Board surveys keep reporting bad news. They say board members are not happy with the information they are receiving about cyber (see separate post), strategy, or risk. Unfortunately, each year the survey repeats the comment that boards are less than satisfied.
What is happening? Why is this not being fixed?
If the board is not satisfied, it should be demanding a change — and holding management to account for delivering the information the board needs when the members need it.
Is the board nervous about putting its foot down and being assertive? I surely hope not.
If the board is not able to challenge management on this, does that mean it is not able to challenge management on other matters, such as the selection of strategy, succession planning, and compensation?
Is this an indicator of poor governance and oversight? I surely hope not.
In a 2014 blog post, I commented that — again, according to surveys of board members and other stakeholders — there is a high level of dissatisfaction with the performance and delivery of value by internal audit.
I heard that again a couple of weeks ago, when at a board directors’ conference an individual asserted that internal audit does not have the competence to assess cyberrisk. Nobody disagreed.
Given the importance of cyber in today’s and tomorrow’s business environment, that is damning.
So, did the director say that internal audit needed to be upgraded, additional resources allocated, or similar? No. She just said they were of no value when it comes to cyber and board members should look elsewhere.
Sorry, but that is not acceptable.
If internal audit does not have the right leadership, competence, or resources, the board is to blame! Board members have the capacity and the responsibility to act when management is reluctant to dedicate sufficient resources or when they are not happy with the leadership of the CAE.
Instead of complaining and leaving action to somebody else, they should be more assertive and demand change.
Okay, this is a bit of a rant. But let’s not forget that the CEO and his team report to the board. When there are problems, complaining without acting is not effective governance and oversight.
Do you agree?