Tech Risk is Business Risk

Cyber, AI, modernization, and third-party exposure aren’t IT topics. They’re enterprise value topics. They determine whether a company can serve customers, meet regulatory obligations, protect its reputation, and keep operating when something fails.

In most organizations, a serious technology failure isn’t just a technical problem. It becomes an operational, reputational, financial, and regulatory headache all at once. This is where governance is most often tested, and too often found thin.

Boards know technology matters. We know cyber is serious. We know AI is changing the landscape faster than governance structures are adapting. And yet we still often treat these as separate technical reporting items rather than as a connected category of enterprise risk that requires the same discipline we apply to financial oversight.

This framing no longer holds.

I don’t believe every director needs to be a technologist. But every board does need a baseline level of technology fluency, alongside a few members with deeper expertise—much as we approach financial oversight. We also need to govern technology risk with the same rigor applied to every other category of enterprise risk: clear ownership, evidence-based review, tested capability, and a cadence that matches the actual pace of change.

This has become a fiduciary question, not a technical one.