Conversations with the Board are often stress-filled occasions for management. Broaching the subject of risk is never easy – even more so when it involves digital risk. But talking about digital risk to the Board is necessary because in today’s business environment, digital risk management spans an increasingly wide range of risk, from automation to cybersecurity, compliance, data privacy and resiliency. Interwoven with these are elements of governance, organisational culture and decision-making which the Board needs to have a firm grasp of, in order to make those decisions effectively.
The need to talk
Because it touches so many aspects of the business, the conversation on digital risk has to be sustained. Furthermore, the digital risk landscape is constantly shifting because of the nature of technology itself; it is difficult to keep up once there’s been a lag, even if there are reports to bridge the gap. Organisations can expect their digital risk to rise in tandem as they begin to incorporate new technology into their operations. One example is the increased risk of being hacked, as firms expand online to enable new services for their customers, such as providing fund transfer via mobile phones or streaming content in real time.
The consequences of making such services available may have unexpected, disruptive, long-term impacts on the organisation which the Board and management neither anticipated nor prepared for when designing products and services or when formulating policy. Strategies formulated by the Board are operationalised by management; talking to the Board about digital risk has a direct impact on how the firm reacts to the environment, and how it is able to grasp opportunities. Not all risk is bad; some of it may prove lucrative to the firm, and increase its value. But the Board needs the right information to support its decision-making, and being aware of digital risk is part of it.
Keeping the conversation going
A part of setting the organisation’s strategy for digital risk management is the consideration of its compliance with good governance practices and transparency of operations. The Board needs to know how digital risk is being managed within the firm’s risk management framework. As part of digital risk management, critical assets must be identified and scenarios have to be imagined in which their vulnerabilities are exposed or exploited. Critical assets include data owned or utilised by the firm which may be confidential and subject to privacy laws. Breaches of this data may have long-term reputational repercussions that may be costly to the firm.
Digital risk assessments should be made in tandem with asset identification so that shortfalls, red flags and other areas of concern become clear. This will allow the organisation to measure, monitor and manage them more effectively, and also answer some of the questions which the Board will inevitably have, such as “How secure are our systems?” or “What else should we be doing to ensure confidentiality of our data?” or “Why do we need more money for cybersecurity?” – information necessary when it comes to decision-making on policy matters that the Board will ultimately be answerable for.
Building confidence in data
Bearing in mind that Board members are organisational part-timers at best (as opposed to management, which is on site full-time), they need a constant flow of information to keep them abreast of developments. The more information they have, the better able they will be to address the risks confronting the organisation and to manage and apply its risk appetite more effectively. Not all risks are negative. Some, including digital risk, may have positive outcomes. The steady stream of information also provides a picture of how management is applying Board-sanctioned strategies and policies. Feedback will indicate where adjustments need to be made.
The information also feeds conversations with the Board, while allowing management to respond to Board concerns arising from other sources such as media reports and queries by regulators on risk compliance matters. With so much information in the public space, confusion about technology and digital risk is inevitable; management therefore has the opportunity to focus the Board’s attention on what is relevant to the firm and its stakeholders. Through these conversations, risk professionals are actually ensuring that the Board is developing a clear understanding of the firm, and not just from the digital risk perspective.
What say you?
Conversations with the Board are sometimes difficult because those dealing directly with digital risk communicate in tech jargon whereas Board members are more inclined to “business talk.” Not all Board members may be as adept at technology as management which uses it extensively on a more regular basis. It helps, therefore, to couch digital risk matters in terms that Board members are more familiar with, and thus will be more accepting of. A little bit of acceptance on both sides will go a long way. Management will gain more insight on Board perspectives; the Board will better understand the constraints under which management has to operate.
Rule of thumb when talking digital risk to the Board: Be Prepared. That means anticipating what Board members may want to know, and being equipped with the information to address their queries. Pare jargon down to a minimum, and use terminology that is easy to understand, to avoid confusion or misconstrued meaning. Strive for clarity; offer examples of successful application of digital risk measures; point out what solutions may work, and why. Be detailed but admit shortcomings. Suggest ways to mitigate the risks identified, and demonstrate willingness to support the Board in its efforts to keep the organisation competitive and sustainable.