Digital governance

For the past 20 years, digital technologies have dramatically reshaped the way organisations engage internally and externally with their stakeholders, creating a completely new digital eco-system in need of its own governance and dedicated management. Many indicators show that the growth in the use of digital media for sales and communication is expected to accelerate in the next five years, evidenced by the forecast 45% increase in the speed of global interconnection bandwidth from 2019 to 2023.

The global pandemic has demonstrated how effective digital strategy and platforms can provide both strong business development and business continuity, but also how reliant organisations have become on a safe and efficient digital infrastructure. A key part of the robustness of this infrastructure is how well it is governed.


What do we mean by digital governance?

An organisation’s digital presence provides an overlay that intersects all the traditional functions and activities of the entity: marketing, sales, finance, HR, operations, business strategy, information technology, etc. As a result, digital activities are better thought of as a centralised domain of expertise rather than an add-on to existing functions. Larger organisations might be able to create a dedicated Chief Digital Officer (CDO) position to coordinate all digital activities, while smaller organisations might have to rely on coordination through the existing management structure. Whatever organisational structure is chosen to manage digital efforts, having a digital governance framework will establish clear decision-making responsibility and accountability for digital content management. Digital governance covers how the core data of the organisation is structured and managed, as well as the channels of communication and sharing of this data via external websites, social media, intranet, etc. The governance framework is typically implemented through digital policies, data standards, and data classification rules. A governance framework will typically be more effective if it is built on a strong digital culture, ie the knowledge, beliefs, perceptions, attitudes, assumptions, norms and values of the organisation’s stakeholders and how they manifest in people’s behaviour with the underlying information technologies.


Why is digital governance important?

In the pre-digital era, corporate strategy typically came first, and the technology infrastructure was designed to support it. IT was complementary to the business but mostly a separate domain of expertise. In a world dominated by digital, the business strategy needs to be deeply integrated from the start with data and technology capabilities. Organisations that lack a robust digital foundation will struggle with the accelerating changes in our digital age.

In this context, digital governance serves two main purposes. First, it ensures that companies are performing digital activities in an ethical manner and abide by all laws and regulations (such as data privacy). Second, it enables an organisation to optimise business development and business resiliency through digital channels.

Inadequate digital governance puts organisations at risk through missed business opportunities (inability to reach customers, weak message), direct operational losses (cyber-attacks) and potential long-term reputational impact (defamation, intellectual property, inappropriate language, etc.). These vulnerabilities can be amplified by the internal fragmentation of the different elements of the digital footprint and the lack of internal communication between corporate functions or between parts of the organisation.

For example:

  • One commercial division might decide on a specific digital approach to developing its business without consideration for the central rules for branding applied at the group level
  • The top marketing executive might favour some fairly aggressive approaches to social media without enough input from the cyber-security department regarding data protection

In most organisations (except the smallest ones or those with an extremely limited business model) no single individual or even single function has the knowledge or perspective to dictate or control the full digital eco-system of that organisation. The complexity and scale of any organisation’s digital eco-system will continue to increase. A robust governance framework must reflect this complexity and consider not only the existing state but the emerging properties of new technologies and ways of exchanging data. For example, the policies for use of digital media should be updated more often than most other policies and clearly identify not only who is accountable, but also who should be consulted and provide input in the decision-making process.

As an example, the design and maintenance of an organisation’s websites is a clear illustration of the necessary sharing of responsibilities to ensure an efficient, secure, and effective presence online as shown on the diagram below:


Role of internal audit

Internal audit has a major role to play in raising awareness and providing insights on the dimensions of digital culture and management across the organisation. Given the fragmentation of digital controls, internal audit can provide assurance that the governance is holistic and appropriate for a modern digital eco-system.

For most organisations, the digital governance framework will have been initially developed by trial and error without an overall plan. As a result, it will show areas of strength and areas of weakness. For example, the digital vision and strategy might be clear and well understood, but the supporting team structure and data standards might be lacking.

Internal audit can assess how well the organisation is doing by performing audits of the various elements of the digital framework. But the greatest value will be obtained by performing a digital governance maturity assessment that cuts across all the relevant dimensions of the framework: customer experience, business development, data management, inventory and classification, marketing, branding and use of social media, legal function involvement, cyber-security posture, technological advancement (including the use of machine learning and artificial intelligence).

