Boards Through the Looking Glass
By Julie Garland McLellan, AltoPartners Australia
Does your board have a firm grasp on your company’s data and technology strategies?
Over the years, boards have developed skills in financial and operational oversight, and the practices that allow good governance of finance and operations are well known, firmly regulated, and expected by directors. Boards receive reports from the CEO and CFO. They spend time with these individuals and get to know them. They conduct financial and operational due diligence that allows directors to be confident that they know how much money the organisation has and where it is. They expect to know where the company’s operations are located, what risks they entail, what prospects they hold, and how well they perform.
Move from operations and finance to data and technology and the picture is far less clear.
Few boards are confident that they have established processes to deliver good governance of these aspects of their companies’ performance. Directors rarely spend time with the Chief Data Officer or Chief Technology Officer, and directors would not say that they knew these people well or had clear expectations about how they would perform and be measured. Many directors cannot put a name to the people performing these roles in their organisations.
Reports on data and technology are not yet standardised, and directors are often confused by jargon, unable to understand the measures of success that are used or the activities that are being undertaken. Ask most directors where the most important data in their organisation is stored, and they will probably mention the financial system. Ask them where the system is located, how the data is protected, who can access it, and how they know that the clouds in which it is stored will neither burst, allowing unauthorised access to the data, nor float away, preventing necessary access to the data, and directors will often be stumped for an answer.
Move from the finance system to other data systems, such as the email service, HR records, customer, client, or supplier information, etc., and the situation appears increasingly uncontrolled. Few boards receive meaningful independent assurance that this data is safely held, let alone that it is being responsibly used to create value. Many have no process in place for safely disposing of out-of-date information or checking that data remains accurate and current.
Move from data to technology and the landscape is even more threatening. Directors are exhorted to be across technological developments and able to add value to the strategies of the organisations that they govern. They are also expected to be fit and proper persons with a track record of success that is diametrically at odds with being alert and connected persons with knowledge of fast-changing new technologies (many of which will disappear without a trace after chewing through significant sums of investment capital).
Worse, when boards attempt to inform themselves, they are often pushed towards ‘solutions’. Boards need an information and intelligence system – not a set of platforms. An information system should allow directors to know what information is held, how it is used, who is using it, and how it is protected from unauthorised access or use.
New legislation has been introduced and adopted in Australia (such as the Notifiable Data Breaches Act 2017 and the APRA Prudential Standard CPS 234). Yet more than half (55%) of Australian organisations have no cyber security governance in place, according to the ‘Security In Depth’ survey of 1,894 businesses. 38% of Australian businesses did not provide any cyber awareness training to staff, despite 71% of breaches being the result of human error (90% of those beginning with an email).
The survey – claimed to be the largest, most comprehensive cyber research project undertaken in Australia – found 63% of companies were unaware of how to respond to a cyber incident. The majority (84%) were found to “blindly trust third parties” with data and didn’t seek assurances around the security of cloud-based storage.
SO WHAT CAN A BOARD DO?
First, take stock of the situation. Task management to perform, and report upon, a data audit that identifies what information is held, where, for how long, and for what purpose. Next, consider the strategy of the organisation and the data required to effectively implement that strategy. Ask management to draw up a spreadsheet of what data is required for each strategic aim and how that data is quality assured and protected. In tandem, organise staff training from a reputable provider and ensure that internal audit (or the external auditor, as an additional service to the statutory audit) follows up to verify that recommended practices are really practised.
Finally, have a look at the board skills matrix and succession plan. Ask seriously whether there is any possibility of training existing board members, or whether data and technology oversight should be added to the list of required skills when recruiting new directors.
You wouldn’t allow a board to disregard the company’s financial assets. Why allow them to fail in their duty to safeguard the digital and technology assets that are essential for financial success?