The Governance Institute of Australia has released a report highlighting how boards are currently tackling technology challenges, where (some) boards risk falling behind and how and why they can and should strengthen their approach. Our key takeaways are below.
- The starting point for the report is that digital transformation is no longer a 'nice to have' but an imperative and therefore should be a priority for every organisation. Moreover, the report argues that organisations should focus on strategic innovation in this context in order to maximise the potential benefits (rather than limiting their focus to modernising existing systems/processes).
- The report points to the fact that 21% of organisations do not have a digital transformation underway as cause for concern because it indicates that they are at risk of falling behind 'or even becoming obsolete'.
- The report identifies two key areas in need of sharper focus/attention;
- board technology skills: A standout issue identified in the report is that many boards currently lack the high level technology and digital skills needed to enable them to meaningfully engage with digital/cyber challenges/opportunities and that this has various negative knock-on consequences for organisations.;
- data management/protection: The report found that this appears to be an area that is currently not receiving due attention, despite the fact that 'overlooking data management could undermine a digital transformation'.; The report points to lack of director understanding/skills as a key reason why this is the case.;
- The Governance Institute has called on boards to prioritise board skills renewal to ensure every director has sufficient grounding to enable them to take part in/contribute to 'the conversations that matter' on technology;
Given the key role that technology now plays in the day to day running and ongoing success of every organisation, and in light of the rapid digital acceleration prompted by the COVID-19 pandemic, technology-related challenges and opportunities are an increasingly important and prominent focus area for boards.
In light of this, the Governance Institute of Australia together with Diligent, has released a report - Driving the Digital Revolution - A Guide for Boards - providing insights into the way in which boards are currently approaching technology-related challenges and where boards consider the greatest risks to be. The report also offers insights into where boards should consider sharpening their focus and the steps they could consider taking to strengthen their approach.
The report is based on insights from both an online Governance Institute member survey and on discussions with an expert digital working group. Our key takeaways from the report are below.
Digital transformation is an imperative not a 'nice to have'
The report takes as its starting point that 'no business can thrive - or survive - without fit-for-purpose technology' and accordingly, that all organisations should be engaged in 'digital transformation'.
Governance Institute Chair Pauline Vamos observes that fit for purpose technology is an essential enabler of business success, enabling both better and more informed planning/decision making and more effective risk oversight and management. 'Digital transformation is no longer a nice to have, and the risks of falling behind can be catastrophic for the organisation and thus destroy value. No board wants this' Ms Vamos states.
In light of this, the report points to the fact that not all organisations have commenced their digital transformation and not all organisations see the need to do so as cause for concern. According to the report:
- 21% of organisations not undertaking/planning to undertake digital transformation
- The most common reasons for this were that: a) it is not a priority/there are more pressing issues (40%) or b) that the organisation lacked the skills required to undertake such a transformation (25%).
Another area of concern flagged in the report is the fact that of the organisations that have commenced their digital transformation, the majority are focused on modernising existing systems and processes rather than also focussing on adaption/innovation. According to the report, only 33% of survey respondents indicated that their digital transformation involved strategic innovation/adaption.
The report argues that
'innovation should be central to an organisation’s digital strategy to ensure it creates a competitive edge. A narrow focus on digitising existing systems and processes is a missed opportunity'.
Addressing the board skills gap should be a priority
The report highlights that despite the importance of the issue, and despite the fact that almost all survey respondents (93%) consider their board should be involved in technology issues, there is not universal agreement on the need for board members to have high level technology skills. The report flags that 29% of survey respondents indicated that this is not important.
The report also highlights that some boards lack the necessary skills to be able to engage meaningfully in discussion of technology issues and importantly, to meaningfully engage in discussions around the risks/opportunities that technology presents.
For example the report found that:
- 34% of survey respondents consider their board is not dealing competently with the technology challenges facing their organisation. The most commonly nominated reason for this was that board members lack the necessary technology skills and education to do so (47%), or (on a related note) that board members lack the confidence to deal with technology issues (35%).
- Looking at the proportion of directors with high level technology skills represented on boards, 41% of respondents indicated that less than 25% of their board members have high level technology skills. Concerningly, 13% of respondents indicated that these skills are not represented at all on their board.
Again, the report flags this as a concern, noting that boards' unease with dealing with digital issues means that they are 'ill-equipped to probe digital strategy' and also more likely to adopt an overly risk-adverse approach, including with respect to cyber risk. Failure to engage with technology also puts organisations at a disadvantage when tackling social and other risks (as technology facilitates and enables effective monitoring/oversight as well as data-informed planning, and decision making).
The report observes that lack of understanding of technology issues can put organisations at a competitive disadvantage because the organisation is less likely/able to take advantage of the opportunities of digital/technology transformation.