The table below illustrates at a high level the type of maturity classification that can be used as a starting point (maturity level, followed by its key characteristics):

Level 5: Innovative

  • Digital governance is used as a key component of the overall strategy (eg the Chief Digital Officer is part of ExCo)
  • Lessons learned from competitors (mistakes, successes, best practices) are quickly incorporated into an organisation’s processes
  • The organisation is committed to best-in-class digital presence

Level 4: Sustained

  • Data classification is used systematically for all internal and external data
  • New data laws and regulations are quickly incorporated into existing policies
  • Digital steering committees are coordinated centrally (for example by a Chief Digital Officer)

Level 3: Standardised

  • Policies are established with clear central owners and decision-making rules
  • Structured data classification is in place for most communication channels
  • Digital standards exist and are used across the organisation
  • Formal coordination of digital activities through dedicated fora

Level 2: Managed

  • Emergence of commonalities in data standards and classification
  • Basic digital policies on use of social media, branding, etc
  • Informal coordination of digital activities across the organisation

Level 1: Initial

  • Ad hoc elements of governance
  • Awareness of the issues
  • Data gathering on digital footprint
  • Some classification of data

Depending on the maturity of an organisation, internal audit might undertake different roles such as advisory, assurance and/or compliance activities. If the organisation has reached a sufficient level of maturity in its digital governance framework, internal audit can best contribute actively to its improvement by performing an annual digital governance audit engagement until maturity reaches a level appropriate to the organisation’s risk appetite and needs. In addition, research on best practices across other sectors of activity, or benchmarking against similar organisations, can very often elevate our discussions with management and the board.

In the next section, we focus on the key risks and controls that could be included in such an audit review or inform advisory engagements and generally build internal audit knowledge.

Key risks and controls

The following table highlights some of the key risks resulting from inadequate digital governance.

Business and operational risk

  • Fragmentation of the digital eco-system management framework leading to inconsistencies in implementation and loss of business
  • Misuse of branding guidelines leading to customer confusion
  • Inadequate IT support for the maintenance and updating of website tools leading to operational errors or obsolescence
  • Lack of cooperation between business leaders and IT support resulting in major gaps in functionalities

Cyber risks
  • Insufficient hardening of the cyber perimeter leading to unauthorised access by an external malicious actor (eg nation state, organised crime, or hacktivist) to an organisation’s systems and information, causing a cyber-security incident impacting data confidentiality, integrity and/or system availability
  • Operational errors, inappropriate behaviour or fraud leading to an internal data breach. This includes unauthorised logical and physical access and misuse of personal data storage devices

Reputational, legal, and regulatory risk
  • Insufficient oversight and a weak policy framework: the risk that legislative and regulatory requirements (existing or new) are not identified, analysed, or embedded within internal policies and procedures on a timely basis, that employees do not comply with them, and that breaches/exceptions are not managed, documented, tracked, escalated and/or remediated
  • Misuse of social media channels leading to reputational damage
  • Lack of protection of intellectual property across the digital domain
  • Insufficient or inconsistent legal disclaimers exposing the organisation to lawsuits
  • Misuse of confidential information (non-personal data): the risk that staff do not manage confidential information appropriately or misuse it. This includes internal information and other sensitive data whose use should be segregated and controlled to prevent the unintended dissemination of confidential data to third parties or unintended recipients
  • Misuse of personal data: the risk that personal data is not adequately protected

By mapping these digital risks to their own organisation’s environment, internal auditors can design a testing programme of the key elements for a robust digital governance framework. These elements cover the whole structure starting with the high-level tone from the top to the policies for the management of information shared on social media and data protection. A robust digital management culture and the right governance arrangements are the keystones for operational excellence in the 21st century.

The table below illustrates the types of questions that internal auditors can ask to assess the status of the organisation’s digital governance (key area, followed by the questions for internal audit):

Board and executive management oversight

Does the board (including sub-committees such as the audit/risk committee) have access to the required technical expertise (either directly with board members or externally through advisers and training) to understand and challenge the digital governance framework given the rapidly changing business environment?

