Cyber security: just part of the wider digital governance agenda
Cyber security is a strategic issue that goes to the heart of whether an organisation will prosper in today’s complex and uncertain world. Accountability for it should lie with organisational leaders.
But the risks from digital technology go well beyond cyber security. Technology has implications for human resources, operational efficiency and organisational reputation. There is a need for formal corporate governance structures to manage risks which include risks of omission as well as incidents.
In his new book on digital corporate governance, Jeremy Swinfen Green, Head of Consulting at TEISS, argues that corporate leadership needs to take technology as seriously as they take capital, talent and reputation.
Digital governance involves the creation and monitoring of policies for investments in, and use of, digital technology across an organisation. The increasing power of computers combined with lower prices means that digital technology is now ubiquitous. As well as providing the communication and data processing traditionally managed by IT departments, digital technology has an impact on the way people work, the efficiency of factories, the ability to sell to consumers, and the strategic management of organisations.
Ultimately it is concerned with the long-term strategic issue of how organisations can thrive during a time of rapid technological change.
With this extended impact come extended risks and ever-growing opportunities. Digital technology is now far too important to be governed by one element of an organisation. It is a strategic issue that needs to be addressed at the very highest level, by the leaders of organisations.
In this extract from Digital Governance (Routledge, 2020), Jeremy Swinfen Green, with his co-author Steve Daniels, argues for a new technology manifesto. Set out clearly in the book, the manifesto requires that the boards of organisations take responsibility for setting the digital technology agenda, identifying the opportunities it brings and ensuring the risks are appropriately managed. It is only the board, with their viewpoint extending across the whole organisation that can do this effectively.
Digital Transformation by Jeremy Swinfen Green and Steve Daniels will be published in January 2020. It is available to pre-order here.
A digital governance manifesto
We live in turbulent times. The scale and nature of emerging risks around the use of digital technology in businesses and other organisations, including privacy, security and mental wellbeing, represent a real threat to organisational survival, let alone success.
At the same time, public expectations are on the increase, often out of line with what is possible for organisations to deliver. And alongside these expectations, new regulatory and legislative obligations are also emerging.
In addition, there is a growing perception that the leaders of many organisations have failed to make the grade in terms of governance. Shareholder revolts which have become increasingly common are a symptom of this, often triggered by perceived or actual under-performance.
Why is this is happening? We believe it is because we are living through a digital revolution that has been progressing at a break-neck pace for the last 20 years, a revolution that sometimes seems as if it is leaderless, rudderless and out of control.
This revolution is being driven by a number of new realities. Computers are ever-cheaper with more processing power. Machines continue to shrink making them easier to embed in other machines. The interfaces between computers and human are becoming more effective, meaning that some computers can actually be considered for physical embedding in people. Software development costs are falling, facilitating innovation. And enhanced sensors and extensive connectivity provide improved data collection, sharing, access and tracking.
A common and widespread reaction of many leaders to this seems to be to treat digital activities as either a veneer on the traditional organisation, or a side issue to be delegated to an IT director or some sort of stand-alone element of the organisation such as a digital division.
This treatment is then used to justify limited engagement with digital technology at board level, and to validate a perception that there is little or no need for the board to learn new skills to manage it.
We believe this attitude to be a critical mistake. Digital technology is of fundamental strategic importance to any organisation. And so it follows that digital governance is also of fundamental importance to the organisation – and to its leaders.
This is the manifesto that we outline in this book: that governing bodies must engage closely with digital technology and treat it as a central to their governance activities, just as they treat issues such as cash flow, talent management, and corporate reputation.
We hope that people who are part of the governing bodies of large and small organisations, and the people who work closely with them, will find this a useful book. Our aim is to explain what digital technology means for organisations, and to describe how it needs to be governed by the leaders of organisations.
