A few months ago, a group of Pittsburgh Uber users made history by riding in a self-driving car. This was a research exercise, but by 2021, Uber’s human drivers could all be out of a job. This is the Exponential Age, where a company that famously disrupted the taxi industry just a few years ago is already disrupting its own business model.

Paul Fiumara, partner at accountancy firm DFK Hirn Newey, says he would rather call this process a transformation. “‘Disruption’ sounds as though it’s something to put up with until normal service is resumed, like an interruption to a television program,” he says. “The changes brought about by advances in digital technologies are permanent and profound. They reflect a redistribution of power from institutions and businesses to citizens and consumers, and also from larger, slower-moving corporations to smaller, more agile businesses that can innovate quickly with lower capital investment. The old saying that if you do what you’ve always done, you’ll get what you’ve always got, no longer applies. In my view, if you do what you’ve always done, you’ll soon be out of business.”

Companies in every industry are also being overtaken by new entrants into the market. “Directors can’t put their heads in the sand and think it won’t happen to them,” says Dr Monique Beedles FAICD, principal strategy advisor at consultancy firm, Teak Yew, and author of Asset Management for Directors, published in 2016 by the Australian Institute of Company Directors (AICD). “While it’s important to think about how we can protect ourselves, a strategic approach also means looking at opportunities. The best ways to take advantage of the latest technologies, or technologies in the pipeline, in order to create a competitive advantage, should be on every board’s agenda.”

It’s up to the board to ensure that their organisation has an effective innovation strategy in place and the technology to support it.

“You can’t respond to digital disruption if you don’t have agile and flexible IT. I see this as being a material challenge for many boards in 2017,” says Dr Greg Spencer MAICD, senior partner at Beyond Technology Consulting. “As digital disruption shifts up a gear, companies have to get on the front foot and start addressing any institutionalised IT problems.”

Some companies hope to fast track a technology upgrade by acquiring a digital upstart. “This can work, but unless you do thorough IT due diligence at the start, you could find that the integration process is very costly,” says Spencer.

“There can also be massive issues buried just beneath the surface. We have been called in a few times after the event and found things like business systems built around unlicensed software or licences that are non-transferable. If the start-up has been cutting corners, a $100 million acquisition could end up costing you $200 million to fix.” Mobile technology takes priority

The first full touchscreen smartphones were launched barely 10 years ago, yet they have revolutionised the way we live, shop and communicate. According to the 2016 Deloitte Global Mobile Consumer Survey, Australians interact with a smart phone 480 million times a day – a 9 per cent increase on the previous year.

“Mobility will continue to be the number one technology enabler over the next 10 years,” says Colin Panagakis GAICD, director, Asia Pacific at BoardPad. “It needs to be a priority – boards should all be pushing management to adopt the best mobile technology for their clients and employees, and to work out how they can best utilise mobile technology to grow their business.”

For many people, a screen is their primary source of information. “We expect to be able to engage digitally,” says Alison Cairns, partner, IT Advisory at EY. “As consumers and customers, we have become accustomed to having information and services quite literally at our fingertips.”

Much of this information is gleaned from social media. “This is having a significant effect on the success or failure of many organisations,” says Fiumara. “The market is evolving and directors should remember that consumers often pay closer attention to what other consumers have to say, than to expert opinion or marketing.”

New ways of thinking

Governance in the digital age demands a new way of thinking. “There’s still a very prevalent mechanistic and hierarchical assumption about how a company should look,” says Beedles.

“But the companies that are being disruptive don’t make the assumption that they must use the same organisational structures and business models that have been in place for 200 years. Boards should put aside their preconceptions when they’re thinking about how they can achieve their aims. Their approach must be customer-centric – asking themselves ‘what do our customers want and how can we deliver it?’ not, ‘how can we find people who will buy whatever we build or make or sell?’ This level of creativity requires input from a diverse group of directors.”

Boards must also be equipped to take a strategic approach to investing in technology. “As with any other investment, you should have a robust business case and a strategic rationale,” says Beedles. “But sometimes there’s a sense of fait accompli – that we must spend a lot of money on the latest technology without being sure of how it will add value to the business.”

Many boards are appointing directors with some knowledge of technology. “They will often tip upside down conservative thought processes that have been successful in the past but are unlikely to remain so in the future,” says Panagakis.

In order to make sound decisions, all directors must be able to understand the information that is provided for them – but that doesn’t mean they must learn how to code. “Directors need to be able to recognise good IT governance, apply the same standards they would to any other board decision and be prepared to bring in expert advice whenever it’s needed,” says Spencer.

“But I think things like coding boot camps can do more harm than good. In IT, stale knowledge is very dangerous and if you’re not in the industry, anything you learn is pretty much out of date as soon as you’ve learned it.”

