Three-week Board Technology Governance Initiative
Risk register in financial terms. Governance framework modeled on audit committee structure, aligned to the SEC 2023 cybersecurity disclosure rules (Item 106 of Regulation S-K and the four-business-day material-incident clock under Item 1.05 of Form 8-K) where applicable. Management reporting cadence with defined formats. Built to be defensible against named governance standards (NACD Director's Handbook on Cyber-Risk Oversight, COSO ERM, NIST CSF 2.0 Govern function) and consumable in 30 minutes of board time. Board and committee-chair interview availability is the typical schedule constraint.
Who this is for
A board-ready technology governance framework you can present at the next meeting.
Board / Audit Committee
You need a defensible posture under the SEC 2023 cyber disclosure rules and technology risk visibility in the same format you already use for financial risk.
General Counsel
You want a defensible governance structure documented before the next D&O renewal or board self-assessment cycle.
CEO
You need to give the board confidence on technology without becoming the IT spokesperson.
CISO
Your board is asking for governance maturity and you want the framework documented so the same answer holds up across quarters.
Scope
What this initiative delivers, and what it does not.
Scope is fixed at signing. Items tagged TOP are available inside the broader Technology Operating Partner retainer; the initiative alone does not include them. Items tagged with an outside source require a separate specialty engagement.
In scope
- Existing governance state interview (board chair or audit committee chair, GC, CEO, CISO, internal audit if present)
- Technology risk register drafted in board-readable financial terms (Annualized Loss Expectancy)
- Governance framework recommendation modeled on audit committee structure (charter, cadence, escalation)
- SEC 2023 cybersecurity disclosure alignment where applicable (Item 106 of Regulation S-K board-oversight description; the four-business-day materiality clock under Item 1.05 of Form 8-K; the materiality determination process)
- Management reporting cadence (what gets reported, how often, in what format)
- Board presentation deck designed for 20 to 30 minutes of board time
- Reference to applicable governance frameworks (NACD Director's Handbook on Cyber-Risk Oversight, COSO ERM, NIST CSF 2.0 Govern function)
Out of scope
- Serving on the board or audit committee (Director independence)
- Legal opinion on director-and-officer fiduciary duty (Qualified counsel)
- Running the governance program on an ongoing basis (TOP)
- Replacing your internal audit function (Internal audit firm)
- Vendor selection for GRC tooling (TOP)
Inputs
What we need from you
Provided at kickoff. Missing inputs delay the initiative; they do not change scope.
- Current board package or committee charter if one exists
- Existing risk register (financial, operational, or technology) for reference format
- Recent technology incidents or near-misses to inform the register
- Three to five stakeholder interviews (board chair or audit chair, GC, CEO, CISO, optionally internal audit). Board-member calendars typically drive the schedule.
Timeline
Week by week
Daily visibility throughout. Mid-initiative check confirms direction before the deliverable lands.
Week 1
Kickoff and stakeholder interviews
Scope confirmation, current-state document collection, three to five structured interviews scheduled and conducted.
Week 2
Risk register, framework, cadence
Technology risks expressed in financial-impact terms. Governance framework, reporting cadence, and escalation paths drafted. Mid-initiative check with GC and audit committee chair.
Week 3
Deck, walkthrough, handoff
Board presentation built for 20 to 30 minutes of meeting time. Walkthrough with GC and audit committee chair. Final framework, register, and deck delivered.
Output
What you walk away with
- Written governance framework document
- Technology risk register in financial terms
- Management reporting cadence with templates
- Board presentation deck
- Walkthrough with GC and audit committee chair
Honest framing
What this initiative is not
This Initiative produces advisory documents. It is not legal advice, not director-and-officer fiduciary counsel, and not a replacement for your internal audit function. The framework is designed to be defensible against governance standards (NACD Director's Handbook on Cyber-Risk Oversight, COSO ERM, NIST CSF 2.0 Govern function) and to align with the SEC 2023 cybersecurity disclosure rules where applicable, but adoption, ongoing operation, and final disclosure language are your responsibility.
If you are a portfolio company
How the work calibrates to the PE-backed seat.
Companies inside a PE portfolio operate against constraints generalist enterprise framing does not cover. Each of these shapes how the Initiative is scoped and sequenced.
- Board reporting cycle. Output is sized to land before the next quarterly board read, not the company's annual planning calendar.
- Exit window math. Decisions made 12 to 24 months ahead of exit show up at the bid. Where applicable, findings are tagged for the exit-window timeline they affect.
- Add-on integration tempo. Findings that pertain to acquisition integrations are surfaced separately so the deal team can either price them in or sequence the integration around them.
- Cost discipline by hold position. Recommendations are calibrated to where the portco sits in the hold cycle. A company in early hold has different cost flex than one 12 months from exit.
Related
Initiatives that pair with this one
FAQ
Questions buyers ask first
What do the SEC cybersecurity rules require the board to disclose?
The annual 10-K must describe the board's oversight of cybersecurity risk, name the committee that owns it, and explain how that committee receives information about threats and incidents. The 8-K rules require disclosure of material incidents within four business days of the materiality determination. A general statement does not satisfy the rule. The Board Governance Initiative produces the disclosure language, the committee charter, the briefing cadence, and the materiality framework that supports the four-day clock.
How do I quantify IT risk in dollars for the board?
The board-ready format is Annualized Loss Expectancy. ALE equals Single Loss Expectancy multiplied by Annual Rate of Occurrence, with each number expressed as a defensible range, not a point estimate. SLE is grounded in asset value and exposure factor. ARO is grounded in industry incident data and your own history. Preside delivers the ALE baseline within 30 days. From that point every control decision is a dollar trade, not a color.
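The ALE arithmetic described above (SLE = asset value x exposure factor, ALE = SLE x ARO, every input a range rather than a point estimate), worked as an added Python example that is not part of the page or of the Preside deliverable. The Range and Risk classes, the three sample risks and the control cost are constructed assumptions; the control_net_benefit function goes one step past the text to show the "dollar trade" for a single control.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Range:
    """A low/high band; the board sees ranges, not point estimates."""
    low: float
    high: float

    def __post_init__(self):
        if self.low > self.high:
            raise ValueError(f"range low {self.low} exceeds high {self.high}")

@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float        # dollars at stake
    exposure_factor: Range    # fraction of asset value lost per event, 0..1
    aro: Range                # events per year (0.1 = roughly once a decade)

def sle_range(asset_value: float, exposure_factor: Range) -> Range:
    """Single Loss Expectancy = asset value x exposure factor, carried as a range."""
    if exposure_factor.low < 0 or exposure_factor.high > 1:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return Range(asset_value * exposure_factor.low, asset_value * exposure_factor.high)

def ale_range(sle: Range, aro: Range) -> Range:
    """Annualized Loss Expectancy = SLE x ARO; low*low and high*high keep the band defensible."""
    return Range(sle.low * aro.low, sle.high * aro.high)

def build_register(risks: list) -> list:
    """Rows of (name, ALE range), ordered by worst-case ALE so the top line is the top risk."""
    rows = [(r.name, ale_range(sle_range(r.asset_value, r.exposure_factor), r.aro)) for r in risks]
    return sorted(rows, key=lambda row: row[1].high, reverse=True)

def control_net_benefit(before: Range, after: Range, annual_cost: float) -> Range:
    """Dollar trade for a control: ALE reduction minus annual cost, as a range.
    A band that straddles zero is a control the expected-loss case alone cannot justify."""
    return Range(before.low - after.high - annual_cost, before.high - after.low - annual_cost)

# Constructed sample inputs, not figures from any real company or from the page.
SAMPLE_RISKS = [
    Risk("Ransomware on ERP platform", 4_000_000, Range(0.20, 0.50), Range(0.10, 0.30)),
    Risk("Customer database breach", 2_500_000, Range(0.30, 0.60), Range(0.05, 0.20)),
    Risk("Cloud misconfiguration outage", 1_000_000, Range(0.05, 0.15), Range(0.50, 1.00)),
]

if __name__ == "__main__":
    for name, ale in build_register(SAMPLE_RISKS):
        print(f"{name:32s} ALE ${ale.low:>12,.0f} to ${ale.high:>12,.0f}")
```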
Are directors personally liable for a cyber failure under Caremark?
Pure cyber-failure Caremark claims have mostly lost at the pleading stage. The Delaware Court of Chancery dismissed the SolarWinds derivative suit in Construction Industry Laborers Pension Fund v. Bingle (Sept. 6, 2022) and the Marriott derivative suit in Firemen's Retirement System of St. Louis v. Sorenson (Oct. 5, 2021), both at the pleading stage. The exposure has shifted: directors face higher risk when the company has issued materially misleading statements about its cybersecurity and the board cannot show it had a process to verify those statements. The Board Governance Initiative documents the oversight process: the committee charter, the briefing cadence, the materiality framework, and the evidence trail that lets the board show it asked the right questions on the record.
What is the four-day rule for cyber incidents?
Once the company determines a cybersecurity incident is material, it has four business days to file Item 1.05 on Form 8-K. The clock starts at the materiality determination, not at incident detection, and the determination must happen without unreasonable delay. The Board Governance Initiative includes the materiality framework, the determination process, and the disclosure language template so the four-day window does not become a discovery exercise.
For your role
Where this initiative fits into the wider Preside view
For Boards and Audit Committees →
The full board view: SEC Item 106 disclosure language, committee charter, materiality framework, and the four-day clock under Item 1.05.
For CEOs →
The CEO's side of board governance: getting the cyber conversation off color-coded slides and onto dollars and decisions.
Inside the broader program
When the initiative becomes the standing engagement
This Initiative is a one-time fixed-price engagement. The Technology Operating Partner relationship continues the work on a quarterly cadence at one of four Program tiers: the dashboard gets re-run, the savings get re-baselined, the architecture gets re-mapped, and the board gets the same format every meeting. Most clients begin with an Initiative like this one and decide on the tier after the deliverable lands.
Ready to scope this
From "the CISO presented" to documented oversight under the SEC 2023 rules. Three weeks.
One email. Brief description of the situation. We respond within one business day with initiative confirmation or a recommendation of a better fit.
Not sure this is the right initiative for your situation? Take the four-question path-finder for a personalized recommendation.