
Solving the Mystery behind Board Reporting

One of the challenges chief information officers (CIOs) and chief information security officers (CISOs) typically deal with is board reporting. How do you present technology and security-related information to a group of people who mostly grew up in the pre-digital age and/or have little involvement with that side of the business? With the lack of guidance on what should be reported and the regulatory pressure to make sure that reporting occurs, we often find that the reporting process implemented at institutions is inefficient and not very effective. This can lead to board members feeling frustrated with management and management feeling frustrated with the board, because neither party truly understands the other's needs.

To help tackle this issue, Wolf recently moderated a forum of about twenty-five Massachusetts bank CIOs who discussed the opportunities and challenges of reporting to boards. We heard from one CEO of a $1.3B Massachusetts bank on how his institution is addressing this challenge as well as from four other New England-based banks ranging in size from $300M to $1.5B on their tips and tricks. The discussion was lively and it was obvious that there are many different approaches to communicating with a board. That said, there are some common tactics used by the banks that seem to be handling this well. Here are the main takeaways: 

  • Tone at the top is critical - the CEO and board must buy into the importance of hearing from the CIO
  • Have an IT expert on your board - his or her presence acknowledges the expertise needed, similar to the need for a financial expert
  • Get to know your board members - what do they do for a living, what is important to them, how should you best communicate with them
  • Set the expectation for your board's role - let them know what you (and the examiners) expect from them
  • Be transparent - share the major issues and challenges you face and how you plan to overcome them
  • Align IT needs with business needs - if you want the board's attention, lead with the business needs
  • Make it a briefing rather than a training - set the tone for the importance of the topic

Board reporting can be more than just a regulatory requirement. When done well, it can build a strong relationship between an institution's IT department and its board. This relationship can be key to ensuring that the institution keeps advancing in its use of technology and that the support for its customers and employees is continuously improving.

For assistance with your Board Education program, contact Gerald Gagne, CPA, CISA, Director of Risk Management Services, at 617-428-5455 or