Digital transformation: Three priorities for governance leaders

Dig­i­tal trans­for­ma­tion can make organ­i­sa­tions more agile, effi­cient and cus­tomer-cen­tric. While these ben­e­fits are well under­stood, busi­ness­es that neglect the gov­er­nance aspect of dig­i­tal trans­for­ma­tion risk con­tra­ven­ing data pri­va­cy and secu­ri­ty reg­u­la­tions – some­thing no busi­ness can afford to do.

Just to com­pli­cate mat­ters, reg­u­la­tions con­stant­ly change and many are region or indus­try-spe­cif­ic. To remain on top of things, gov­er­nance lead­ers need to work with stake­hold­ers from across the busi­ness to ensure that noth­ing is over­looked, while also ensur­ing they are up-to-speed on upcom­ing addi­tions to the reg­u­la­to­ry land­scape. 

Sev­er­al upcom­ing reg­u­la­tions relate to cut­ting-edge tech­nolo­gies like AI and machine learn­ing. While these tools can unlock huge ben­e­fits for busi­ness­es, in many cas­es they also come with a degree of risk. Gov­er­nance lead­ers must there­fore devel­op a broad under­stand­ing of them to address poten­tial issues before they get out of hand.

It’s a lot to cov­er. But as the fol­low­ing advice shows, gov­er­nance lead­ers that make these issues a pri­or­i­ty will ensure that dig­i­tal trans­for­ma­tion pro­grammes are com­pli­ant as well as com­pet­i­tive­ly advan­ta­geous.

Stakeholder management

Gov­er­nance lead­ers need to iden­ti­fy and work with a vari­ety of stake­hold­ers – such as IT teams, oper­a­tional lead­ers, and finan­cial and legal depart­ments – to ensure com­pli­ance stan­dards are met dur­ing dig­i­tal trans­for­ma­tion pro­grammes.

“If the com­pa­ny has a chief com­pli­ance offi­cer, chief pri­va­cy offi­cer, chief risk offi­cer or data pri­va­cy offi­cer, these are the fig­ures required for a com­pa­ny to meet their com­pli­ance chal­lenges,” says Robert Mey­ers, chan­nel solu­tions archi­tect and fel­low of infor­ma­tion pri­va­cy at One Iden­ti­ty. “But these must not be the only peo­ple that get involved in gov­er­nance, com­pli­ance or pri­va­cy.”

Bri­an Kane, co-founder and COO of pri­va­cy com­pli­ance com­pa­ny Sour­ce­point, agrees that every team, from mar­ket­ing to IT, needs to be engaged and aligned with an organ­i­sa­tion’s approach to pri­va­cy. “The accu­mu­la­tion of data that accom­pa­nies dig­i­tal trans­for­ma­tion ini­tia­tives, be that exter­nal or inter­nal data, means that all stake­hold­ers must be ade­quate­ly trained not just on inter­nal process­es, but on basic pri­va­cy prin­ci­ples,” he says, adding that pri­va­cy must become the “guid­ing prin­ci­ple of the com­pa­ny.” 

That should extend to the board lev­el too. “There should be one per­son on the board who is respon­si­ble for com­pli­ance,” says Nigel Jones, co-founder of the Pri­va­cy Com­pli­ance Hub and ex-asso­ciate gen­er­al coun­sel and head of legal for Google in Europe, the Mid­dle East and Africa. “A gov­er­nance leader such as the data pro­tec­tion offi­cer needs to report direct­ly into that board mem­ber and com­pli­ance reg­u­lar­ly needs to be on the agen­da of each board meet­ing.”

He describes this as “man­ag­ing up” and says: “A suc­cess­ful gov­er­nance leader needs to set expec­ta­tions with the respon­si­ble mem­ber of the board and explain that with­out their sup­port on the board and through­out the organ­i­sa­tion, any com­pli­ance pro­gramme will fail.”

Changing regulations

Reg­u­la­tions are con­stant­ly being updat­ed and new ones intro­duced, not least when it comes to data pri­va­cy and secu­ri­ty. 

How can gov­er­nance lead­ers keep up with all this change? Or bet­ter yet, stay ahead of upcom­ing reg­u­la­tions? “Get involved,” says Mey­ers. “If you are sit­ting on the side­lines it is hard to keep up.”

