17 Jul 2023 Rising AI adoption increases the complexity of digital risk governance
Authored by RSM US LLP, July 17, 2023
Boardrooms continue to face seemingly unending governance, disclosure, regulatory and legal challenges related to digital systems risk. This is exacerbated by the rapid adoption of artificial intelligence (AI), a digital technology society is just beginning to grapple with and understand.
AI is another, but much more powerful, digital tool being added to the arsenal which businesses must employ to compete. These tools have evolved rapidly from segmented IT functions into the central nervous systems controlling the most vital assets and systems in all sectors of the economy, both private and public.
Highly sophisticated AI applications clearly increase the potential for cyber-risk from external threat actors. They also introduce new and far more complicated risks that may be even more consequential: the introduction of bias, unintentional violation of laws and regulations, data exfiltration, and erroneous decision making, among many others. The growing complexity and ever-changing nature of AI and cyber-risk are daunting, seemingly overwhelming and hard to understand. Boards are on the defensive, dealing with new demands for enhanced oversight of digital systems.
In addition, the rapid rise and technical complexity of risks associated with digital tools is widening the governance gap between the board and risk managers. Digital risk transcends typical business risk. The defensive measures commonly employed by risk functions, such as compliance reviews, risk assessments and enhanced disclosures, are all vitally important, but on their own they do not constitute acceptable governance. The results of these processes are often communicated in technical language that lacks the business context boards need and should demand.
However, despite this deficiency, board members often derive a false comfort and accept these measures as meeting their governance obligations. Instead, boards need to develop better context associated with digital risk. This requires understanding the systems being governed and establishing digital risk frameworks, policies and procedures to govern them. Accomplishing this requires organizational, educational and cultural changes to your enterprise.
Reorganize your enterprise risk and digital systems management and governance structure.
- Stand up an enterprise risk management (ERM) and digital risk organization to fit the size of your enterprise. One size does not fit all. Smaller companies may only engage a chief information security officer (CISO) as a service while large organizations may employ chief risk officers, chief information officers, CISOs and business information security officers and so on.
- Given the magnitude and growing complexity of digital systems risk, consider establishing a chief systems officer (CSO), or equivalent position, with responsibility and authority over all digital systems. The complexity of digital tools requires careful delegation of responsibilities, authorities and access controls. The CSO must have:
- Clear authority over information technology, operational technology, legal, internal audit, compliance, finance, human resources, etc., to the extent these functions affect enterprise-wide use of digital systems
- An independent reporting channel to executive leadership
- A role as a peer to C-suite executives
- Establish an internal digital risk committee (DRC) led by the CSO to include leaders of all functional areas of the enterprise. This committee will be tasked with managing digital risk and making recommendations to the board of directors.
- Establish a chartered risk committee of the board with a mandate to oversee digital risk. Add digital systems expertise to the board. This committee should interact with the CSO and DRC on a periodic and as-needed basis. Be mindful that a separate committee does not relieve the responsibility of the full board for risk oversight.
- Establish enterprise risk management and digital risk frameworks based upon DRC recommendations. These frameworks will evolve as digital systems evolve and as the education process within the enterprise matures.
Learn to contextualize digital risk as a systemic risk.
- Digital risk is a form of systemic risk, which can only be dealt with through a contextual understanding of the underlying system and subsystems. Without this, the application of risk protection and mitigation methods lacks context and can be both wasteful and suboptimal. All private and public enterprises can and should be defined within a systems context, i.e., enterprise as a system (EAS). The EAS is a regularly interacting and interdependent group of elements and subsystems which comprise the operation of the enterprise. EAS elements include assets, processes and the people who interact with one another both internally and externally. Some elements are more valuable than others.
- Develop governance over the EAS through a four-phase process:
- Phase 1: Task the CSO and the DRC to produce a high-level business process map of the EAS for the board which identifies and describes system elements, their importance and how they interact with one another. Describe the digital threat landscape of the EAS. This should be presented in plain English, not technical jargon. Use outside advisors as necessary.
- Phase 2: Conduct a more detailed business process analysis for the CSO team, summarized for the board. This analysis breaks down the larger elements identified in Phase 1 into an array of smaller elements, thereby fostering a better understanding of the overall process defining the EAS. This leads to a better contextual understanding of the relative importance of your assets and enables better digital risk mitigation investment decisions.
- Phase 3: With the benefit of the context established in Phases 1 and 2, conduct a control/framework analysis identifying, assessing and determining the efficacy of digital risk mitigation tools and control activities. Redesign the EAS to reduce the threat landscape and improve control efficiency. Add or reduce the use of digital risk mitigation tools to produce optimal results. Develop a risk appetite defining the risks the enterprise is prepared to accept in pursuit of value.
- Phase 4: The board and CSO team now have a more complete cyber picture of the digital risk posed to the EAS using language and terms understood by all. It should be reevaluated periodically and episodically when changes are introduced such as new digital systems, changes to the business, M&A events, etc.
Stress the importance of shared responsibility for controlling digital risk.
- People are the most important component of the EAS. Organizational and educational steps outlined above will signal the importance of digital risk to the entire enterprise. Elevate the mitigation and control of digital risk from an IT function to a responsibility shared by all constituents.
- Develop an enterprise-wide training program with frequent, short periodic training episodes which do not overburden employees.
- Communicate emerging threats to digital systems and actual incidents experienced by the enterprise.
- Market within your enterprise the importance of controlling digital risk and reward good behavior.
Establishing a risk foundation
Effective digital risk governance requires boards to demand organizational changes necessary to manage and control complex digital systems, educational changes to develop a common contextual understanding of the system among the board and risk resources, and cultural changes to imprint on the organization the importance of a shared responsibility for controlling digital risk. The alternative is to remain reactive, with unknown consequences. There are no check-the-box solutions for digital risk governance.
This article was written by Rod Hackman and originally appeared on 2023-07-17.
2022 RSM US LLP. All rights reserved.