Does the board understand the key risks to the digital eco-system of the organisation (technological and other)?

Are the risks to the digital eco-system part of an integrated risk management approach rather than a risk-by-risk analysis?

Has the board reviewed/approved the set of digital governance policies?

Is the board presented with regular updates on the key projects in the improvement of the digital governance framework, particularly regarding compliance with regulatory obligations?

Is the board using the organisation’s data classification for its own communication?

Does the board actively support the strong messages of awareness and individual responsibility of all stakeholders regarding the protection of the organisation’s data?

Has the executive management (IT and non-IT) agreed on a clear digital governance framework and on appropriate policies?

Executive/Senior Management

Are non-technical executives involved in cyber and digital strategy discussions?

Is the digital governance framework aligned with the enterprise risk management framework?

Does executive management actively promote awareness of the organisation’s data classification scheme by tagging its own communication?

Is there a senior enough executive in charge of digital governance across the organisation (ideally separate from the CISO role; the position does not require an IT specialism)?

Has senior management put in place appropriate incentives (or dis-incentives) to support the behaviours implied by a strong digital governance culture?

Has senior management endorsed clear and practical policies on the implementation of new digital tools and the use and protection of data, in particular: data theft/loss, code of conduct, use of personal devices and use of social media?

Is senior management promoting regular training and testing of the digital governance framework (social engineering or phishing tests)?

Is executive management included in cyber-testing (in particular internal phishing exercises)?

Does management systematically share the lessons learned from data breaches with all employees?

Does the risk function track external best practices in data management behaviours and promote them across the organisation?

Does management encourage a “speak up” mentality to report data loss incidents internally?

Is internal audit involved in data strategy discussions and project updates?

IT function

Is the IT function focused on delivering the tools to influence behaviours for secure management of data (sandboxes for email attachments, automated reminders for external emails, anti-virus, reporting of suspicious emails, password changes, regular back-ups…)?

Does the IT function have clearly defined responsibilities over digital governance, inventory management, and data classification processes?

Does the IT function consider all the regulatory and legal requirements and restrictions on data before moving applications to the cloud?

Does the IT function collaborate with the business to allocate the right resources to the development and maintenance of the digital eco-system?

Does the IT function consider all the dimensions of deploying machine learning and artificial intelligence applications (legal, technical, business...)?

Organisation stakeholders (employees, contractors, suppliers)

Are all stakeholders regularly trained and tested on data management and protection?

Are digital risks (including data protection awareness) included in the induction programme for new joiners at all levels?


Conclusion

Internal audit can have a proactive and enabling role in the assessment of the digital governance framework and its promotion across the organisation. However, this can only be achieved if internal audit has established working relationships with key stakeholders and decision makers who are shaping the digital eco-system of the organisation. Internal auditors must also demonstrate sufficient knowledge of the dynamic interactions between all the key building blocks of the digital eco-system of the organisation: technology, legal and regulatory, marketing and branding, culture, and business strategy. Developing a systematic approach and thorough analysis, based on the key questions in the table above, could be the first step to a value-added, insightful integrated digital governance maturity audit assurance engagement.


Further reading

Cyber risks

Cyber security | IT auditing and cyber security | Technical guidance | IIA

IT auditing and cyber security | Technical guidance | IIA

Cyber risk | Auditing business functions | Technical guidance | IIA

Mind the Gap: Cyber security risk in the new normal | Research reports | IIA

Recognising internal audit’s role in cyber risk | Technical blog | Technical guidance | IIA

Risk in Focus 2021: practical guidance on cybersecurity and data security | Technical blog | Resources | IIA

Data regulation/data protection

Data protection | Auditing business functions | Technical guidance | IIA

Data security in third party agreements | Auditing business functions | Technical guidance | IIA

Data breach incidents and response plans | Auditing business functions | Technical guidance | IIA

IIA Bulletin - International Data Privacy Day

Culture

Auditing culture | Organisational culture | Technical guidance | IIA

https://www.nao.org.uk/knowledge/digital/

https://www.gov.uk/government/publications/making-digital-work-12-questions-for-trustees-to-consider

Content reviewed: 1 December 2021