Few operational areas of any corporation present as much inherent risk or prove as difficult to govern as Information Technology ("IT"). One of the reasons for the lack of governance has been the claim of not having sufficient knowledge to do so. However, recent years have brought a growing realization that not knowing is not an excuse. As more responsibility is placed on boards to oversee all areas of risk that their companies face, there is a critical need to provide effective governance over information technology, along with the necessary leadership from the top, organizational structures, and processes that ensure that IT efficiently sustains and extends the corporate strategies and objectives. This article provides an overview of some of the main considerations relative to every director's duty to govern IT risk. In particular, it addresses directors' roles in the risk oversight of the corporations they serve, their role in the governance of IT, their role in mitigating IT risks, and ways in which that risk can be transferred to or shared with others. A discussion of these topics will hopefully foster a deeper and more productive discussion within boardrooms.
© The John Marshall Journal of Computer & Information Law, 2011