Boards of directors are under increasing pressure to be fully responsible for the risks undertaken by their organisations. Electronic commerce applications, especially business-to-business, generate risk across a broad spectrum. Australian standards exist for information security management and risk management but they may be inadequate to meet the increased challenges of electronic commerce and the increasing accountability of boards. This paper reports on the first stage of a study that will test the adequacy of existing Australian standards, and develop monitoring tools and business processes that will enhance security and assess risks. Board members have been interviewed to develop a set of constructs that describe their risk governance of electronic commerce projects.