The questions boards should be asking their CIOs

Brian Sommer, May 18, 2021
Better boards will be leaning on CIOs to guide their firms well and great CIOs will be ready with the right answers to tough questions. Here are the questions to kickstart great thinking and great things.


I peruse a lot of business publications every month. Many stories often describe something I’ve been seeing at clients for some time. Some articles describe something outside my usual coverage area or services mix. And some articles, a very few indeed, make me want to sit up and devour them in their entirety.

Late last month, McKinsey published “Four Ways Boards Can Shape the Cloud Agenda”. Now, that might not sound all that new or interesting, but, check out this first paragraph:

With the mounting evidence of cloud’s ability to drive significant business value, more and more companies are considering cloud’s role in fundamentally reshaping the competitive posture of their business (see sidebar, “Business value of cloud”). Yet, across interviews with almost 40 different boards, only 13 percent were actively thinking about and engaging in conversations around cloud. For one-third of these boards, cloud has never been considered important enough to discuss at all. This trend spanned boards across regions, industries, and company types.

Those are incredible statistics and unfortunate ones to boot. But, and this is really important, it also explains some of the Cloud 101 questions I get from CEOs even today.

The McKinsey piece is a must-read and it includes a number of questions across several disciplines that board members should be posing to CIOs and others in their firm. And, as good as this succinct piece is, the article could be more extensive and the next section of this piece definitely addresses this need.

There’s another reason for CIOs to communicate better with the board AND the executive committee. It turns out the C-Suite may also not be as digitally savvy as it needs to be. Just check out this bit from a recent MIT Sloan Management Review article, “Does Your C-Suite Have Enough Digital Smarts?”:

Having a digitally savvy top leadership team — that is, a team in which more than half of the executive members are digitally savvy — makes a huge difference. Our latest research shows that large enterprises with digitally savvy executive teams outperformed comparable companies without such teams by more than 48% based on revenue growth and valuation.

That’s actually a great article to read and its findings are sobering, too.  A great CIO that educates, informs and leads can be invaluable to the board and fellow executives. That CIO can also introduce technologies that fuel top and bottom-line growth.

The new board focus

Traditionally, boards of directors generally wanted to know about big IT expenditures and whether these projects had a decent ROI. That was then.

Now boards should care about:

  • The strategic (or lack thereof) nature of different technology vendor relationships
  • How different technologies are making the company more agile, cost-effective and secure
  • How IT (i.e., its people, systems, partners and infrastructure) is adapting to a far more volatile and changing business environment
  • How the mix of technologies being used is driving big, relevant value (and not just a cost line item)
  • What IT is doing to materially assist in reengineering how work is getting done
  • How IT is helping the company adapt to new business models, geographies, risks, etc.

To that end, let’s document the questions that CIOs should have answers to in case they must present to their board of directors with their growing expectations.

Questions CIOs should have answers for

Automation vs. re-automation vs. new white space opportunities

  • Why are we re-automating transaction processing systems? Shouldn’t we be pursuing all-new apps in new white spaces? Seriously, how many times do we have to re-install/upgrade the ERP?

It’s not just ‘cloud’ – it’s multi-tenancy, hyperscalers and more

  • Why are we paying a managed service provider/implementer/integrator to patch and maintain package software apps when a multi-tenant cloud vendor includes that with the service?
  • Why is it that startups are almost always using cloud technology for everything and cloud still represents a very small part of our IT footprint and cost basis?

Security at the HQ & plant level

  • You argue that we need on-premises technology so that we can secure it but when is the last time our plants’ routers, switches, sensors, production controllers, machine tools, etc. have had their firmware updated? Is our OT (operations technology) as secure as our IT (information technology)?
  • Hyperscalers and major cloud application vendors’ data centers undergo numerous and continuous security audits and certifications. Can you assure us ALL of our IT/OT infrastructure is as well protected as the best of these other data centers and technologies are?
  • Bad actors continue to attack businesses with malware and ransomware. How can we defend and recover from attacks without paying ransoms to these organizations?

Difference between self-interested vendors and strategic ones

  • If you examined the different software products we use, which vendors are committed to relentlessly reducing the TCO of these products? Can you point to any vendor who reduced their billings to us during the pandemic? Which vendors are using more and more open-source code and dropping their reliance on expensive, embedded third-party products? Why aren’t you challenging these vendors to meet a continuing price reduction target like our customers are demanding of us? When do the economies of scale these vendors are achieving get passed along to us?
  • Explain why cloud solutions were so great during the pandemic but some of our long-term hardware, systems software and application software vendors (and their integrator/MSP/reseller/etc. enablers) are still pushing costly on-premises or hosted, single-tenant solutions?


The Future of Work

  • This board expects the firm to have factories of the future, many different (and frequently evolving) business models, etc. But, how is this possible when our payroll, cost accounting, financial accounting, etc. still resembles what we were decades ago? When will we radically reimagine how we do work in this firm?
  • What sort of security concerns should we have with all of the Work From Home (WFH) employees we have now? How can we be certain that our customers’ data is secure when employees can access it from most anywhere?

