The Financial Risk Double Standard
Boards wouldn’t accept an unreviewed balance sheet. We wouldn’t tolerate undefined ownership of financial risk, or a review cadence that treats it as an annual event, regardless of what is happening in the business. Yet this standard is still common in technology governance.
Many boards receive a quarterly cybersecurity slide. One page, traffic lights, aggregate metrics. No tested recovery capability. No clear escalation path. No way to distinguish real progress from reporting activity. It gets noted, and the agenda moves on.
This isn’t because directors don’t care. We do. It’s because the governance structures built for technology oversight were designed for a world where technology supported the business rather than constituted it. That world is gone.
All companies today, public and private, are reliant on technology, whether we (and senior management) fully acknowledge it or not.
The gap is structural. Audit and finance committees have decades of developed practice: defined scope, expected expertise, regulatory standards, and clear criteria for what evidence looks like. Technology risk governance is still being built in most organizations.
Closing that gap doesn’t require the board to create a new paradigm. It requires applying governance instincts that already work: who owns it, what progress looks like in evidence, what triggers escalation, and whether the review cadence reflects the speed at which threats and technology changes are actually moving.
In my own board work, informed by my time as a CIO, we’re actively applying this same discipline to technology risk. The standard already exists.