Simon Berglund, Snr Vice President & General Manager, Asia Pacific, Diligent, on the part CIOs can play in balancing data and compliance.
Boardrooms are under more pressure than ever before.
Facing greater scrutiny, they are expected to be ever-more transparent about their operations and appease wider varieties of stakeholders and shareholders alike.
They are tasked with overseeing a growing range of risks, from cybersecurity to regulatory compliance and environmental, social and corporate governance (ESG), as well as decisions about the organisation’s technology stack.
Overwhelmed with data, boards are also falling behind on data literacy at a time when compliance risks are increasing and expanding.
Ever since the compliance risk management reviews of the four major banks in late 2019, and the backlash that followed them, Australian Prudential Regulation Authority supervisors have increased their focus on how entities across all industries manage compliance risk.
The changes and scrutiny will not let up anytime soon, with upcoming recommendations to change the Privacy Act 1988 and the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 also due to shake up compliance risk perimeters.
Most jurisdictions are also rapidly advancing their expectations in the areas of ESG, Cybersecurity and AI.
A recent survey conducted by Diligent found there is no shortage of data in the global boardroom with 92% of directors, senior leaders and company secretaries surveyed claiming that access to data and business intelligence tools in the boardroom has increased dramatically over the past five years.
Herein lies the problem for many boardrooms, of all different shapes, sizes and maturity levels.
While trying to distil and interpret data, it can be challenging to identify the right kinds of data to inform actions and then proactively use data in a way that improves outcomes.
CIOs and other members of the senior leadership team can and should play a big role in supporting and facilitating data-led decision making in the boardroom. The payoff for technology teams in encouraging adoption of data analytics at boardroom level is huge, because it gives them a demonstrable way of showing where boardroom backing, budget and resourcing are needed across the full gamut of IT needs.
What’s more, getting board backing for a data culture in an organisation is the best means for an IT leader to drive change from within. So many corporate decisions and aspects of compliance, both from a personnel and operational perspective, are championed from the top-down.
As a CIO, by encouraging your board to adopt a more sophisticated data culture – one where reporting provides tailored insights, as opposed to the provision of an endless deluge of data that’s ultimately left unactioned – everyone benefits.
But, at the root of the problem is a question of quality over quantity – too many boards have access to too much data and not the correct means to interpret or apply it.
So, what can CIOs and their teams do to help?
Although the decision-making process will differ between companies, what doesn’t vary is the need for good information in an easily consumable format – for the board to access anytime, anywhere.
Having a standard set of metrics that help the board understand where threats are emerging, the latest incidents in the industry and key actions and outcomes, is a crucial part of having productive conversations between the board and CISO.
This helps IT and risk professionals focus on delivering actionable insights that tell a clear and compelling story.
This is of vital importance for addressing compliance obligations in today’s evolving threat landscape.
However, too much of the wrong data can be just as bad as not enough data at all.
Decisions based on faulty or half-baked data are imperfect and, as a result, boards that are highly dependent on data to inform decisions could put the organisation at risk.
Governance and compliance gaps are commonly the result of one of, or a combination of, the following three things: a lack of good data, a lack of good visibility and a lack of good security.
All these can be more effectively addressed with improved data and insights.
Whether it concerns ESG policies, audit, cyber risk or investor engagement, consolidated and actionable data brings clear and consistent insight into an organisation’s risk posture.
Risk exists in the unconnected pathways between siloed systems, and, too often, boards are presented with data that lives in spreadsheets or is divided up over many different applications.
This is where big-picture thinking, in the form of consolidated data and a single source of truth for GRC, is so vitally important.
As we look to the future, AI can and will play an enormous role in bridging the gap between an overwhelming volume of data and a happy medium where the data flowing through to a board is digestible, relevant and actionable in an automated way.
In the Diligent report, almost half (48%) of the directors, senior leaders and company secretaries surveyed said they expect AI will increasingly automate decision-making by leaders in their organisation.
Encouraging the board to prioritise cyber risk and include data as a necessity in boardroom decisions will ensure efficient and effective processes for the organisation as a whole, especially as AI increasingly infiltrates technology processes.
Indeed, a recent report by Diligent Institute and Bitsight showed there is more that can be done at a board level to absorb and lead on cybersecurity posture, with only 5% of boards having cybersecurity experts as part of their director make-up.
CIOs need to be positioned at the heart of this conversation with the board to focus on gleaning better quality data.
This way, they can benefit from the data collected, and contribute to the way that data is applied in the organisation.
Using a unified platform that collects, contextualises and elevates data to help the board understand cyber risk will help position IT teams as strategic partners to the business.