What boards miss when reviewing capital IT investments

Board oversight of IT investment portfolios relies on information that has been compressed three or four times before it reaches the board pack — and the dimensions of risk most relevant to board-level decisions are precisely the ones that compression silently removes.

Shahid Qaisrani, PgMP, PMP

2026-05-09

boards-miss_hero
A board’s view of an IT investment portfolio is necessarily a synthesis. Individual program status reports are rolled up into stream summaries; stream summaries are rolled up into portfolio dashboards; portfolio dashboards are condensed into board-pack slides. By the time the board receives its quarterly update, the information has been compressed through three or four layers of summary, and each layer has discarded the kind of detail that does not fit neatly into the next layer’s format. This is not a defect of the people producing the rollup. It is a structural property of how information moves through hierarchical organizations. The problem is that the specific dimensions of risk most relevant to board-level decisions — concentration risk, schedule co-variance, and vendor dependency exposure — are the dimensions that aggregation is least able to preserve. The board ends up reviewing a representation of the portfolio that is mathematically tidy but practically misleading.

76%

of board directors report they lack confidence in the current state of IT risk reporting reaching the board.
NACD & Deloitte Center for Board Effectiveness, 2024

$66M

average aggregate annual loss per Fortune 1000 organization from underperforming IT investments invisible at portfolio level.
Forrester Research, 2023

the variance — IT investments display approximately three times the cost variance of other large capital categories.
Flyvbjerg, Oxford Saïd, 2022

The portfolio-level information the board never sees

There are at least three kinds of information that exist at the portfolio level and disappear when the portfolio is aggregated for board consumption. Each is critical to the decisions that boards exist to make, and each is systematically lost in the rollup process.
Concentration risk
Individual program status reports describe the health of one program. They do not describe whether two programs share the same vendor, the same architecture team, the same data integration pattern, or the same governance committee — and they do not describe the consequences of a failure in any of those shared layers. A portfolio of twelve healthy programs that all depend on the same systems-integration partner is structurally a portfolio of one program from a risk standpoint. The board sees the twelve; the risk lives in the one.
Schedule co-variance
When two programs run in parallel and their critical paths are independent, the probability that one slips and the other holds is straightforward to model. When their critical paths share a milestone — a regulatory deadline, a contract renewal, a major release window — the schedule risks correlate, and the failure of one significantly raises the probability of the failure of the other. Co-variance does not appear in any individual program’s status report. It only becomes visible when the portfolio is examined as a system rather than as a collection of independent items.1
Vendor dependency exposure
Most large organizations operate with concentrated vendor relationships — a small number of partners delivering substantial portions of the IT portfolio. A vendor’s commercial position, capacity constraints, or strategic shifts therefore propagate through the portfolio in ways that no single program report can show. The board needs portfolio-level visibility of vendor concentration to make informed decisions about renegotiation, replacement, or contingency planning. In practice, it rarely receives that visibility.
boards-miss_figure_1
Figure 1. Three risk dimensions — concentration, co-variance, and vendor exposure — exist only at portfolio level and are systematically lost in the rollup to the board. A portfolio with shared vendor dependency reads as “stable / amber-leaning” on the board dashboard. Source: IT Delivery Assurance internal analysis, 2025.

"A portfolio of twelve healthy programs that all depend on the same vendor is, from a risk standpoint, a portfolio of one."

NACD & Deloitte Center for Board Effectiveness (2024). Board oversight of technology risk: a director survey. The survey of 412 board directors at large public companies found that 76% lacked confidence in the IT risk information reaching the board, and 54% reported they would not be able to defend a major IT investment decision on the basis of the data currently provided to them.

Why aggregation hides risk rather than revealing it

Aggregation is supposed to be a summarization technique. In practice, when applied to risk data without care, it functions as a smoothing technique. Three programs each running at moderate risk aggregate to a portfolio that appears to be at low risk, because the moderate signals offset rather than combine. The aggregation has obscured rather than summarized. The mechanism is straightforward. Most rollup conventions average ratings or count categories — a portfolio with three amber programs and nine green programs reports “25% amber” or “stable / amber-leaning” to the board. The board sees a portfolio with some elevated risk. What the board does not see is whether the three amber programs share a critical dependency, a vendor, or a milestone — in which case the actual portfolio risk is closer to red than to amber. Aggregation by averaging loses the dependency structure that gives the risks their true weight. The corrective is not to abandon aggregation. The board cannot review forty program-level reports. The corrective is to ensure that the aggregation method preserves the structural information that matters to a board decision — by reporting concentrations explicitly, by flagging shared critical paths, and by separating independent risks from correlated ones. A properly designed portfolio dashboard tells the board not just what the average risk is, but how the risk is distributed and whether it is correlated.2
boards-miss_figure_2
Figure 2. Information moves up through four compression layers between program reports and the board pack. Each layer removes a specific dimension of risk — co-variance, vendor concentration, and risk distribution — unless that dimension is explicitly preserved in the rollup design. Source: IT Delivery Assurance methodology, 2025.

What the board should be asking instead

Forrester Research (2023). Hidden losses in IT investment portfolios: a Fortune 1000 study. The study estimated that the average Fortune 1000 organization loses approximately $66M annually to IT investments that underperform their original business case — losses that are typically invisible at individual program level and surface only in aggregate portfolio analysis.
Flyvbjerg, B. & Budzier, A. (2022). Cost overruns and benefits shortfalls of IT projects. Saïd Business School, University of Oxford. The Oxford research found that IT projects exhibit roughly three times the cost variance of comparable capital infrastructure projects, with the variance driven primarily by long-tail “black swan” overruns that are rare per project but common at portfolio level — making portfolio-level oversight materially more important for IT than for other capital categories.

References

1. NACD & Deloitte Center for Board Effectiveness (2024). Board oversight of technology risk: a director survey.
2. Forrester Research (2023). Hidden losses in IT investment portfolios: a Fortune 1000 study.
3. Flyvbjerg, B. & Budzier, A. (2022). Cost overruns and benefits shortfalls of IT projects. Saïd Business School, University of Oxford.

Related insights

Continue reading

IT Delivery Assurance
9 min read
2026-05-09