The competition

  • What do we really know about the IT stack at our most dangerous competitors? We know our old, long-term competitors well but what are the all-new, VC-backed, unencumbered firms doing? These are the firms that will blind-side us!
  • Instead of 80% of our IT budget going to the care and feeding of our existing apps (e.g., ERP and some custom apps), how specifically can we shift this to a more balanced spend with more emphasis on technology that will provide a competitive advantage (not competitive parity)?

The focus of IT

  • IT seems particularly fixated on internal, transaction data. Where in your long-range IT Strategic Plan are the initiatives that will utilize external data, non-accounting transactional data, dark data, etc.?
  • Our firm’s employee and recruiting brands took a big hit during the pandemic. How do we make the employee experience (EX) truly differentiated, painless and frictionless? Likewise, are we making other processes a pleasure for all of our other constituents (e.g., jobseekers, alumni, regulators, customers, suppliers, etc.)?    
  • Let’s talk about the velocity of decision-making in our firm. While we have a lot of real-time systems installed, it seems to take a long time for information to get to the right decision maker and then to the person who must act on it. One firm we are aware of has implemented almost 300 bots across their organization’s shared services functions. They have created over 28,000 automation workflows and have eliminated over a ½ million hours of non-value-added or no-value-added work (editor’s note: these numbers are real). Where are we in making our firm work at the speed of business? The accounting calendar is just not the relevant yardstick anymore!
  • Too many projects are getting slapped with the ‘digital transformation’ label but these appear to be ERP replacements, the addition of a smartphone app to an existing application, etc.   Can you get us systems that provide true Digital Disruption instead of re-automation or minor automation efforts?

IT support for CSR

  • Our annual report contains a lot of copy re: CSR (corporate social responsibility), new certifications (e.g., ISO 9001), energy reduction/management, carbon reduction, water reuse/conservation, renewables, organic products, etc.  However, the percentage of IT spend and headcount dedicated to these initiatives is negligible. Why? When will the electricity that powers IT equipment come from non-carbon sources? How can we make the full reporting of our carbon footprint across three levels of our value chain be automated and real-time?

Smart technologies

  • Fifteen years ago, IT acquired technology that made reporting more graphical and visual. What’s IT doing to make information ‘smarter’ and immediately actionable?  When are we getting tools that spot problems before they happen and recommend courses of action to mitigate problems and/or take advantage of emerging opportunities?
  • How do we know we won’t face legal or other challenges due to the way our algorithmic applications (e.g., applicant scoring) work? What feedback mechanisms exist to help us re-tune algorithms that go rogue? What kind of talent do we have in-house to make sure all ML, AI and algorithmic applications are doing what they should and no more?

Big Data risk management

  • With increasing attention being focused on web cookies, targeted advertising and a consumer’s need for privacy, how exposed are we to claims that we are retaining and/or profiting off of a website user’s or customer’s data?
  • How can we ensure that all personal data of employees, customers, etc. is encrypted and anonymized, and, that data cannot be de-anonymized by others?
  • Can we be certain that our firm’s cloud-based data is not being stored in a country that may not respect our and our customers’ desire for privacy?

IT personnel

  • Is the IT team too focused on some technologies, technology deployment choices (e.g., on-premises), etc.? How can this be corrected so that we have the team reflect the skills that will be needed going forward instead of those falling out of favor?

Software vendors - are they managing us or are we managing them?

  • Can we get better cost estimates from our software vendors, cloud or otherwise, so that we can plan/forecast more accurately? Are we pressing vendors for more transparent, straightforward contracts?
  • Are we moving to eliminate vendors that surprise us with too-frequent audits? Are we pressing vendors to give us price reductions when audits are in our favor? Are we billing vendors for our costs in the conduct of these audits? Why are we giving vendors the right to audit us?
  • Why are we accepting vendor contracts that permit vendors to charge us again (and again) for the same software we licensed years ago? Wasn’t the annual maintenance fee they charged us supposed to cover these nominal ‘innovations’?
  • Why are we permitting vendors to charge us subscription fees as well as document fees, connection tolls, virtual user fees, indirect access fees, and more? This ever-growing list of fees reflects something other than a subscription.
  • What’s our strategy to kick any single vendor to the curb should they get too greedy, fail to protect our data, provide poor service, etc.? How can we do so with minimal business disruption and very low cost?

My take

The questions above aren’t just for CIOs. Software vendors, integrators, implementers, etc. would be wise to help CIOs with these matters and to adjust their businesses accordingly. If your livelihood depends on CIOs, then you need to make sure your firm is on the right side of business and technology trends. There’s been enormous price deflation in computing hardware and even greater improvements in computing power, storage, etc. but the services space has yet to reimagine its role. That time is now.

Remember, if your customer, the CIO, can’t adequately defend your technology before the board, then you’ll likely lose this firm as a customer as well as the CIO’s fealty to your firm.

Boards have a fiduciary responsibility to shareholders but not to entrenched technology firms. They have a right to know how well their firm and its systems are protected. They also must ensure that capital funds are spent wisely and that the firm’s leaders are taking appropriate actions to maximize short-term earnings while also creating the opportunities for the firm’s long-term success. The rate of change and innovation in technology continues to accelerate and so, too, must a company’s IT strategy. A good board wants to understand the issues facing IT (and the firm) today as well as the thinking behind the decisions its executives are making re: technology and technology services.

One thing is abundantly clear: with all of the change afoot these days, a status-quo-seeking CIO is not really viable or recommended.
