The decision to buy and use board management software (or a board portal) requires thoughtful consideration, especially since you’re likely to want to engage with the vendor long-term.
There are a number of factors to look into, and a number of vendors provide support by offering buyer’s guides. While many of these guides do a sufficient job of educating decision-makers on board portals’ must-have features and services, many of them gloss over the impact and cost of getting things wrong.
We’d like to give you a more holistic approach to selecting board management software.
In this paper, we highlight three pillars that support any board portal platform: simplicity, cost, and security. We discuss the importance of these foundational components and the consequences that arise if buyers fail to evaluate these correctly. Finally, we offer some guidance on what to look for so that you, as a buyer, aren’t blindsided in the long-run.
PILLAR #1: SIMPLICITY
1. For the end-user
What you need to get right:
Board portals should be easy-to-use. Keep in mind that board management software is not an application that’s accessed as frequently as some productivity or meeting solutions. For many, it will be used only when board or committee meetings are scheduled. This makes it critical for board portals to have a clean user-interface that is intuitive by design. Board members, tech savvy or not, should feel comfortable navigating through the features of the application without the need for lengthy training, frequent practice sessions or ongoing support interventions.
Consequences of getting things wrong:
When a board portal has extensive features that are too complicated for the board’s needs, the portal simply becomes another barrier to efficiency and effective governance. Directors and board members will resort to old, familiar and often unsecure ways of reviewing, communicating, and executing their governance duties (think email and mass-market collaboration tools) — for expediency and productivity’s sake. The likelihood of full adoption becomes problematic and the return on investment (ROI) will not be met.
What to look for:
Always request a demo or, if possible, a free trial before making the final decision to go with a provider. Take a look at what the software looks like and have a feel for how intuitive it is. Is it overloaded with features you won’t require? Will it be complex for your board members to learn?
The board portal’s user interface should be simple, clean, and possess practical features you will actually use. Remember that simplicity doesn’t necessarily mean compromising on functionality. It might just mean it’s better designed.
2. For board administrators
What you need to get right:
The board portal should be easy to set-up and configure. Board administrators should have the ability to create committees within the platform, manage groups and assign security roles and rights of users, execute board governance tasks, and control access to board data with ease.
With the exception of handling maintenance issues or implementing updates, ensure the board portal provider gives you full system ownership and control. There’s no need to outsource board administrative work (such as the addition/removal of users or the set-up of committees, etc.) to the vendor. Board administrators should have the flexibility to manage and configure the system as they please.
Consequences of getting things wrong:
If the board software is too complicated to configure or use, it can translate to the need for time-intensive training and costly onboarding efforts — which means lost time and more money.
Also, the need to log change requests with the vendor for routine administrative tasks compromises the ability of the administrator to be agile and can significantly slow down board processes. More importantly, this creates a security gap: are you comfortable with third-party employees and contractors having access to your board and committee data? If a software vendor has 100 staff with access to client data, that’s 100 additional points of vulnerability for you to think about. It might be an unnecessary risk to take on.
What to look for:
Review the specifics around board portal training, maintenance, enhancements, and customer support. After the initial rounds of customised training and onboarding, you’ll want as much administrative autonomy over the solution as possible. The idea is to keep the tool simple for board activities and administrative management.
PILLAR #2: COST
What you need to get right:
This requires a true understanding of how your board works and what their practical needs are. The buying decision should stick to and consider that context. This will prevent you from falling into the trap of purchasing board software that is over-engineered or too complicated for the board’s use.
As mentioned in the previous section, some board portal providers also require that certain administrative features be handled by them. Watch out for hidden costs associated with system configuration requests, user management, data storage, training, product enhancements, and customer support.
Consequences of getting things wrong:
Consider the costs involved when purchasing a board portal from a provider that might be more established, but whose product doesn’t suit your board’s needs. You can end up paying for “functionally-rich” software that the board won’t use. It’s always important to remember that board portals should help streamline and support the board’s activities — not make life more difficult. Boards shouldn’t feel the tool is daunting, cumbersome, or too complex to accomplish meaningful work.
The above-mentioned hidden or “extra” costs of owning board management software can also add up. This can impact your ROI down the line, especially as your board scales and grows. Nobody wants to have to deal with unbudgeted nuisance charges and next-business-day service delays.
What to look for:
First, look for board software platforms that seamlessly integrate with the way your board functions. Note down the features you need versus what is being offered by the platform. Apart from lowering material and labor costs, are there gains to be had in terms of productivity?
Secondly, you’ll want to work with vendors who offer fair and transparent pricing.
At Praxonomy, for instance, we don’t surprise our clients with costs outside the monthly subscription fee for Boardlogic, our board portal. You’re not charged for the set-up of the board software, client support, data storage, or product enhancements around upgrades. We are upfront about what we offer so our potential customers can fully assess whether it makes sense from an ROI perspective.
