Magazine article

In the past, a company needed capital, assets and time to achieve the status of serious competitor. Today, a serious competitor could emerge fully fledged at any moment, funded by a credit card.

“When you can’t see competition coming, a defensive approach is a material risk,” says Dr Greg Spencer MAICD, senior partner at Beyond Technology Consulting.

A fusion of technologies including cloud computing, big data and social media is transforming production, management, and inevitably, governance.

“It’s no longer enough for boards to ask what the company is doing about digital disruption,” Spencer continues. “They need to know whether the company is nimble and innovative enough to stay ahead of the curve.”

The languages of business and information technology (IT) have already converged. In large and successful companies such as Google, Apple and Amazon, the business itself is IT. And in small, agile organisations it is no longer unusual to see management writing software.

“Boards will find it much easier to overcome challenges if they recognise that cyber, people and computers interrelate through information services. Relevant business information, processes and intelligence are all part of information services and also make up the language of boards,” says Susan Oliver FAICD, founding chair of the women’s angel capital network Scale Investors, co-inventor of two software systems and founder of a technology start-up company. “This allows us as directors to be informed and make sound decisions.”

Boards will also need to overturn some of their old habits. “Traditionally, companies developed strategies, services and operations and then looked at how IT could be used to achieve them,” Oliver continues. “Now directors need to turn the conversation to how business is done and the value delivered. Could the actual business of their own business be IT?”

The transformative cloud

Cloud computing is a central pillar of digital transformation. “It has supported the rise of disruptive start-ups by putting expensive resources within their reach,” says Spencer. “What you can’t buy cheaply you can rent by the minute, including massively powerful computers.”

The cloud has also proven to be a valuable resource for companies of all sizes. “I think most directors are familiar with the benefits of cost-effectiveness and scalability,” says Colin Panagakis GAICD, director, Asia Pacific at BoardPad. “Now they should be thinking about how their companies can take advantage of emerging cloud-based technologies such as the Internet of Things (IoT) and blockchain.”

These are not topics for the back burner. Gartner has predicted that the IoT will grow to 26 billion units by 2020 – an almost 30-fold increase from 2009. Two studies by IBM have found that commercial blockchain solutions are being adopted throughout banking and financial markets much faster than was anticipated; roughly 65 per cent of banks expect to have blockchain solutions in production within the next three years.

Technology in the boardroom

In the boardroom itself, technology can make governance more operationally effective, auditable and less expensive.

“A board portal, for example, can help directors to manage board pack preparation, board surveys and risk registers,” says Tessa Court, chief executive officer (CEO) of online board portal company IntelligenceBank. “This makes everyone more accountable and ensures that board management runs more smoothly. Everyone involved – company secretaries and executive assistants as well as the directors themselves – can spend their time working on strategic initiatives rather than collating papers and filling out forms.”

Cloud-based companies have the means to collect big data – vast quantities of information about their systems, customers and competitors as well as the organisation itself. The latest dashboards can distil this into real-time displays to help directors monitor performance, identify trends and drill down into as much detail as they need before making a decision.

The displays can also be precisely tailored. “One chair I know has a dashboard on his mobile phone that provides the daily revenue of his company,” says Panagakis. “There are no employees involved, yet he can have the real-time encrypted information he wants wherever he is in the world.”

However, Oliver is concerned that the term “big data” can be misleading. “It is often used by vendors of things like databases, networks and analytics software to sell upgrades – but big data specialists may not be specialists in business strategy and intelligence,” she says. “I prefer the phrase ‘big information’ because this captures the ability to derive new insights and intelligence – perhaps even predictive information – by processing a lot of data electronically across a range of media and sources.”

A more transparent company

Most directors are familiar with social media platforms such as LinkedIn and Facebook and their potential for improving stakeholder engagement, gaining industry insights and developing brand loyalty. A new breed of communication applications (apps) is also gaining traction.

“They use what is known as ‘over the top’ technology because they go over the top of traditional carrier systems,” says Panagakis. “This enables you to send instant messages and photographs around the world. Commercial apps such as Cisco’s Spark and Atlassian’s Confluence are particularly useful when people in different locations are collaborating on a project and their primary device is a smartphone.”

The fact that employees, customers and other stakeholders can now use social media to broadcast news and opinion is changing where power, authority and influence reside. “This is making all organisations a lot more transparent,” says Oliver. “As a result, boards must give much more thoughtful consideration to matters such as workplace health and wellbeing, human resources and ethics as well as customer service, which is no bad thing.”

The board must also be sure that appropriate risk management protocols are in place. “These should include a social media strategy, framework and process to manage reputational risk, shareholder communications and liability if false claims are made,” says Court.

