Five questions boards should ask before investing in major tech projects

Friday, 15 May 2026

Natalie Filatoff
Journalist

    Poor tech fluency, imprecise scope definition and over-reliance on major vendors can contribute to digital outages, cost blowouts and obsolete systems. Businesses can’t afford to opt out of technological transformation, but deeper board engagement will better negotiate the pitfalls. 


    Boards expose their organisations to real risks when investing in major technology projects such as digital transformations and implementation of new enterprise software or AI tools. Industry conferences are sprinkled with tales of successful adoption, but directors can just as easily find themselves trying to play down white elephants in the boardroom. 

    Take the Metcash Microsoft ERP transformation, announced in 2020, which sought to bring the company’s three divisions – supermarkets, hardware and liquor – onto the same operational platform. Over several years, the $80-$100 million project ran to $280 million and never achieved its overarching goal, because of unconsidered complexities in the divergent business operations.

    The potential risks of over-reliance on third-party platforms were highlighted in mid-2024, when cybersecurity firm CrowdStrike released a faulty sensor update that led to a global IT outage affecting 8.5 million Microsoft Windows systems, which caused massive disruption to individuals and businesses worldwide.

    And nothing cried out for careful contingency planning so much as Australia’s September 2025 Optus “triple-zero” outage in which a routine firewall upgrade inadvertently cut off emergency services calls for 13 hours, contributing to the deaths of four people.

    “You can outsource capability, but you can’t outsource accountability,” says Katherine Boiciuc, aka “KB”, EY’s Chief Technology and Innovation Officer for Oceania. 

    Dr Kellie Nuttall, Director of Future Secure AI, concurs. “Boards should be focused on accountability. We need to normalise the question: ‘What could go wrong here?’ and include a broad range of perspectives.”

    John Karabin, Canberra-based Chief Cyber Security Strategist for McGrathNicol, says, “Problems occur when boards don’t ask ongoing questions such as, ‘Has our risk profile changed?’” while embarking on transformations and implementing new technologies.

     AICD tasked these three experts to formulate five essential questions boards should pose to their executives when considering investment in major tech projects. 

    1. What is the precise business problem we’re trying to solve?

    Having a clear strategic purpose for technology adoption guides subsequent decision making. It defines the scope of implementation, makes attendant risks easier to identify and ideally keeps the end users – employees or customers – firmly in mind. 

    Says KB, boards should “hold tightly” to the purpose of the technology, “the value they’re looking to unlock” and “how they want the transformation to feel to the end user”.

     

    2. What is our company’s readiness to make this change?

    That is, what does our data look like? What are our governance procedures around new technologies? Are our people ready to be part of this business transformation?

    “Boards get into trouble if they treat major tech investment as a procurement decision rather than a transformation decision,” says KB. She says this was just part of the misconception behind the Metcash misstep.

    At Future Secure AI, which builds bespoke AI co-workers to support the human workforce, Nuttall observes that the organisations they typically work with “have a strategic mindset around where the future of their workforce is heading – where humans are best placed and where they could be doing more meaningful work. Their mindset goes beyond thinking of AI as a technology solution.” 

    KB describes AI as a transformation initiative that is “10 per cent about the tool, 30 per cent about the data and 60 per cent about the people and their ability to cope with the volume of decisions and change”. Therefore, if boards are focused on asking questions about the tool, the vendor, the pricing and time to implementation, they’re missing 90 per cent of what determines a successful transformation.

    All three experts advocate for an audit of company data before implementing any transformation. Where is it stored? How secure is it? Is there an up-to-date catalogue of what is sensitive and not sensitive? KB recommends drilling down into, “Who has decision rights on when technology such as AI can touch datasets, and which datasets should not be accessible to synthetic entities?”

    3. What processes do we have in place to constantly reassess what could go wrong?

    McGrathNicol advises its clients to conduct “tabletops” in which the board, together with the management team, works through hypothetical crisis scenarios and simulations. If, say, your telco’s ability to take emergency calls is disabled or sensitive customer records are breached – what responses does the company have in place to mitigate disaster? Going through this process at least twice a year, if not quarterly, says Karabin, “tests your resilience, your business continuity and your back-up plans”.

    He notes supply chains are involved in around 80 per cent of security breaches McGrathNicol is called on to investigate. “Re-evaluating your supply chain when you upgrade, change or introduce new services is super-critical.” That includes periodically checking your supplier contracts are in line with your evolving security requirements.

    The cost of the CrowdStrike outage to US Fortune 500 companies alone was estimated at the time to be around $5.4 billion. The blackout prompted many companies to review their dependence on large software providers.

    4. Are we being flexible and agile in our partnership models?

    Again, Metcash comes to mind in its reliance on Microsoft to implement an all-encompassing solution. Nuttall emphasises that implementing transformative technologies such as AI “is not like putting in an SAP ERP system and upgrading it every five years”. Instead, she talks about creating partner ecosystems, sourcing a number of partners that excel in their fields. Knowing what you’re looking for comes back to strategy and nailing where you want to drive competitive advantage. 

    If you’re thinking about the future blended workforce of AI and humans, says Nuttall, seek out a company specialising in agentic AI. If you want to support the personal productivity of executives and require a model that includes data centres in Australia, look for “a hyperscaler or large language model (LLM) provider that works with data in a secure local environment”. And cultivate the mindset to switch providers if a better solution comes along.

    5. Before we press “go”, what was the old way? What is the new way? Walk us through the transformed experience.

    “You need to have enough contact, skin to skin, with the project,” says KB, to build “your own personal trust with the level of information you’ve got, the level of exposure you’re inviting, to make the right recommendations and choices”.

    Some strategies for getting up close and comfortable with a new technology project? Nuttall and KB both recommend speaking with executives and directors of companies that have successfully managed a similar transformation – asking what they learned and what they wish they’d done differently.

    Nuttall adds that one “cool” approach to raising board AI literacy and understanding is for directors to shadow an internal AI project. “They attend reviews, they ask questions, they start to see where the friction in building AI is and it helps them identify where there might be governance risk.” In addition, she recommends the AICD course, AI Fluency for Directors Sprint, of which she is a co-designer.
