The Three Questions Every Board Should Be Asking Their IT Team

Most boards receive a technology update once a quarter. It usually involves a slide deck with green/amber/red indicators, a summary of projects in flight, and a budget variance. The board asks a few questions, the IT executive answers them, and everyone moves on feeling like governance has occurred.

It often has not.

The problem is not that boards are uninterested in technology. It is that they have not been given the right questions to ask. The questions that actually test whether an organisation’s technology is being well managed are not technical questions. They are judgment questions. Any board member can ask them.

Question one: What would happen if we lost access to our systems tomorrow morning?

This is a business continuity question, not a technology question. The answer should be specific: which systems, which processes would stop, how long before the business could resume operating, what has been tested and when was it last tested.

A good answer names specific systems, gives a recovery time objective that has been validated by an actual test, and acknowledges the gaps. A poor answer is vague about recovery times, cannot name the last time a restoration was tested, or treats backup and recovery as the same thing. Having backups is not the same as being able to restore from them quickly under pressure.

The follow-up question: when did we last actually test a recovery, and what did we learn?
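The distinction the article draws between having backups and being able to restore from them is easiest to see as a drill. The script below is an added illustration, not part of the original post and not anything Hayshack or Claritam ships: it builds a small backup from constructed sample files, records a manifest of file hashes at backup time, restores the archive into a scratch directory, checks every file against the manifest, and times the whole exercise against an assumed recovery time objective. It then repeats the drill against a copy of the archive that has been damaged on disk, which is the case where "we have backups" turns out to be untrue. The directory layout, file contents and RTO value are all constructed for the example.

```python
import hashlib
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_of(path):
    """Hash a file in chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source_dir, backup_path):
    """Archive every file under source_dir and return {relative_path: sha256}
    taken at backup time. The manifest is what later proves the restore is complete."""
    source_dir = Path(source_dir)
    manifest = {}
    with tarfile.open(backup_path, "w:gz") as tar:
        for p in sorted(source_dir.rglob("*")):
            if p.is_file():
                rel = p.relative_to(source_dir).as_posix()
                manifest[rel] = sha256_of(p)
                tar.add(p, arcname=rel)
    return manifest


def run_restore_drill(backup_path, manifest, restore_dir, rto_seconds):
    """Restore backup_path into restore_dir, verify against the manifest and time it.
    Returns a dict a board-level summary can be built from: did it restore, what is
    missing or altered, how long it took, and whether that is inside the RTO."""
    restore_dir = Path(restore_dir)
    start = time.monotonic()
    result = {"restored": False, "missing": [], "mismatched": [], "error": None}
    try:
        with tarfile.open(backup_path, "r:gz") as tar:
            try:
                # The "data" filter rejects absolute paths and traversal entries
                # (Python 3.12+, also backported to recent 3.8-3.11 releases).
                tar.extractall(str(restore_dir), filter="data")
            except TypeError:
                tar.extractall(str(restore_dir))  # interpreter without the filter argument
        result["restored"] = True
    except (tarfile.TarError, OSError, EOFError) as exc:
        result["error"] = f"{type(exc).__name__}: {exc}"
    if result["restored"]:
        for rel, expected in manifest.items():
            target = restore_dir / rel
            if not target.is_file():
                result["missing"].append(rel)
            elif sha256_of(target) != expected:
                result["mismatched"].append(rel)
    result["elapsed_seconds"] = time.monotonic() - start
    result["within_rto"] = result["elapsed_seconds"] <= rto_seconds
    result["passed"] = (result["restored"] and not result["missing"]
                        and not result["mismatched"] and result["within_rto"])
    return result


def demo(rto_seconds=5.0):
    """Constructed scenario: one intact backup and one damaged copy, both drilled.
    rto_seconds is an assumed objective chosen for the example."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        source = tmp / "prod"
        (source / "db").mkdir(parents=True)
        (source / "db" / "ledger.csv").write_text("id,amount\n1,100\n2,250\n")
        (source / "config.ini").write_text("[app]\nmode=production\n")

        backup = tmp / "nightly.tar.gz"
        manifest = make_backup(source, backup)
        good = run_restore_drill(backup, manifest, tmp / "restore-good", rto_seconds)

        # The same archive after storage damage: its first bytes are overwritten.
        damaged = tmp / "nightly-damaged.tar.gz"
        data = bytearray(backup.read_bytes())
        data[:32] = b"\x00" * 32
        damaged.write_bytes(data)
        bad = run_restore_drill(damaged, manifest, tmp / "restore-bad", rto_seconds)
    return good, bad


if __name__ == "__main__":
    for label, res in zip(("intact backup", "damaged backup"), demo()):
        print(f"{label}: passed={res['passed']} restored={res['restored']} "
              f"missing={res['missing']} mismatched={res['mismatched']} "
              f"elapsed={res['elapsed_seconds']:.3f}s error={res['error']}")
```

The useful output of a drill is the record it leaves: the date, the elapsed time against the objective, and the list of anything missing or altered. That record is the answer to the follow-up question above, and a quarterly dashboard that cannot produce it is reporting that backups exist, not that recovery works.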

Question two: Who in our organisation has access to what, and do they still need it?

This question surfaces the access management problem that most organisations have but few boards explicitly ask about. The answer involves former employees, contractors with persistent access, and internal staff who have accumulated rights over years of role changes.

What the board is really asking is: if someone wanted to cause us harm from the inside, or if a credential was compromised, how much could they do? The answer to that question is shaped entirely by how access is managed.

A good answer includes a recent access review, a process for revoking access when people leave or change roles, and some visibility into privileged accounts. A poor answer involves a lot of "we trust our people" and not much process.
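What a "recent access review" actually consists of is a reconciliation between who the organisation says works there and who the directory says can log in. The script below is an added example, not part of the original post and not a Hayshack or Claritam tool: it joins a constructed HR roster against a constructed identity-directory export and flags the four situations the article names (leavers and expired contractors still enabled, rights accumulated beyond the person's current role, privileged membership without a named owner, and accounts nobody has used for months). The roster, directory, role baseline, group names and review date are all constructed for the example; in practice each would be an export from the organisation's own systems.

```python
from datetime import date

# Constructed HR roster (assumption: exported from the HR system).
# status is "active" or "left"; end_date is set for contractors and leavers.
HR_ROSTER = {
    "alice": {"status": "active", "role": "finance-analyst", "end_date": None},
    "bob":   {"status": "left",   "role": "engineer",        "end_date": date(2024, 3, 1)},
    "carol": {"status": "active", "role": "helpdesk",        "end_date": date(2024, 6, 30)},  # contractor
    "dave":  {"status": "active", "role": "sales-manager",   "end_date": None},
}

# Constructed identity-directory export: enabled flag, group membership, last login.
DIRECTORY = {
    "alice":      {"enabled": True,  "groups": {"finance-readonly"},                        "last_login": date(2024, 7, 10)},
    "bob":        {"enabled": True,  "groups": {"engineering", "domain-admins"},            "last_login": date(2024, 2, 28)},
    "carol":      {"enabled": True,  "groups": {"helpdesk", "vpn"},                         "last_login": date(2024, 7, 12)},
    "dave":       {"enabled": True,  "groups": {"sales", "engineering", "finance-readonly"}, "last_login": date(2024, 7, 11)},
    "eve":        {"enabled": False, "groups": {"sales"},                                   "last_login": date(2023, 1, 5)},
    "svc-backup": {"enabled": True,  "groups": {"domain-admins"},                           "last_login": date(2023, 11, 2)},
}

# Assumed role baseline: the entitlements each role should carry and nothing more.
ROLE_BASELINE = {
    "finance-analyst": {"finance-readonly"},
    "engineer":        {"engineering"},
    "helpdesk":        {"helpdesk", "vpn"},
    "sales-manager":   {"sales"},
}

PRIVILEGED_GROUPS = {"domain-admins"}   # groups that need a named owner and justification
TODAY = date(2024, 7, 15)               # constructed review date


def review_access(hr, directory, baseline, privileged, today, dormant_days=90):
    """Return {account: [(finding_code, detail), ...]} for every enabled account
    that needs a decision from its owner. Accounts with no findings are omitted."""
    report = {}
    for account, acct in directory.items():
        if not acct["enabled"]:
            continue  # already disabled; out of scope for this review
        findings = []
        person = hr.get(account)
        if person is None:
            findings.append(("NO_HR_RECORD", "no owning person in the HR roster (service or orphaned account)"))
        else:
            if person["status"] == "left":
                findings.append(("LEAVER_STILL_ENABLED", f"HR status 'left' since {person['end_date']}"))
            elif person["end_date"] and person["end_date"] < today:
                findings.append(("END_DATE_PASSED", f"engagement ended {person['end_date']}"))
            excess = acct["groups"] - baseline.get(person["role"], set())
            if excess:
                findings.append(("EXCESS_ENTITLEMENT", f"beyond role '{person['role']}': {sorted(excess)}"))
        held_priv = acct["groups"] & privileged
        if held_priv:
            findings.append(("PRIVILEGED", f"member of {sorted(held_priv)}; needs named owner and justification"))
        idle_days = (today - acct["last_login"]).days
        if idle_days > dormant_days:
            findings.append(("DORMANT", f"no login for {idle_days} days"))
        if findings:
            report[account] = findings
    return report


def codes(report, account):
    """Just the finding codes for one account, in the order they were raised."""
    return [code for code, _ in report.get(account, [])]


def run_review():
    """Run the review over the constructed inputs as of TODAY."""
    return review_access(HR_ROSTER, DIRECTORY, ROLE_BASELINE, PRIVILEGED_GROUPS, TODAY)


if __name__ == "__main__":
    for account, findings in run_review().items():
        for code, detail in findings:
            print(f"{account:12} {code:22} {detail}")
```

Each finding is a decision for a named owner (disable, reduce, or document and keep), and the dated list of those decisions is what "a recent access review" means. Two of the constructed rows illustrate why the review has to be a join and not a directory listing: bob looks like an ordinary engineer until the HR roster says he left in March, and svc-backup holds domain-admin rights with no person behind it at all.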

Question three: Are we compliant, or do we just have a compliance document?

POPIA is the obvious example in South Africa. Most organisations have a privacy policy. Many have appointed an Information Officer. Fewer have actually mapped where personal information flows through the business, reviewed their processing agreements with third-party vendors, or tested what happens when someone requests access to their data.

The difference between having compliance documentation and being compliant is the gap between a photograph and the reality of what is happening day to day. Boards have a governance responsibility to understand which side of that gap their organisation sits on.

A good answer to this question includes a recent practical assessment, not just a policy document. It knows where the gaps are and has a plan for them. A poor answer produces the policy document and treats it as evidence of compliance.

Why these questions matter

Technology is not a specialist subject that boards can safely delegate and ignore. It is where most organisational risk now lives — in the systems, the data, the access rights, and the recovery capability. Boards that ask operational questions about technology are doing their job. Boards that accept a quarterly dashboard without pressing on the substance are not.

For South African organisations that want practical help understanding their technology posture — what the real gaps are and what it would take to close them — Hayshack’s advisory practice provides exactly that. No platforms, no vendor relationships, just honest assessment. Claritam provides the continuous monitoring layer that makes these questions answerable with live data rather than best guesses.
