As recently as March 2015, Hillary Clinton’s use of private email on multiple devices while serving as secretary of state hit the media. Clinton commented, “. . . I opted for convenience to use my personal email account, which was allowed by the State Department, because I thought it would be easier to carry just one device for my work and for my personal emails instead of two.”

Every board member can fall prey to the Clinton communication example—take the necessary steps to educate your board.

We continue to live in a changing business environment with a backdrop of increasing regulatory pressures and a heightened focus on improving board oversight and communication. Current guidance and regulatory policies and practices are designed to force improvement in risk management and compliance. Along with that comes the responsibility of how we securely communicate and exchange confidential information at the board and committee level.

Technology and security are playing an important role in this change as leadership demands more mobility, flexibility and speed. Armed with multiple mobile devices and an “on-the-go” attitude, some stakeholders, who may not have grown up in the world of IT, are constantly exposing company information to risk.

Practices for managing board communication suggest we may not be keeping up with the requirements for security and compliance.

Take into account the following:

The Organization

  • Think about how many board members are still receiving board and committee information in their personal email accounts. Then layer in the amount of changes and document version control that need to be communicated before the actual meeting. This information often is not encrypted.
  • Interaction between management and the board is continuous. Monthly, quarterly and annual meetings give the board and committee members an opportunity to review company performance, and provide a forum for governance. Information is still being printed, exposing huge amounts of confidential information as directors travel between meetings and between locations.
  • Confidential documents from regulators, investors and management flow from administrators to the board without being secured.

The Individual

  • Critical documents are still being stored and shared on a variety of personal devices – computers, tablets and phones.
  • Directors and committee members are still sending their packets to their personal emails so they can print the materials, thereby breaching security.

What do you do?
Security issues continue to be on the front page of the news. How do you prevent a perfect storm from happening where directors with personal communication devices are not handling confidential information in a proper format? Below are four practical steps to address this.

Education: Board members should be educated on a periodic basis as to what their roles and requirements are, from a board and a bank perspective. If you are public, Securities and Exchange Commission regulations should also be reviewed often.

Process: To help prevent damage from occurring, it is also important to set up a process whereby the directors are getting the necessary information in a secure fashion. There should be sufficient documentation of the process in establishing and monitoring board members. Appropriate personnel, including risk-management and IT personnel, should have input.

Review: The risk department should conduct a review and test the entire process to ensure the loop is secure. This should include management, committee members and the entire board.

Evaluate: Evaluate the risk factors affecting the current process. How does it impact the organization overall?

As technology continues to evolve at breakneck speed, the race is on for leaders to move fast enough to deliver a secure environment. It is clear that not enough attention is being focused on the process that is necessary to foster this environment. Board members will need to think ahead before they communicate, and leaders will need to make sure director communications are secure. And there is no magic formula for creating this—it is an ongoing, “live” process that you will need to keep reviewing. While the process needs to constantly be monitored and refreshed, it also must reflect new behaviors and new preferences: look to the success of the Apple Watch. 

This real-time process will aim to keep you secure at all times. And that may end up in your favor as regulators may soon turn their focus to communication within the board room.

Liz Kiley