Ian Oppermann (Chief Data Scientist for NSW and immediate past President of the Australian Computer Society) is quoted as commenting:
‘if your board director cannot participate in the conversation because they have no grounding whatsoever [in technology] then you’ve really lost access to a real asset. Or if they don’t feel confident participating because they don’t have that level of expertise, you’ve lost part of your collective…risk and responsibility taking [mindset].’
To be clear, the report does not argue that every director needs to be an technology/cyber expert, rather it suggests that individual directors need to upskill sufficiently to be able to engage with/contribute to the conversation and for the board as a whole to have the right mix of digital and technology skills represented to effectively discharge their oversight function.
Board skills renewal – key challenges
The report acknowledges that there is not standardised set of technology skills for directors and that this poses challenges. In terms of where to start, the report suggests that:
- undertaking an assessment of the current digital/technology skills represented on the board as part of the next board evaluation process and then offering training to directors that is tailored to their roles/responsibilities, and to the needs of the organisation may be helpful
- it's also suggested that boards consider appointing a special adviser to provide them with access to expertise on a particular technology/technical issue.
- finally, it's suggested that appointing 'digital natives' and more diverse board members could also assist in this over time.
Data management and protection has been overlooked by boards, but should be a priority
The report flags the fact that 46% of survey respondents rated the quality of data management/protection within their organisation as poor as an area of particular concern.
The report quotes Peter Deans (Non-executive director of RegTech Australia and former CRO, Bank of Queensland) as suggesting that this could be an indicator that organisations have prioritised/are prioritising cybersecurity and privacy risk as 'more pressing issues for the board' than data governance/protection.
The report argues that given the amount of data that has been/is being collected by companies, data governance/protection is not a risk that boards can afford to ignore. Again, the lack of skills at board level is highlighted as a key issue in this context as is, the related issue of underinvestment (by some companies) in data governance.
Some organisations already appear to be increasing their focus on the issue
The report highlights that most organisations (76%) have plans in place to strengthen their data management and protection. The most common steps being taken by organisations to ensure data and AI is used ethically are: 1) that training is provided to staff and 2) that there is a high level of transparency and accountability around data management processes.
Insights into how organisations are currently approaching technology challenges
- Most organisations understand the need to develop and implement a digital transformation: As flagged above, the report found that the majority of organisations are already undertaking/planning to undertake digital transformation (79%). The report suggests that the high proportion of organisations already taking action 'highlights the risk of falling behind or even becoming obsolete for organisations that haven't yet embraced technology'.
- Driving the digital transformation: 66% of survey respondents reported that the CEO/senior management are driving the digital transformation within their organisation with most boards receiving reports at every board meeting (40% of respondents reported that the this was the case within their organisation) or quarterly (36% of respondents indicated that this was the case).
- Views on optimal governance arrangements:
- Most survey respondents (47%) consider that the optimal board and committee structure for dealing with technology risk is to include it as part of the responsibilities of an existing audit and risk committee. Only 18% consider that there should be a separate board-level technology committee.
- The report suggests that going forward, given the scope of the issue, organisations may wish to consider establishing a separate technology committee to oversee digital strategy and/or digital transformation plans and potentially monitor the involvement of third parties.
- Key Technology Risks:
- The top three technology related issues currently facing organisations (as nominated by survey respondents) were: 1) risk of cyber attack (62%); 2) data governance challenges (49%); and 3) staff technology skills/knowledge (48%). Interestingly, respondents nominated these same threats when asked for their views on the top technology threats facing organisations in 2030. Commenting on this, the report suggests that the response: 'reflects the enormity, unpredictability and rapidly evolving nature of this area of risk and how vulnerable directors feel in the face of a threat that is so far out of their comfort zone'.
- Coming back to looking at immediate threats, ransomware, hybrid working and automation and adapting to crises (eg international conflict, pandemic events) all ranked as lesser issues. The report calls out the fact that directors appear to be underestimating the importance of ransomware attacks as an area of concern suggesting that 'governance professionals should educate their board on the significant damage ransomware attack can do to a company, in some cases leaving it unable to recover'.
- Only 7% of survey respondents nominated climate-related risks such as technology connectivity being impacted by extreme weather events as a key threat (though this issue is expected to grow in importance looking ahead to 2030).
- What organisations are doing to respond to these risks:
- Financial investment in technology is the most common action being taken in response to the risk identified. According to the report: 64% of survey respondents indicated that their organisation is increasing its investment in the organisation's technology framework or assets.
- Organisations are also investing in training – over 40% of survey respondents indicated that that their organisation has increased technology focussed staff training.
[Sources: Governance Institute of Australia media release 16/08/2022; Survey 'snapshot'; Full text report: Driving the Digital Revolution – A Guide for Boards]