The Board Report Should Show Friction Before It Shows Failure
A practical board-level article on why technology reporting should surface operational friction, hidden labor, exception volume, and recovery confidence before risks become visi...
Most board technology reporting is built to prove that things are fine.
Green status boxes. Completed milestones. Uptime percentages. Budget variance. Audit items closed. Cyber training completion. Project timelines that somehow stay cheerful until the month they do not.
I understand why those reports exist. Directors do not need a raw dump from the ticketing system. Nobody wants the board packet to become a help desk obituary.
But there is a problem.
By the time a technology risk turns red in the board packet, the institution has usually been feeling the friction for weeks or months. Customers felt it. Frontline staff felt it. Operations felt it. The vendor manager probably felt it. The only people who did not feel it were the people staring at a summarized dashboard.
That is not oversight. That is delayed awareness.
Boards do not need noisier technology reports. They need earlier signals.
Green does not always mean healthy
A green metric can be true and still be misleading.
The system was available 99.9 percent of the time.
Fine. What happened during the other 0.1 percent?
The project is on budget.
Good. How much internal work is being hidden because staff are creating manual workarounds?
The vendor met the service level agreement.
Great. Are employees still apologizing to customers because the process technically works but functionally stinks?
The cybersecurity training completion rate is 98 percent.
Nice. Are employees still submitting credentials into fake login pages during internal tests?
This is where boards get trapped. They assume a metric answers the governance question. Sometimes it does. Often it answers only the administrative question.
Administrative reporting asks, "Did the thing happen?"
Governance reporting asks, "Is the institution becoming more resilient, more exposed, or more dependent in a way the board should understand?"
Those are very different questions.
Example one: digital onboarding can look successful while operations absorbs the mess
Digital account opening is a perfect example.
Management can report higher application volume, faster completion times, and improved digital adoption. Those numbers may all be true.
But if branch staff are spending more time rescuing failed applications, if the call center is explaining identity verification errors, if compliance is reviewing more exceptions, and if customers are abandoning the process after hitting confusing steps, the board needs to hear that too.
The real risk is not that digital account opening exists. The real risk is that the board sees adoption while management absorbs friction in places the dashboard does not measure.
That friction matters because it tells you whether the strategy is working in the real world.
If customers start digitally but finish manually, you do not have a clean digital channel. You have a partially automated branch process wearing a nicer shirt.
The board does not need every operational detail. It does need the exception pattern.
Example two: AI adoption can look controlled while work moves around the policy
AI governance has the same problem.
A board may approve an AI policy, receive a model inventory, and hear that major use cases require review. That sounds responsible.
But the more useful question is what employees do when the approved tools are too slow, too limited, or too hard to use.
Do they paste customer complaints into public tools?
Do they summarize board materials with personal accounts?
Do they use AI to draft credit memos, member communications, vendor evaluations, or audit responses without telling anyone?
Do they keep local spreadsheets of AI-assisted work because the official workflow does not fit reality?
The policy can be clean while behavior gets messy.
Boards should not treat that as employee disobedience first. They should treat it as a signal. People create workarounds when the official process does not match the pressure of the job.
That does not excuse bad controls. It explains where the governance attention should go.
An AI report that says "no unauthorized AI use detected" may be comforting. A better board report would also show what has been requested, denied, delayed, escalated, and informally worked around.
That is where the real risk lives.
Example three: vendor performance can meet the contract and still fail the business
Vendor reporting is another place where boards get partial truth.
The vendor met uptime requirements.
The vendor responded within the contracted window.
The vendor completed the upgrade.
All good. Maybe.
But did the upgrade create downstream reconciliation work? Did staff have to rekey data? Did customer notifications go out late? Did another vendor blame this vendor for a missed feed? Did the bank or credit union burn internal hours making the result usable?
Contracts measure vendor obligations. They do not always measure institutional impact.
That difference matters.
A vendor can technically meet the contract while the institution carries the operational cost. If the board sees only the contract scorecard, it may miss the business risk until the relationship is already expensive to unwind.
This is why vendor reporting should include operational friction, not just contractual compliance.
What a better board report should include
I am not arguing for massive board packets. Please do not punish directors with 90 pages of system trivia.
A better report can be shorter than the current one if it focuses on the right things.
Here are five signals I would want in front of a board.
1. Exception volume
How many times did the institution have to step outside the normal process?
Manual account opening saves. Wire processing exceptions. Identity verification overrides. Reconciliation fixes. Vendor support escalations. Failed digital transactions that required employee intervention.
Exceptions are early risk signals. They show where the operating model is bending.
2. Repeat friction
One complaint may be noise. The same complaint twenty times is a process problem.
Boards should ask which technology issues keep appearing across branches, departments, call center notes, vendor tickets, and customer feedback.
Repeated friction is the institution telling on itself.
3. Hidden labor
How much staff time is being spent making technology work?
Not project hours. Cleanup hours. Rework hours. Manual workaround hours. Extra review hours. Time spent translating a broken process for customers.
Hidden labor is where bad technology quietly taxes the institution.
4. Decision latency
How long do technology decisions sit unresolved because ownership is fuzzy?
If a control exception, vendor issue, AI use case, or customer-impacting system problem takes weeks to find an owner, the board should know that. Slow ownership is a governance smell.
5. Recovery confidence
Not "do we have a plan?"
Every institution has plans.
The better question is whether the plan has been tested under conditions that resemble actual pressure. Who made decisions? What broke? What was confusing? What did management change afterward?
Untested confidence is just optimism with formatting.
This changes the board conversation
The board does not need to run technology. It needs to understand whether technology is helping the institution execute strategy without creating silent fragility.
That requires reporting that shows stress before failure.
Not panic.
Not drama.
Not a giant packet of operational noise.
Just enough signal for directors to ask better questions:
Where are customers getting stuck?
Where are employees compensating for weak systems?
Where are vendors meeting the contract but missing the business need?
Where are policies cleaner than actual behavior?
Where is ownership too slow?
That is the difference between technology reporting as decoration and technology reporting as governance.
Most boards already have enough green boxes.
What they need is a clearer view of the friction hiding underneath them.
Discussion questions
1. What technology metric in your board packet looks green but still creates operational pain? 2. Where are employees quietly compensating for a broken or half-working process? 3. Does your board receive enough early friction signals, or only late-stage failure signals?
Sources
- FFIEC, "Architecture, Infrastructure, and Operations Booklet," June 2021
- FFIEC, "Business Continuity Management Booklet," November 2019
- NIST, "The NIST Cybersecurity Framework 2.0," February 2024
- FDIC, "Third-Party Risk Management: A Guide for Community Banks," May 2024