Rising AI Adoption Increases the Complexity of Digital Risk Governance
Boardrooms continue to face seemingly unending governance, disclosure, regulatory, and legal challenges related to digital systems risk. This is exacerbated by the rapid adoption of artificial intelligence (AI), a digital technology that society is just beginning to grapple with and understand.
AI is yet another digital tool that businesses must employ to compete, and it is more powerful than most others. Digital tools have evolved rapidly, their application expanding from segmented information technology (IT) functions into the central nervous systems controlling the most vital assets and systems in all sectors of the economy, both private and public.
Highly sophisticated AI applications increase potential cyber risks from external threat actors. In addition, they introduce new, more complicated risks that are perhaps more consequential. Among the many examples are the introduction of biases, unintentional violation of laws and regulations, data exfiltration, and erroneous decision-making. The growing complexity and persistent nature of AI and cyber risk are daunting. Boards are on the defense as they deal with new demands for enhanced digital systems oversight.
In addition, the technical complexity of risks associated with digital tools is widening governance gaps between the board and risk managers. Digital risk transcends typical business risk. Defensive measures commonly employed by risk resources, such as compliance and risk assessments and enhanced disclosures, are all vitally important but alone do not constitute acceptable governance. The results of these processes are often communicated using technical language that lacks the business context boards need and should demand.
However, despite this deficiency, board members often derive false comfort and accept these measures as meeting their governance obligations. Instead, boards need to develop better context associated with digital risk. This requires understanding the systems being governed and establishing digital risk frameworks, policies, and procedures to govern them. Accomplishing this requires organizational, educational, and cultural changes to your enterprise.
To reorganize your enterprise risk and digital systems management and governance structure, you can do the following:
- Ensure your structure fits the size of your enterprise. One size does not fit all. Smaller companies might only engage a chief information security officer (CISO) as a service, while large organizations might employ chief risk officers, chief information officers, CISOs, business information security officers, and so on.
- Given the magnitude and growing complexity of digital systems risk, consider establishing a chief systems officer (CSO) or equivalent position with responsibility and authority over all digital systems. The complexity of digital tools requires careful delegation of responsibilities, authorities, and access controls. The CSO must have the following:
  - Clear authority over information technology, operational technology, legal, internal audit, compliance, finance, and human resources, to the extent that these functions affect enterprise-wide use of digital systems
  - An independent reporting channel to executive leadership
  - A role as a peer to the other C-suite executives
- Establish an internal digital risk committee (DRC), led by the CSO, to include leaders of all functional areas of the enterprise. This committee will be tasked with managing digital risk and making recommendations to the board of directors.
- Establish a chartered risk committee of the board with a mandate to oversee digital risk, and add digital systems expertise to the board. This committee should interact with the CSO and DRC on a periodic, as-needed basis. Be mindful that a separate committee does not relieve the full board of its responsibility for risk oversight.
- Establish enterprise risk management and digital risk frameworks based on DRC recommendations. These frameworks will evolve as digital systems evolve and as the education process within the enterprise matures.
Learn to contextualize digital risk as a systemic risk. Digital risk is a form of systemic risk that can only be dealt with through a contextual understanding of the underlying system and subsystems. Without this, the application of risk protection and mitigation methods lacks context. It can then be both wasteful and suboptimal.
All private and public enterprises should be defined within a systems context (e.g., enterprise as a system, or EAS). The EAS is a regularly interacting and interdependent group of elements and subsystems that constitute the operation of the enterprise. EAS elements include assets, processes, and the people who interact with one another both internally and externally. Some elements are more valuable than others.
Directors can develop governance over the EAS through the following four-phase process:
- Phase 1: Task the CSO and the DRC with producing a high-level business process map of the EAS for the board, identifying and describing system elements, their importance, and how they interact with one another. They should also describe the digital threat landscape facing the EAS. This should be presented in plain English, not technical jargon. Use outside advisors as necessary.
- Phase 2: Management can conduct a more detailed business process analysis for the CSO, summarized for the board. This analysis breaks down the larger elements identified in Phase 1 into an array of smaller elements, thereby fostering a better understanding of the EAS overall. This can lead to a better contextual understanding of the relative importance of your assets and enables better digital risk mitigation investment decisions.
- Phase 3: With the benefit of the context established in Phases 1 and 2, conduct a control or framework analysis that identifies, assesses, and determines the efficacy of digital risk mitigation tools and control activities. Redesign the EAS to reduce its exposure to the threat landscape and improve control efficiency. Add or consolidate digital risk mitigation tools to produce optimal results. Develop a risk appetite defining the risks the enterprise is prepared to accept in pursuit of value.
- Phase 4: The board and the CSO team now have a more complete picture of the digital risk posed to the EAS, expressed in language and terms understood by all. This picture should be reevaluated periodically, and also whenever changes are introduced, such as new digital systems, modified business goals, or merger and acquisition events.
Directors can stress the importance of shared responsibility for controlling digital risk through the following actions:
- Implement the organizational and educational steps outlined above. This will signal the importance of digital risk to the entire enterprise. People are the most important component of the EAS. Elevate the mitigation and control of digital risk from an IT function to a responsibility shared by all constituents.
- Develop an enterprise-wide training program with frequent, short periodic training episodes that do not overburden employees.
- Communicate to all constituents any emerging threats to digital systems and actual incidents experienced by the enterprise.
- Market within your enterprise the importance of controlling digital risk and reward good behavior.
Establishing a Risk Foundation
Effective digital risk governance requires boards to demand organizational changes necessary to manage and control complex digital systems, educational changes to develop a common contextual understanding of the system among the board and risk management stakeholders, and cultural changes to imprint upon the organization the importance of a shared responsibility for controlling digital risk. The alternative is to remain reactive, with unknown consequences. The stakes are only getting higher as AI capabilities advance.
RSM is a NACD partner, providing directors with critical and timely information, and perspectives. RSM is a financial supporter of the NACD.
Rod Hackman is an executive advisor of board excellence at RSM US.