Continuing threats

Cloud computing is now integral to the way the majority of businesses operate, and while most directors are now aware of the associated risks, they can’t afford to take their eyes off the ball.

“Boards should be asking how security, data privacy and data sovereignty will continue to be assessed over time as more and more workloads are moved to cloud,” says Cairns. “Of course, security, compliance and governance need to be robust but these areas are, at times, overlooked or may need to be refreshed as an organisation moves to the digitally-enabled platforms they need for digital transformation.”

Boards also need to be realistic about the possible impact of a security breach. “James Spaltro, former executive director of information security at Sony Pictures Entertainment, famously said that he would not invest $10 million to avoid a possible $1 million loss,” says Beedles.

“It’s a valid business decision to accept the risk, but when the 2014 cyber-attack brought the company to a standstill, the direct costs were over $100 million. This doesn’t include the reputational cost to the organisation and its directors, or the flow-on impacts to individual staff and customers whose personal information, such as their social security number, had been released.”

Predicting the outcome is a difficult exercise as it relies on a lot of unknowns and unknowables. “What is important is that the board treats its valuable intangible assets in the same way as it treats its valuable physical assets,” says Beedles.

Unnecessary risk

As cyber criminals become more sophisticated and organised, the scale of their attacks is increasing.

“The latest super hacks and massive data breaches could put a company out of business and in some cases, company directors might find themselves personally liable,” says Shara Evans, a technology futurist, keynote speaker and chief executive officer of Market Clarity, a technology analyst firm.

“Yet companies are continuing to store information in a way that makes the consequences of a deliberate, or even an accidental breach, much more significant than they need to be. For example, it’s not a good idea to store everything related to one person in a single data base.”

As well as monitoring internal procedures, such as who has access to data and what kinds of approvals are required before information can be disclosed, directors should bear in mind that an attack may not be direct.

“The criminals who attacked Target in 2014 were able to access millions of their customers’ private data and credit card information via a heating, ventilation and air conditioning maintenance supplier,” says Evans.

One simple precaution is to ensure that the company isn’t routinely collecting data it doesn’t need. “Last week I wanted to do a software trial with a very well-known vendor and one of the pieces of information they required for registration was my birthday,” says Evans.

“I deal with cybersecurity on a regular basis and I know a lot about identity fraud, so I’m very cognisant of the information organisations are collecting about me and how it could be abused. In cases where they don’t need to know my birthday I use a fake one.”

In general, the less information you collect and store the lower your risk. “Even if it’s important for your business to classify the age demographics of your client base, you don’t need specific dates,” says Evans. “It’s safer to ask them what age range they fall into.”

Directors should also be careful with their own personal information. “One of the issues with mobile technology is its ability to collect metadata such as where you are, where you go and what you buy,” says Panagakis. “Not many people read the fine print when they download an app so they probably don’t realise that many of them, particularly free ones, collect information which is then extracted and stored for marketing or other purposes. For directors, this could pose a significant threat to corporate governance – and the risks will continue to increase.”

Complex decisions

Many directors will soon find themselves confronting issues that sounded like science fiction at the start of their career. For example, their company vehicles could be self-driving in less than a decade.

“Boards should give some thought now to the implications, particularly in terms of liability,” says Evans. “For instance, who would be at fault in an accident involving a car that was in autonomous mode? The employee sitting in the car, but not driving? The company that owns the car? The manufacturer? The software programmer? And what if someone hacks into the infrastructure systems that interact with driverless vehicles such as stops signs, speed limit signs and traffic lights? These will soon be very real issues that need to be resolved.”

Evans suggests that next year all boards should ensure they have access to a technologist who can alert them to emerging technologies and how they could be used both for and against the company.

“Having that over-the-horizon foresight will allow directors to navigate their company into the future they want, rather than having the future just happen to them.”


10 top tips for 2017

  1. Every organisation needs an innovation strategy and IT systems that are agile and flexible enough to support it.
  2. Mobile technology should be a priority.
  3. Companies no longer need to be limited by the organisational structures and business models that have been in place for 200 years.
  4. Creativity that goes beyond traditional strategy requires diversity of thinking.
  5. Failing to seek out opportunities that lie in new and emerging technologies is as big a risk as failing to protect an organisation against cyber-crime.
  6. Successful organisations are customer centric.
  7. Social media can have a significant impact on the success of and organisation; customers tend to trust the opinions of other customers.
  8. The data you collect and store is a valuable corporate asset.
  9. Internal security procedures must be regularly reviewed and updated.
  10. Cyber criminals can hack into your data via a third party with access to your systems.