PILLAR #3: SECURITY
1. External risks
What you need to get right:
IBM’s Cost of a Data Breach Report states that the average cost of a data breach in 2022 is $4.35 million, up 2.6% from 2021. The report further states that compromised credentials were responsible for 19% of breaches, and phishing was responsible for breaches 16% of the time. The cyber environment is riskier than ever.
It’s not surprising that because of their position and access to sensitive information, board members have become targets for cyber scams and crimes (such as business email compromise and whaling). The use of secure board software helps mitigate these cyber risks.
So, it should be reiterated: be wary of board management software vendors who don’t place a premium on security, or those who don’t highlight its importance nearly enough. Security can arguably be the most critical component of a board portal.
Consequences of getting things wrong:
You put your organisation at risk by placing information in a board portal with sub-par security features and poor security measures and procedures. With data breaches on the rise, you don’t want to make choices that expose your organisation to financial costs, regulatory fines and penalties, reputational and credibility damage and complex operational risks.
What to look for:
Work with a vendor who understands how — and why — security should underpin all design decisions and features of the board portal. Look for a board management software provider who has a “security-first” culture.
By “security-first” culture, we mean that the board portal is built and designed with security in mind. It also means that the vendor is meeting industry security standards in the form of certifications, such as ISO 27001. Ask whether the board software undergoes periodic penetration testing and whether it’s subject to internal and external security audits.
On an infrastructure note, where are the vendor’s servers located? Does the vendor have incident management or business continuity plans in the event of attacks? As a baseline security concern, it pays to be informed about the vendor’s data-encryption methodologies too — is data encrypted in transit and at rest? It should be.
Finally, ask how the vendor protects access to the board portal (e.g., biometric access, remote wipe of the application in case the device(s) with the board portal are lost or stolen, etc.). These shutdown options should be “air-tight” and easy for administrators to control.
2. Insider threats
What you need to get right:
Be it for reasons of financial gain, boredom or curiosity, for the purpose of seeking shortcuts to productivity, or for revenge, insider threats are on the rise. The 2022 Ponemon Cost of Insider Threats: Global Report reveals insider threat incidents have risen 44% over the past two years, with total average annual costs reaching $15.38 million.
Here are some other alarming statistics from the same report:
Out of 6,803 incidents considered:
- 56% were caused by employee or contractor negligence
- 26% were caused by criminal or malicious insiders
- 18% were due to credential theft
Whether malicious or unintentional, board portal information is not spared from insider threats. Again, a layer of complexity is added if certain tasks have to be handled by the board portal provider. This might grant them access to information you don’t want them to see. Visibility into meeting information and attendees, for instance, has inherent security risks and implications. How can you be sure such highly-sensitive pieces of information will not be captured, leaked, or shared?
It’s therefore important to identify what type of information, if any, will be visible and accessible to individuals belonging to — and working with — the organisation.
Apart from data security, look into the client data privacy angle. (To highlight the difference between the two, data security is generally meant for protection against external threats, while data privacy relates to responsible governance or use of data.) Ideally, you’ll want to retain complete ownership of your data. Vendor agreements that omit this point or suggest otherwise are problematic. For information as sensitive as board documents, you don’t want third parties (meaning parties other than your supplier) managing, processing, transferring, or sharing your data at all (the best case) or at least not without prior encryption, explicit legal safeguards and serious chain-of-control processes in place.
Consequences of getting things wrong:
The consequences of mistakes can be just as disastrous as falling victim to external threats. If highly confidential information inadvertently becomes public, there can be long-term damage to the organisation (39% of costs are incurred more than a year after a data breach.)
What to look for:
From a macro-level, since employees are stewards of information, ask about the policies that the provider has in place for employee security training and whether employees are bound by agreements to uphold privacy policies for the handling of confidential client data.
From an application level, ensure only designated board administrators have sole access to determine and set user roles and access privileges. Look for board portals which offer granular permission settings. This gives board administrators more control over who has access to uploaded board packs, minutes, files, and spaces in the board portal. It narrows down the possibility of insider threats.
With respect to data privacy, is the vendor a member of data-privacy certification bodies?
Praxonomy, for instance, is a member of the Verasafe Privacy program. Membership to this program ensures that personal data processed within the Boardlogic application follows external data governance and data security standards set by Verasafe’s Privacy Program Certification Criteria. It requires that participants maintain a specific standard for data privacy and implement best practices pertaining to notice, onward transfer, choice, access, data quality, recourse and enforcement.
TO CONCLUDE —
Dig deep into what vendors have to offer in terms of simplicity, cost, and security. The issues are interrelated in many ways and getting one area wrong can have implications for the other two. However, by asking the right questions, you can have smarter and more open conversations with providers about what makes sense for your organisation.
There’s a lot to consider. The costs and consequences of getting things wrong can loom large. But by keeping the three pillars in focus and approaching the purchasing process from these angles, you exponentially increase the odds of getting things right.
Remember:
Thank you for reading to the end. We hope this article helps you move forward with confidence.
Experience secure, modern board governance with Boardlogic. Schedule a demo today.