Are there other risks boards must watch out for?
We haven't seen huge blowups or disasters over privacy so far, but it's certainly waiting to happen. Information about people and customers is an asset that needs to be protected. Security is another looming issue.
How bad is the use of IT in financial controls? Is there a widespread problem?
That's a big question. Even after Y2K, there's a widespread problem with patched-together legacy systems, with archaic batch architectures incorporating Web services running with online systems, so there's a real-time updating problem. Spaghetti architecture clearly can be associated with reporting and data accuracy problems. You've got bad systems hooked up to real-time systems, and continually keeping those systems in tune is really difficult. But once you move control systems entirely to a real-time messaging architecture, a lot of these problems are corrected.
Was this part of what went wrong at Enron and WorldCom?
Enron involved outright fraud, and it is hard to catch that if the management decides to undertake fraudulent behavior. However, if the checks and balances had been in place and internal controls verified (as the Sarbanes-Oxley Act requires), it is unlikely that the fraud would have gone as far as it did.
Do all companies need an oversight committee, even if they're not IT intensive?
It depends on the situation. Clearly, financial-services companies are hugely dependent upon IT and need to attend to this more than a traditional manufacturing company, although, even as I say that, I think about the strategic implications of technology at General Motors, where on-board computers and portal-based parts auctions are transforming the business. You need to understand the technology environment for the company, its competitors and strategic opportunities, and from that situation you can start to judge. Even in the financial-services industry, people like David Pottruck, the CEO of the Charles Schwab Corp. and former vice president at Citibank, have a huge impact on the use of IT within the organization. In that kind of environment, you may or may not need an IT oversight committee.