Governing Information Technology Risk

CALIFORNIA MANAGEMENT REVIEW · 2009
Cited by 119
RUC A-ABS 3

Summary

Focusing on IT risk governance, and drawing on a literature review and interviews with board members of six international firms, the article proposes an IT Risk Governance Chain model and a dashboard to help directors identify key IT risks and discharge their duty of care.

Abstract

Regulatory changes have affected the composition, role, and responsibilities of Boards of Directors worldwide. While stronger frameworks for directors' fiduciary responsibilities have resulted, considerably less attention has been devoted to understanding the nature of, and concomitant duty-of-care towards, the information systems and technology assets in the organization, or IT Governance. As a result, Boards have not demonstrated the competence or attention that good IT governance demands. IT Governance takes two forms: a defensive form, IT Risk Governance, that seeks to safeguard the organization from the consequences of IT-related disasters; and a strategic form, IT Value Governance, which creates lasting shareholder value. This article focuses on IT Risk Governance. Based on an academic and trade literature review, and interviews with Board members from six international firms, it presents a model, the IT Risk Governance Chain, and a dashboard that outlines the critical areas of IT risk and the key questions directors should ask to properly safeguard the information and technology assets of their firms.

Keywords: Corporate governance; Risk management; Information technology; Board responsibilities