Rising AI adoption increases the complexity of digital risk governance

Boardrooms continue to face seemingly unending governance, disclosure, regulatory and legal challenges related to digital systems risk. This is exacerbated by the rapid adoption of artificial intelligence (AI), a digital technology society is just beginning to grapple with and understand.

AI is another, but much more powerful, digital tool being added to the arsenal which businesses must employ to compete. These tools have evolved rapidly from segmented IT functions into the central nervous systems controlling the most vital assets and systems in all sectors of the economy, both private and public.

Highly sophisticated AI applications clearly increase potential cyber-risks from external threat actors. In addition, they also introduce new, much more complicated risks which are perhaps more consequential.  Among the many examples are the introduction of biases, unintentional violation of laws and regulations, data exfiltration, and erroneous decision making. The growing complexity and ever-changing persistent nature of AI and cyber-risk are daunting, seemingly overwhelming and hard to understand. Boards are on the defense dealing with new demands for enhanced digital systems oversight.

In addition, the rapid rise and technical complexity of risks associated with digital tools is extending governance gaps between the board and risk managers. Digital risk transcends typical business risk. Defensive measures commonly employed by risk resources such as compliance and risk assessments, as well as enhanced disclosures, etc., are all vitally important, but alone do not constitute acceptable governance. The results of these processes are often communicated using technical language which lacks the business context boards need and should demand.

However, despite this deficiency, board members often derive a false comfort and accept these measures as meeting their governance obligations. Instead, boards need to develop better context associated with digital risk. This requires understanding the systems being governed and establishing digital risk frameworks, policies and procedures to govern them. Accomplishing this requires organizational, educational and cultural changes to your enterprise.

Organization

Reorganize your enterprise risk and digital systems management and governance structure.

• Stand up an enterprise risk management (ERM) and digital risk organization to fit the size of your enterprise. One size does not fit all. Smaller companies may only engage a chief information security officer (CISO) as a service while large organizations may employ chief risk officers, chief information officers, CISOs and business information security officers and so on.
• Given the magnitude and growing complexity of digital systems risk, consider establishing a chief systems officer (CSO), or equivalent position, with responsibility and authority over all digital systems. The complexity of digital tools requires careful delegation of responsibilities, authorities and access controls. The CSO must have:
  • Clear authority over information technology, operational technology, legal, internal audit, compliance, finance, human resources, etc., to the extent these functions affect enterprise-wide use of digital systems
  • An independent reporting channel to executive leadership
  • A role as a peer to C-suite executives
• Establish an internal digital risk committee (DRC) led by the CSO to include leaders of all functional areas of the enterprise. This committee will be tasked with managing digital risk and making recommendations to the board of directors.
• Establish a chartered risk committee of the board with a mandate to oversee digital risk. Add digital systems expertise to the board. This committee should interact with the CSO and DRC on a periodic and as-needed basis. Be mindful that a separate committee does not relieve the responsibility of the full board for risk oversight.
• Establish enterprise risk management and digital risk frameworks based upon DRC recommendations. These frameworks will evolve as digital systems evolve and as the education process within the enterprise matures.

Education

Learn to contextualize digital risk as a systemic risk.

• Digital risk is a form of systemic risk, which can only be dealt with through a contextual understanding of the underlying system and subsystems. Without this, the application of risk protection and mitigation methods lacks context and can be both wasteful and suboptimal. All private and public enterprises can and should be defined within a systems context, i.e., enterprise as a system (EAS). The EAS is a regularly interacting and interdependent group of elements and subsystems which comprise the operation of the enterprise. EAS elements include assets, processes and the people who interact with one another both internally and externally. Some elements are more valuable than others.
• Develop governance over the EAS through a four-phase process:
  • Phase 1: Task the CSO and the DRC to produce a high-level business process map of the EAS for the board which identifies and describes system elements, their importance and how they interact with one other. Describe the digital threat landscape of the EAS. This should be presented using plain English, not technical jargon. Use outside advisors as necessary.
  • Phase 2: Conduct a more detailed business process analysis for the CSO team, summarized for the board. This analysis breaks down the larger elements identified in Phase 1 into an array of smaller elements, thereby fostering a better understanding of the overall process defining the EAS. This leads to a better contextual understanding of the relative importance of your assets and enables better digital risk mitigation investment decisions.
  • Phase 3: With the benefit of context established in Phase 1 and 2, conduct a control/framework analysis identifying, assessing and determining the efficacy of digital risk mitigation tools and control activities. Redesign the EAS to reduce the threat landscape and improve control efficiency. Add or reduce the use of digital risk mitigation tools to produce optimal results. Develop a risk appetite defining the risks the enterprise is prepared to accept in pursuit of value.
  • Phase 4: The board and CSO team now have a more complete cyber picture of the digital risk posed to the EAS using language and terms understood by all. It should be reevaluated periodically and episodically when changes are introduced such as new digital systems, changes to the business, M&A events, etc.

Culture

Stress the importance of shared responsibility for controlling digital risk.

• People are the most important component of the EAS. Organizational and educational steps outlined above will signal the importance of digital risk to the entire enterprise. Elevate the mitigation and control of digital risk from an IT function to a responsibility shared by all constituents.
• Develop an enterprise-wide training program with frequent, short periodic training episodes which do not overburden employees.
• Communicate emerging threats to digital systems and actual incidents experienced by the enterprise.
• Market within your enterprise the importance of controlling digital risk and reward good behavior.

Establishing a risk foundation

Effective digital risk governance requires boards to demand organizational changes necessary to manage and control complex digital systems, educational changes to develop a common contextual system, understanding among the board and risk resources, and cultural changes to imprint the importance of a shared responsibility for controlling digital risk upon the organization. The alternative is to remain reactive with unknown consequences. There are no check-the-box solutions for digital risk governance.