Understanding how digital technology should be governed is no easy task, however. For a start there are many digital untruths that cloud judgements and decision making. You will probably have heard, and may even have believed, a number of widely accepted statements such as:
- Everyone shops on-line these days (even if this were true, which it isn’t, 80% of UK retail is still off-line and the figure for the USA is nearer 90%)
- No one watches TV anymore (UK adults watch 3 hours and 20 minutes of television a day on a TV set and even 18 to 34 year olds watch over 2 hours a day on average, a third of which is online e.g. Netflix and BBC iPlayer )
- Direct mail doesn’t work anymore (The return on direct mail is still an average of £3.22 for every £1 spent)
- You don’t need anti-virus software on an Apple computer (Apple admitted that its devices are not immune from malicious software back in 2012)
- Everyone has a smart phone these days (Not quite, around 20% of people in the UK and 45% of people in Japan don’t own a smartphone although globally the figure is nearer 60%)
Even if you avoid believing untruths, deriving an appropriate strategy and framework for digital governance is by no means an easy thing to do. There are numerous considerations, often conflicting. Trade-offs will undoubtedly be the order of the day and collaborations, for instance within trade associations or value chains, will be key – even if that means you are sitting down with the enemy.
Hard decisions will be needed. How can we decide between what it is possible to do and what is worthwhile doing? Should we be at the bleeding edge of technology or should we be followers? Should we follow a stepped approach to digital transformation or do we need a big bang? Should we be loud and proud about digital investments (which might go wrong) or quiet and reserved? The list is a long one.
Certainly, the only things about digital governance that there’s agreement on are: that there’s no “one size fits all” answer; that best practice is still being identified and codified in standards; and that there’s a dearth of success stories out there.
The scope of digital governance
All organisations use digital technology to communicate with their stakeholders, to manage and transfer money, and to enable their operational processes. Technology underpins the money and people in organisations. It needs to be a key focus of organisational leaders and of top management reporting on its executive activity to the governing body.
The ICAEW defines corporate governance as follows: “Corporate governance is about what the board of a company does and how it sets the values of the company, and it is to be distinguished from the day to day operational management of the company by full-time executives.” This definition neatly summarises the split of responsibilities and validates that digital governance is therefore merely one element of corporate governance – but an ever more fundamentally important one.
It should be noted though that digital governance and IT governance are not the same. IT governance can be defined as the processes that ensure the effective and efficient use of IT in enabling an organisation to achieve its goals. It is very much the responsibility of the people who head up the IT function in organisations and its concerns are often short term.
Digital governance is wider than this. Yes, it encompasses IT and the processing of data and information. But it is also concerned with the way that data can be used to make strategic decisions. It is concerned with the way that people’s work and home lives are affected by the way they use digital technology during work hours. It is concerned with the way that factory machines can be designed and maintained with the help of digital technology such as augmented reality and digital twins. Ultimately it is concerned with the long-term strategic issue of how organisations can thrive during a time of rapid technological change.
As with corporate governance more generally, digital governance requires that we consider a number of elements when thinking about how digital governance needs to be established:
- Corporate objectives and values: Governance starts with the mission, values and goals of the organisation and how they are achieved. In the case of digital governance, there is a need to understand how the use of existing or emerging technology by the organisation or other organisations can enable or hinder the mission, values and goals
- The organisational context. There are many internal and external issues that will affect the ways that an organisation can use, or will be affected by, digital technology. These will include the policies and processes that define how the organisation operates, for instance decisions that have been made about automating a factory and the consequent effect this has had on employees, profitability and competitiveness
- Stakeholders. The principal stakeholders of any organisation are its owners but there are other stakeholders who should be considered by the board including employees, customers, regulators, suppliers, competitors and society in general.
- The market. Proper governance must consider the markets that an organisation operates in (or could operate in) and how the individuals (human or organisational) who make up those markets are, or could be, affected by technology. This then means considering where digital technology is headed as well as maintaining an awareness of the actions and intentions of any competitors just as much as your own plans.
- Compliance requirements. Any legislation (such as the Equalities Act 2010 or the Data Protection Act 2018), regulations (such as the UK advertising codes laid down by the Advertising Standards Authority) and standards (such as ISO 9001, the Quality Management standard and ISO27001, the information security standard) that the organisation has to, or chooses to, abide by.
- The board. It is important for any board to have unbiased self-knowledge about how effective they are in terms of digital governance. Their knowledge of technology, the way they behave around it, and their opinions about its importance and potential will not only influence the culture of the wider organisation but also the ability of the board to ensure appropriate digital governance. To be kept honest and not to become complacent, governing bodies really ought to obtain independent, 3rd party, feedback on the effectiveness of their digital governance. At least one major UK bank has obtained this, within a wider feedback and input process, via a Technology Advisory board, reporting to the Chief Technology Officer who sits on the bank’s board
Despite the fact that all organisations of any size are completely reliant on digital technology, only 5% of non-technology companies have digital expertise on their board. Given its strategic importance, a failure to govern digital technology will inevitably put an organisation at risk.
