Organizational, Educational & Cultural Aspects of Digital Risk Governance
Boardrooms continually face seemingly unending governance, disclosure, regulatory and legal challenges related to digital systems risk. This is exacerbated by the rapid adoption of AI, a digital technology that society is just beginning to grapple with and understand. AI is another, but much more powerful, digital tool being added to the digital tool arsenal which businesses must employ to compete. These tools have evolved rapidly from segmented IT functions into the central nervous systems controlling the most vital assets and systems in all sectors of the economy, both private and public, regardless of the nature or size of the enterprise. Highly sophisticated AI tools clearly magnify cyber-risk. In addition, they also introduce new, much more complicated risks which are perhaps more consequential than cyber-risk. Among the many examples are the introduction of biases, unintentional violation of laws and regulations, data exfiltration and erroneous decision making. The growing complexity and ever-changing, persistent nature of AI and cyber-risk is daunting, seemingly overwhelming, and hard to understand. Boards are on the defensive when dealing with digital systems oversight.
In addition, the rapid rise and technical complexity of risks associated with digital tools is widening governance gaps between the Board and risk managers. Digital risk transcends typical business risk. Defensive measures employed by risk experts, such as compliance, risk assessments, and enhanced disclosures, are all vitally important, but alone do not constitute acceptable governance. Unfortunately, they are often viewed as “check-the-box” solutions to complex problems and communicated in the boardroom using technical language which lacks the business context boards need and should demand. Despite this deficiency, however, board members often derive false comfort from accepting these measures as meeting their governance obligation. Instead, boards need to develop a contextual understanding of digital risk. This requires understanding the systems being governed and establishing systems-based digital risk frameworks, policies, and procedures to govern them. However, in recognition of the wide range of size and scope of various enterprises, ranging from large public companies tasked with SEC reporting to small private companies, this article is not intended to be prescriptive as to specific action items. Instead, it is intended to heighten awareness of organizational, educational, and cultural changes which may greatly enhance the management and governance of digital risk.
ORGANIZATION: Reorganize your Enterprise Risk and Digital Systems Management and Governance Structure
Stand up an enterprise risk management (ERM) and digital risk organization to fit the size of your enterprise. One size does not fit all. Smaller companies may engage a CISO-as-a-Service, while large organizations may employ a Chief Risk Officer (CRO), Chief Information Officer (CIO), Chief Information Security Officer (CISO), Business Information Security Officers (BISOs), etc.
- Given the magnitude and growing complexity of digital systems risk, consider establishing a “Chief Systems Officer” (CSO), or equivalent position, with responsibility and authority over all digital systems. The complexity of digital tools requires careful delegation of responsibilities, authorities, and access controls. The CSO must have:
  - Clear authority over IT, OT, legal, internal audit, compliance, finance, HR, etc. to the extent these functions impact enterprise-wide use of digital systems.
  - An independent reporting channel to executive leadership.
  - A role as peer to C-Suite executives.
- Establish an internal Digital Risk Committee (DRC) led by the CSO to include leaders of all functional areas of the enterprise. This committee will be tasked with managing digital risk and making recommendations to the board of directors.
- Establish a Chartered Risk Committee of the board with a mandate to oversee digital risk. Add digital systems expertise to the board. This committee would interact with the CSO and DRC on a periodic and “as needed” basis. Be mindful that a separate committee does not relieve the responsibility of the full board for risk oversight.
- Establish systems-based ERM and digital risk frameworks based upon DRC recommendations. These frameworks will evolve as digital systems evolve and as the education process within the enterprise matures.
EDUCATION: Learn to Contextualize Digital Risk as a Systemic Risk
- Digital risk is a form of systemic risk, which can only be dealt with through a contextual understanding of the underlying system and sub-systems. Without this, the application of risk protection and mitigation methods lacks context and can be both wasteful and suboptimal. All private and public enterprises can and should be defined within a systems context, i.e., “Enterprise-as-a-System” (EAS). EAS elements include assets, processes and the people who interact with one another both internally and externally. Some elements are more valuable than others.
- Develop governance over the EAS through a four-phase process:
  - Phase 1: Task the CSO and the DRC to produce a high-level business process map of the EAS for the board which identifies and describes system elements, their importance and how they interact with one another. Describe the digital threat landscape of the EAS. This should be presented in plain English, not technical jargon. Use outside advisors as necessary.
  - Phase 2: Conduct a more detailed Business Process Analysis, summarized for the board and detailed for the CSO team. This analysis breaks down the larger elements identified in Phase 1 into an array of smaller elements, thereby fostering a better understanding of the overall process defining the EAS. This leads to a better contextual understanding of the relative importance of your assets and enables better digital risk mitigation investment decisions.
  - Phase 3: With the benefit of the context established in Phases 1 and 2, conduct a Control/Framework analysis identifying, assessing, and determining the efficacy of digital risk mitigation tools and control activities. Redesign the EAS to reduce the threat landscape and improve control efficiency. Add or reduce the use of digital risk mitigation tools to produce optimal results. Develop a risk appetite defining the risks the enterprise is prepared to accept in pursuit of value.
  - Phase 4: The Board and CSO team now have a more complete picture of the digital risk posed to the EAS, expressed in language and terms understood by all. This picture should be reevaluated periodically, and episodically when changes are introduced such as new digital systems, changes to the business, M&A events, etc.
CULTURE: Stress the Importance of Shared Responsibility for Managing Digital Risk
- People are the most important component of the EAS. Organizational and educational steps outlined above will signal the importance of digital risk to the entire enterprise. Elevate the mitigation and control of digital risk from an IT function to a responsibility shared by all constituents.
- Develop an enterprise-wide training program with frequent, short training sessions which do not overburden employees.
- Communicate within your enterprise emerging threats to digital systems and actual incidents experienced by the enterprise.
- Market within your enterprise the importance of controlling digital risk and reward good behavior.
CONCLUSION:
Effective digital risk governance requires Boards to demand organizational changes necessary to manage and control complex digital systems, educational changes to develop a common contextual “systems” understanding amongst the board and risk experts, and cultural changes to imprint upon the organization the importance of a shared responsibility for managing digital risk. The scope of your organization’s changes is highly dependent on the human and financial resources available for digital risk management. It is a topic which deserves board attention. The alternative is to remain reactive with unknown consequences.
There are no “check-the-box” solutions for digital-risk governance. Without a contextual understanding of the Enterprise-as-a-System, digital-risk governance and mitigation is akin to throwing darts blindfolded.
ABOUT ROD HACKMAN
Mr. Hackman has extensive experience heading the cybersecurity oversight function of an NYSE company. His career has been dedicated to capital formation, M&A, corporate development, and the creation of shareholder value as an advisor and entrepreneur. Mr. Hackman is a former member of several public and private Boards of Directors and has served as lead director and as the head or member of all chartered committees. As a former Naval nuclear engineer, Mr. Hackman appreciates the importance of understanding, protecting, and building resilience into complex digital business ecosystems.