Regular reviews should confirm that a social media policy for employees is in place and up-to-date, that the use of social media is being measured and monitored and that one person is responsible for overseeing all corporate social media posts and responses. Directors also need to understand the role social media plays in crisis management, including whistleblowing and activism.

“Some online board portals offer a social media monitoring feature which reports mentions across different platforms,” says Court. “It can also provide directors with independent information and third party opinions of the company.”

Companies have always monitored the media but as Spencer points out, the big difference now is the speed with which news can circulate. “At worst, there used to be a 24-hour news cycle,” he says. “Now it’s practically instantaneous, so if bad news needs to be addressed, it’s unlikely that there will be time to consult the board as a whole. We recommend looking at different risk scenarios, deciding how they could best be contained and setting out when management would be empowered to make decisions that would normally go to the board.”

The changing nature of risk

Forty years ago, most of a company’s assets were tangible – according to intellectual capital merchant bank Ocean Tomo, the average was 83 per cent. Last year this figure had fallen to just 16 per cent for S&P 500 companies.

“Most directors know that the world’s largest taxi firm, Uber, owns no cars and that the world’s most valuable retailer, Alibaba, carries no stock, but statistics like these still drive home the fact that risk management is undergoing a fundamental change,” says Spencer. “If you’re not deliberately identifying and valuing intangible assets like data, brand value and reputation, you could be overlooking a significant and increasing component of the organisation’s risk profile.”

No business is too large or too small to run the risk of falling victim to cyber crime. “Concerns for data security lead some boards to question the wisdom of outsourcing cloud services, but a creditable cloud provider is likely to have tighter security than an IT team managing data internally,” says Panagakis. “The important thing is to check the credentials of every provider.”

The choice of provider must also take compliance into account. “Many companies operate under a regulatory framework which mandates the need to know where their data is stored and how it is being protected,” says Court.

But there can be no such thing as guaranteed security and when a company does suffer a breach, the consequences can be devastating. “We have seen companies lose customers, lose revenue and suffer a fall in their share price,” says Court. “The cost of remediation can also be very high.”

It is hardly surprising that many companies do their best to keep news of a breach to themselves – though this option is almost certain to disappear.

“There has already been a great deal of discussion about mandatory data breach notification and it seems likely that it will soon become law – possibly within a matter of months,” says Spencer. “This will bring Australia up-to-date with many other countries, including the UK and the majority of North American states.”

Cyber risk in the boardroom

Court is pleased that cyber risk is making its way from the IT department to the boardroom. “The boardroom is where it belongs – especially as cloud applications are gradually encroaching on software which was traditionally hosted on internal networks,” she says. “This means that, in effect, the network perimeters of an organisation are continually expanding and are therefore becoming more difficult for companies to control, manage and secure.”

Cyber risk is now central to good governance, and good governance is built on sound advice – but Oliver is concerned about the quality of the advice boards receive and their ability to test it.

“Vendors motivated by what they want to sell to the company, advice from people who describe technology as PCs, servers, screens and networks, the removal of the ‘information’ part of IT – these can all leave boards with thin information upon which to base their decisions,” she says. “All too frequently, a board is presented with a technology solution rather than a clear picture of how the product will serve the strategic purpose of the business, how the business will use the product effectively and how implementation costs are to be recovered.

“It is not realistic for directors to test assumptions such as the costs and time involved in implementing new technology, or even whether the technology is current and competitive, unless they understand how it will service the company’s needs. They need to stand up for themselves and ask for the business information and the services value behind the technology proposal. External experts can provide valuable information – and there is no reason why a board should not have one or more members who are substantially literate in these areas.”

The board must also be equipped to provide relevant guidance to the management team.

“Looking into a void is always harder than examining the evidence in front of you, but management must be encouraged to focus beyond the horizon,” Oliver continues. “They should be considering future challenges, intelligence and value systems, emerging opportunities and new ways of conducting business and serving customers.”

Considerations to take to the boardroom

  1. Serious competitors with entirely new business models could emerge at any time, without warning. This makes a defensive approach to digital disruption a material risk.
  2. Boards must have the capacity to test advice, question proposed technology solutions and challenge management on digital and innovation strategy. This may require help from an external expert.
  3. Technology can support a board’s decision-making process by providing relevant, real-time data in an accessible format.
  4. Mandatory data breach notification is likely to soon become law. A board’s shortcomings in identifying, assessing and managing a breach will be clearly visible.
  5. Social media has given stakeholders a platform to voice their opinions, and must be carefully managed.
  6. Boards can no longer assume that the company should develop strategies and operations and then look to IT for ways to implement them; technology is integral.