to sustaining the organization today? And growing our organization tomorrow?
  • How is our enterprise architecture likely to change in the next three to five years?
  • How do we assess quality in our IT operations? How is the value delivered by IT being measured?

2. Alignment of IT with the enterprise and its strategy

Boards tend to become more passionate about technology when they see a direct connection between systems and strategy. Questions that help surface that relationship include:

  • How will IT enable the organization in five years?Are we investing enough to support the organization’s strategy?
  • Do we have the right organization structure in IT? Is it sufficiently resilient to support our growth aspirations?

3. Responsible use of IT resources and capital investments

The price tag on the last website upgrade that one of my boards approved exceeded $5 million. I sought reasonable assurance of the project’s success by asking a long list of questions. A handful of them appear below (with the extended version here).

  • Based on past systems implementations, what are the 3 sources of risk that worry us the most about a new IT project?
  • For new projects, what is the business case, including projected ROI and payback period?
  • What did our reference checks on the hardware, software and systems integration partners reveal?

4. Risk management

Nora Aufreiter, chair of the Neiman Marcus board’s Digital and Technology Committee, encourages boards to get a hands-on feel for risk. At a recent panel discussion on industry disruption, she pointed to the value of board simulations and scenario planning. “Conducting pre-mortems can give boards a tangible sense of technology’s impact – the upside and downside risk.”

I’m curious as to whether the management and board of Southwest Airlines ever ran through a ticketing systems failure scenario. When a recent IT glitch forced the delay of 450 flights, the lines of upset customers stretched over two miles in airports across the US.

If the Southwest board didn’t see the value in scenario planning before, I’m willing to bet that they do now. Such an exercise provides a forum to explore key questions, including:

  • When did management last simulate an IT disaster? What were the learnings?
  • How do we manage cyber risk? What cyber security measures do we have in place?
  • For ongoing IT projects, what feedback mechanisms provide an early warning to potential problems?


You’ll note that none of these questions requires a computer science degree to understand. If the resulting answers feel unnecessarily technical, directors can and should ask for clarification. Failing that, management’s inability to explain technology simply may actually be a warning sign of shaky investments or unacceptable risk.

Every director should feel capable of and responsible for oversight of the IT function. A starter list of questions, coupled with natural curiosity, should allow each of us to engage on IT topics with appropriate authority.

Question: What questions did I miss? What do you often ask about technology and IT governance?

Please be sure to download your copy of 50 Powerful Questions Ready to Ask at Your Next Board Meeting.

Thank you for reading! If you found it useful, please click the “like” button on LinkedIn or tweet a comment. Doing so helps my work reach others and would mean so much to me.




How to Ace Board IT Governance Without Tech Expertise

by Tamara time to read: 4 min