The National Association of Corporate Directors (NACD) is considered by many to be the preeminent association supporting boards and directors “to stay on the leading edge of corporate governance.” NACD periodically creates Blue Ribbon Commissions, groups of experts that research and create recommendations to boards on best practices to stay relevant and “future ready.” Topics in the past have included risk governance and corporate culture. This year’s Blue Ribbon Commission is particularly relevant to the times we live in and of considerable interest to those of us who work in technology in a world where, up to a few years ago, the overall direction, strategy, and vision driving economic success was often more focused on the short term and did not include much about the technology operating the company or the potential impact of evolving or emerging technologies. Outside of significant cyber events, in the past those discussions had been delegated to the audit committee to ensure compliance with Sarbanes-Oxley and similar regulatory requirements.
The 2024 NACD Blue Ribbon Commission Report, “Technology Leadership in the Boardroom: Driving Trust and Value,” was released in early October 2024.
This report from the NACD examines the impact of technology and data on corporate governance. It argues that boards need to strengthen their oversight, deepen their understanding, and develop foresight regarding technology in order to remain competitive and create long-term value. The report includes ten recommendations for boards and management teams, organized around the imperatives of strengthening oversight, deepening insight, and developing foresight. It provides practical guidance on how to implement these recommendations, including tools and checklists.
That last paragraph was AI-generated. Or was it? What is the impact of not knowing? Not caring? Would that answer change if you were fiscally and ethically responsible for a company’s success and reputation in an era where AI dominates the headlines? How does a board ensure that the duty of care exercised as a normal obligation of board service stays current in the face of the tumultuous rate of change and reliance on technology, a rate of change that far outpaces consistent definition of regulatory protections?
This Blue Ribbon Commission report includes a call to action for boards to ensure that their practices and partnership with the C-suite and auditors form a foundation that strengthens oversight, deepens insight, and develops foresight of enterprise technology.
Without adequate oversight, it’s impossible to get reliable insight. Without reliable insight, foresight of enterprise technology will be wrong, incomplete, a bad bet, a waste of money, or non-existent. This is not a good look for any enterprise, and for a public company, profit, share price, and reputation are at stake. And the reality of cyber safety is even worse than the board and the C-suite believe.
But far from the doom-and-gloom message just portrayed, this report should bring us hope by making the need transparent to those who oversee and those responsible for company success. The report gives a well-written rationale and game plan to get the improvement started.
What do we mean by enterprise technology? It’s not just internal information technology; it includes any operational technology used to provide goods and services or within those goods and services. And for companies in the engineering and technology industry, enterprise technology is reflected in the products and services offered to customers. Consider the optics behind “do as I say, not as I do” as opposed to the visible benefit of “walking the talk.”
The first group of recommendations provided by the report is designed to help a board strengthen oversight of the organization’s use of technology and data. Governance and control of assets is a standard practice for CIOs, whether the assets are standards and policies, hardware, software, data, staff, or time. Enterprise technology doesn’t stand still — there are always projects and services afoot to update, upgrade, replace, fix, protect, and so on. Projects have approved requirements, costs, and schedules that are monitored, and services typically have service-level objectives/agreements. “Unmanaged change is chaos” is a common belief among those responsible for enterprise technology.
The knowledge of and active involvement in technology oversight practices is not yet customary within the C-suite, let alone at the board level. While the level of detail will be nowhere close to what CIOs and CDOs deal with on a day-to-day basis, the board must recognize the governance structures in use by the organization and define their own involvement in the decision-making process.
It’s a fine line between “oversight” and “overstep,” and this may challenge the beliefs of board members of significant seniority, but the duty to protect all stakeholders demands it. The board needs to be convinced that this is a crucial part of the duty of care and have significant interactions with the management team to know what the enterprise has as far as the current state of policies, people, processes, and technology and how they are connected and protected along with the data consumed, integrated, or produced.
The role of organizational culture cannot be ignored, nor can the state of the business processes. Both play a role in increasing technical debt, especially when they work in concert; “that’s the way we’ve always done it” can lead to customizations in off-the-shelf software or a part of the organization going rogue and bringing in their own implementations invisible to enterprise governance.
As a part of reviewing the board’s practices for decision-making, the report suggests that boards request that “management explicitly state what technologies are used to create value, why they are used, what risks exist, and if they themselves understand the technology and why it was adopted.” That statement may rob many traditional management teams of a good night’s sleep. If they read it.
Wherever the management team is in their ability to answer those questions is the starting point to assist the board in deepening their insight, the second category of recommendations.
Board members need to come to terms with the fact that innovations are outpacing their experience on an individual basis and understand whether the composition and collective insight of the board is sufficient to shape enterprise strategy and oversee execution. Technological literacy is fueled by genuine interest and curiosity. This supports a continuing practice of learning and exploration about the best ways to create value within the company’s business base. Structured evaluations of director and board technology proficiency are recommended, as are educational mechanisms for both individuals and the board.
The second part of deepening insight comes from improving the measures that show the efficacy of the technology in use. Historically, KPI read-outs to the board tend to be more financial in nature and include more lagging indicators than leading ones. An enterprise architecture road map that shows the current state of enterprise technology, how it is protected with a zero trust architecture, progress metrics on planned projects, and high-level views of business processes provides a good framework on which to select measures. For example, the depiction of the process of invoicing and collections can show the benefit of improvements on organizational cash flow. Likewise, that insight can better depict return on investment in technology.
Following the report’s recommendations to strengthen oversight and deepen insight lays the foundation for the last category of actions: developing foresight. At this point it should be clear that technology is an integral element in the organization’s long-term strategy and that board literacy and intellectual curiosity coupled with continuous learning are vital to maintain a competitive edge — even more vital to staying profitable and staying in business.
“Possibility thinking,” keeping an open mind, and exploratory group discussions strengthen a board’s ability to “see around corners” and recognize opportunities to explore radical changes to business models (Blockbuster missed that one) or the fundamental changes in technology that could rock an entire industry. The quartz revolution of the 1970s had that impact on the Swiss watchmaking industry, which, up to that point, had about 50% of the global market share for new watches. Excellence in watchmaking was a significant component of Swiss national identity, and the loss of that dominant position was a crisis to the Swiss.
In addition to having a mindset of foresight, boards should ensure that management has a process of continuously watching and evaluating the emerging technologies of greatest potential applicability to both internal operations and satisfying the needs of customers and consumers. This evaluation is best projected on the enterprise technology as it is and as it is planned to be, creating a vision of what it could be and provoking the question, Do we have the talent to make it so?
Developing technological possibilities into realities requires a culture of openness and willingness to take risks, a culture where it’s OK to say you don’t know and “Let’s see what happens.” Boards and management teams need to balance strengthened governance around measured implementations with passion and imagination. It is this leadership in the boardroom that our stakeholders deserve.
NACD report: Boards need greater oversight, deeper insights, and foresight of enterprise technology
Cora Carmody is a globally recognized CIO, having been appointed as the first CIO of Litton PRC (now part of Northrop-Grumman Information Technology) and most recently as the CIO of Jacobs Engineering. Prior to becoming a CIO, Cora held various positions (programmer, systems engineer, program manager, and others) in projects benefiting the U.S. intelligence community, the U.S. Department of Defense, NASA, and other customers.
In 2002, Cora founded the “Technology Goddesses” program to mentor girls (K-12) in all aspects of technology – which led Jacobs to receive the Inaugural “Engaging Youth in IT” Award from Computerworld and the CIO Executive Council, June 2013.