The case of Amazon, in Figure 10.1, demonstrates the power of being focused on both the enhancement and the protection of shareholder value. There are two specific standards of performance:

1. Fiduciary duty, which requires the individual director to act with honesty, in good faith, and in the best interest of the company.
2. Duty of care, which requires the individual director to engage with care, diligence, and skill, and to make decisions that are prudent and reasonable.

It has historically been enough for a board to rely on experts in areas like technology. With incidents involving systemic breaches of privacy, like Target, and business models that go beyond expected norms, like Facebook, directors are increasingly under pressure to have their own level of technology diligence and skill in order to fulfill the “protect” part of their mandate.

Enhance and protect are the flip sides of the same coin, and directors need to be on top of both.

Governance is like steering, Risk Management is like braking.

Pearl Zhu

Technology governance discussions often focus only on the risk issues, which leave most boards with a blind spot regarding the opportunities. The blind spot is made larger by the traditional approach of governance by exception. When a board counts on the CEO to know what to bring in for discussion, it is often left out ...