Governance in the digital age – Julia Graham

29 November 2016

The explosion of business opportunities opening up as a result of the digital revolution is on a different scale to any development in living memory. This is not news: businesses are fully aware and are rightly investing in the resources to turn opportunity into a competitive edge. Julia Graham, deputy CEO, Airmic, reports.

Along with any business opportunity comes business risk, and unfortunately the risks related to the digital age are as large and complex as the opportunities. The careless use of just one portable device can expose huge amounts of sensitive data that have the potential to create severe financial consequences – reputations built over years can be destroyed in minutes.

The temptation with emerging trends is to focus on the opportunities more than the risks, but successfully embracing the digital age means tackling the risks head on. This is by no means a simple task, but creating a robust digital governance structure is a good place to start.

Governance may be a less glamorous boardroom topic than innovation, but businesses that lead the way in digital governance will profit in the long term.

Digital is an enterprise-wide risk

Why should digital risk be treated differently to any other risk? Quite simply, because the scale and pace of change is exponential, and will become embedded in everything a business does. Science fiction is becoming science fact – everything that used to be dumb and disconnected is now wired and connected. Digital scenarios give rise to new economic and management trends, and challenges for organisations, disrupting how they compete and create value in ways that will increasingly alter current business models. These scenarios are creating risks with different profiles.

Digital risk isn’t a stand-alone problem that can be neatly categorised. Instead, it creates a different business context and will become a dimension of almost all risks as well as opportunities.

Simply expanding the portfolio of the existing IT security team to all digital risk is not viable or advisable. Digital risk requires an enterprise-wide approach to managing it – an approach that breaks down organisational silos. Only in this way can the potential for aggregation and interdependencies of cyber-risk inside and outside the business be identified, assessed and treated.

Digital governance gap

Ownership for digital risk has to come from the top of the business – this is true for all ‘principal risks’ (to use the language of the FRC Code) and is imperative for ‘digital’. Boardroom acceptance and delivery of responsibility for digital risk among UK companies is certainly moving in the right direction; for example, there was a 56% rise in boardroom ownership of these risks, according to a Marsh study conducted this year.

This is encouraging, but there is a long way to go. Despite the level of board confidence reported, two thirds of UK boards admit that they have not set and understood their company’s appetite for digital risk, and only 16% have a very clear understanding of where their company’s key information and data assets are stored with third parties.

Perhaps the most startling statistic is that, according to Marsh, the majority of companies are still failing to estimate the financial impact of an attack on their systems and data.

Does this point towards a ‘digital governance gap’ where boards tick the digital-governance box yet do so without the necessary level of digital knowledge?

The digital risk officer

Even today, digital topics are often left to those who best understand them as there is an inherent fear of the unknown. Nobody likes to appear ignorant, especially when questions about technology are raised – it is too easy to look the other way and expect those in the technology team to field the answers.

Effective enterprise-wide digital risk management demands a degree of upskilling knowledge in the organisation. The board, the CEO and CFO must knowingly govern not unknowingly assume.

This may require a culture shift in many organisations and, indeed, we are already seeing changes in management structures across UK businesses. At the end of the 1990s, the role of the CIO was ebbing out of fashion, typically becoming a junior managerial role. Organisations today are hungrier for knowledge about data and digitalisation, and, as a result, we’ve seen the number of CIOs with more senior reporting lines increase in recent years.

However, CIOs are not necessarily equipped for the needs of tomorrow. Digital transformation requires enterprise-wide leadership, not just technical expertise.

We are therefore also seeing the emergence of the digital risk officer (DRO). According to Gartner, a third of large organisations engaging in digital business models and activities will have a DRO or equivalent by the end of 2017.

The role of DRO will be very different to that of a CIO. They will report to a senior executive role outside of IT, and they will steer the management of digital risk at an executive level across business units, working with peers in legal, compliance, human resources, risk and other areas of the business.

The DRO role will be designed to give executive management a view of their digital risk from an expert not involved in the day-to-day management of digital-related activities. They will influence governance, oversight and decision-making related to the digital business, and, perhaps most importantly, bridge the knowledge, experience and risk-culture gap perceived between IT and non-IT decision-makers.

Crisis management

Security experts agree that even the most resilient companies with the best digital governance structures will at some point encounter a crisis. It is ultimately the responsibility of the board to ensure that their organisation is crisis-fit and prepared to face a crisis most likely when (not if) this happens.