Even for a business trading in the physical world, one making car parts for instance or packing food, digital technology is an essential component of operations. And that’s because digital technology enables the collecting, sharing and using of data and information – organisational assets that are just as important as raw materials, machinery and people. That information can very quickly become valuable intellectual copyright in its own right.
These assets can be found everywhere in any organisation and they affect the ability of every part of an organisation to perform well. For instance:
- Digital technology (obviously) underpins any digital transformation initiatives
- Many regulations, including those relating to privacy, human resources, safety at work, finance and marketing involve the way organisations can, or must, use information
- The analysis of data and information, increasingly powerful with the use of artificial intelligence and other software tools, enables effective strategic plans to be developed and followed
- Customer trust (or distrust) is closely linked to the way that the digital technology used protects (or otherwise) privacy, prevents fraud, enables good customer service and projects (or not) a positive organisation reputation
- The ability to deal with third party organisations around the world, including suppliers and other business partners, is also closely linked to the way that digital technology allows communication and interconnectedness
- Effective technology including good cyber security allows organisations to take risks that otherwise they would be unable to consider
- Digital technology affects the skills that organisations need from their workforce, as well as enabling employees to share knowledge and grow skills
Overall good digital governance is associated with better business results. But it isn’t easy to achieve. And that’s why it must be handled as a strategic issue, appropriate for board-level consideration.
The role of the governing body
Digital governance starts and ends with the board of the organisation. It is these organisational leaders who must set the direction of their organisation’s relationship with digital technology for others to execute – how they make decisions about its use, and how the organisation reacts to the change (and, sometimes, chaos) that technological developments can bring.
What does this mean in practice? Leaders will set the direction by identifying and communicating three things:
- The goals of the organisation’s investment in digital technology. For instance, are there opportunities to differentiate their organisation through technology? Should technology be used to secure the organisation’s IP? Can efficiency be increased, or costs reduced, through technology? In short, what are the strategic opportunities that technology brings now and in the near-to-medium future?
- The degree of prudence that the organisation should have when investing in and using technology. How much risk are they willing to accept when using and investing in technology? How much capital and revenue are they prepared to invest in it? Cyber security is an obvious area of consideration but as we shall see there are many others.
- The ethical stance the organisation should take when considering technology. In particular, they must decide what uses of digital technology they feel are inappropriate for their organisation from an ethical (and reputational) standpoint. How they treat the privacy of their customers is one important area and how they treat their employees is another. The UN’s Sustainable Development Goals make a useful framework here.
Setting the direction is only part of the task of organisational leaders though. They also have to see that the direction they have set is followed and they then need to act upon the results.
It is therefore helpful to think about the board’s role as having three main areas: Accountability; Direction; and Control. In each of these areas you will be working with your top management to (1) acknowledge your ultimate accountability, (2) set the direction you want followed, (3) ensure the implementation of appropriate controls, and (4) accept your accountability again for the success or otherwise of the collective leadership given.
While it is not appropriate for board members to become involved in day to day managerial matters, especially the details of digital technologies, they may from time to time be called on to support the Chief Executive to intervene with management and influential stakeholders including important suppliers and others for instance regulatory authorities, if the organisation is performing poorly or being obstructed in a particular area.
They should also set the rules around the sort of decisions that the board, rather than top management, should take. For instance, certain investments in technology such as a new customer database or the automation of factory processes may be some of the largest an organisation may make and it is therefore entirely appropriate for the board to be closely involved and to take the final decision whether to adopt and to declare the limitations of any decision to do so.
Digital Transformation by Jeremy Swinfen Green and Steve Daniels will be published in January 2020. It is available to pre-order here. The contents are as follows:
Chapter 1. Introducing digital governance
Chapter 2. Digital governance strategy
Chapter 3. Managing rapid change in a digital world
Chapter 4. Digitising internal operations
Chapter 5. Transforming products and services
Chapter 6. Digital marketing and sales
Chapter 7. Thinking digital in mergers, acquisitions and venturing
Chapter 8. Digital technology in accounting and financial management
Chapter 9. Human resources in a digital age
Chapter 10. Assuring digital compliance
Chapter 11. Information and cyber security
Chapter 12. Delivering digital privacy
Chapter 13. Think digital resilience
Chapter 14. Emerging digital technologies