He advis­es gov­er­nance lead­ers to sign up for the Inter­na­tion­al Asso­ci­a­tion of Pri­va­cy Pro­fes­sion­als and for secu­ri­ty ISACA (for­mer­ly known as the Infor­ma­tion Sys­tems Audit and Con­trol Asso­ci­a­tion), as they train the audi­tors for cyber­se­cu­ri­ty and gov­er­nance.

“Addi­tion­al­ly, I’d start lis­ten­ing to some pod­casts and fol­low cer­tain ded­i­cat­ed Twit­ter feeds to keep up with the lat­est news and changes in leg­is­la­tion,” he adds. 

George Ioan­nou, man­ag­ing part­ner at Fool­proof, a Zen­sar com­pa­ny, also advo­cates for forg­ing stronger work­ing rela­tion­ships with reg­u­lat­ing and stan­dard­i­s­a­tion bod­ies. “This could lead to the co-cre­ation of future com­pli­ance stan­dards and poli­cies that are under­pinned by a greater under­stand­ing of the details and objec­tives behind dig­i­tal trans­for­ma­tions.”

For Jones, keep­ing up with a con­stant­ly evolv­ing reg­u­la­to­ry land­scape is as much about hav­ing the right cul­ture in place as any­thing. “The prac­ti­cal real­i­ty is that gov­er­nance lead­ers need to be com­fort­able with the fact that they can­not keep up with every change,” he says. “That is why they need to have the right cul­ture in place, kept in place by a reg­u­lar­ly main­tained com­pli­ance pro­gramme.”

This ensures that the impor­tant things are dealt with. “There is no point in know­ing that the data reten­tion peri­od for tax returns in Aus­tria has recent­ly changed if none of the employ­ees in an organ­i­sa­tion have been trained on the sim­ple steps they can take to keep data safe in their dig­i­tal work­place,” he says.

The role of technology

Tech­nolo­gies such as AI and robot­ic process automa­tion (RPA) are becom­ing increas­ing­ly main­stream across a range of indus­tries and busi­ness func­tions. But that does­n’t mean bots can sim­ply be left to their own devices.

Fair­ness and bias issues can arise from the use of AI. “RPA at its core is a scal­able, cost effec­tive repli­ca­tion of human deci­sion mak­ing, which means it can rein­force some of our uncon­scious bias­es in cer­tain instances,” says Dr Michael Kol­lo, chief econ­o­mist at Faethm AI. 

“AI and RPA-based sys­tems are script­ed in nature and there­fore more open to reg­u­la­to­ry scruti­ny,” he adds. “So compliance’s job is to make sure their algo­rithms are exe­cut­ing in an unbi­ased man­ner, and if not, pre­vent small bias­es from being scaled across the organ­i­sa­tion and cre­at­ing more struc­tur­al issues.”

Many AI solu­tions are “black box” solu­tions, which means “it is dif­fi­cult, if not impos­si­ble, to under­stand how deci­sions are made and thus if deci­sions and rec­om­men­da­tions are com­pli­ant to poli­cies,” says Dr Lars Rossen, CTO of Micro Focus. “On the oth­er hand, you can actu­al­ly use AI tech­niques to help find and pin­point com­pli­ance issues in an organ­i­sa­tion, by, for instance, using AI to find infor­ma­tion that requires GDPR atten­tion in unstruc­tured data.”

Kol­lo adds: “Cer­tain ele­ments of com­pli­ance roles are very data-dri­ven; typ­i­cal­ly they involve col­lect­ing data and com­par­ing it to trans­ac­tion­al bench­marks to estab­lish whether some­thing is com­pli­ant or non-com­pli­ant. These tasks can be auto­mat­ed to a great extent by sys­tems like RPA, which col­lect large vol­umes of data and gen­er­ate rules-based out­comes for a com­pli­ance pro­fes­sion­al to assess, sav­ing them a great deal of valu­able time in the process.”

Could com­pli­ance pro­fes­sion­als be put out of the job by the bots? Kol­lo says: “There are also many ele­ments of com­pli­ance that relate to more strate­gic risks that require human man­age­ment rather than imme­di­ate iden­ti­fi­ca­tion and elim­i­na­tion. In oth­er words, a dif­fer­ent skill set that is much less like­ly to be auto­mat­ed in the near future.” For now, the future looks to com­bine the best of peo­ple and tech­nol­o­gy.