Given the array of important issues that are competing for the board’s attention, advance crisis planning is often not a priority. Given the potential consequences of a mismanaged crisis, a well-planned response to a crisis is a low-cost, high-reward endeavour.

Two thirds of UK boards admit that they have not set and understood their company’s appetite for digital risk.

In particular, they need to ensure that their organisation has the resources and relationships not only to respond rapidly and appropriately to what is clearly a disaster, but also to react to small changes that could be slow-burning issues that ultimately develop into a disaster.

The basics of good practice for digital crisis management do not differ from that of any crisis management. The crisis team must be small and carefully selected, with an optimum size of between six and ten (with alternates) populated only by people who really need to be involved. This enables agile decision-making and reduces the risk of confidentiality breaches.

It needs a strong but consultative leader: not necessarily the CEO and rarely the subject expert, but someone with the right qualities to make decisions under pressure and who is one step removed from the source of the crisis. The CEO might be a crisis-team player, but their key role remains running ‘business as usual’.

For digital-related incidents, having an enterprise-wide crisis management team is all the more important given the penetration of the digital world. Reputation management should be considered in any crisis, but it should be of utmost importance for digital risks given the speed with which the event can unfold and the sensitivity regarding the mishandling of data.

It is important to remember that an appropriate and effective response to a crisis can serve to enhance the reputation of an organisation. A crisis is not always a disaster but mismanaging it is. Mishandling can quickly damage a reputation that has taken years to build.

Finally, the crisis-management team must be trained and rehearsed against multiple scenarios. Test your plans and procedures against a range of scenarios, and be clear about what worked and what didn’t.

Are you really insured?

The last resort in a crisis is of course insurance. Cyberinsurance is still an emerging area of underwriting, and while the insurance industry is working hard to develop relevant solutions, offering meaningful and affordable cover for intangible assets is riddled with challenges. As a result, demand for cyberinsurance is currently outstripping supply.

Cyberinsurance could still play an important role in an organisation’s digital risk strategy, but it is vital that boards are clear about what risks they face, what cover they already have and what additional cover they might want – and, importantly, what they choose not to cover. Senior executives tend to overestimate the extent to which they are insured. It is striking that a survey by Marsh revealed that 52% of CEOs believe they are covered for cyberincidences, whereas fewer than 10% actually are.

Part of the problem is that despite the fact that insurance contracts can provide protection worth potentially hundreds of millions of pounds, insurance rarely receives board-level attention and scrutiny: many company directors have little understanding of their company’s insurance requirements other than those that concern professional liabilities.

All too often, insurance is viewed simply as a necessary cost overhead without much consideration of its scope or effectiveness – it is assumed that policies will pay out as and when needed. Come the day of a big insurance claim, board-level attention is then high but potentially too late.

Unfortunately, while most insurance policies pay out most of the time as expected, board complacency can be costly.

What can companies do? Ask your risk and insurance experts to develop scenarios to test your digital risk and insurance response, including directors’ and officers’ liabilities, against a range of digital incidents to flush out any gaps in risk knowledge or insurance cover. It might be that there is suitable additional cover to current policies or new policies are available to plug the gap. Alternatively, where cover is unavailable, one should focus the spotlight on managing the uninsurable risks. Too many organisations discover the gaps in cover the hard way – when a claim is declined.

As a footnote, companies should check out what ‘value-added’ benefits from cyberinsurance policies might be available. Most insurers offer a range of benefits including immediate 24/7 access through one ‘emergency services number’ to data breach specialists, lawyers, forensic accountants and media consultants. When stress levels are running high, knowing that a specialist team is on hand to support the business can be a great comfort. But check out how these emergency services might operate (or not) with those you already have.

Take responsibility

Ensuring your business has the right framework in place to deal with digital risks is not about inhibiting business opportunities – quite the opposite. When implemented well, an informed and carefully thought out digital governance structure, in tune with the wider governance structure and language of the business, should give senior management the confidence to seize these opportunities with both hands.

Indeed, a consistent, unified approach to digital risk at the enterprise level has the potential to deliver cost efficiencies and greater risk assurance for business processes than the fragmented approach currently in place in many organisations.

The pace of change as we move towards a digital world will be exponential and will seem daunting. But what is clear is that digital governance has to become part of the DNA of any company that wants to be resilient and successful in the digital world.

Julia Graham is the deputy CEO of Airmic, the UK association of risk and insurance professionals.