Continuing the CGj review of the Institute’s 13th Biennial Corporate Governance Conference, this article highlights the key takeaways from session two of the conference, offering insights into the risks and rewards of technological innovation.
The remit for the Institute’s corporate governance conferences (CGCs) is to be forward-looking and this year’s forum, delivering on that promise, addressed a number of frontier technology issues relevant to the governance profession. In particular, what are the potential risks that companies need to be aware of when adopting new technology? And how successfully have decentralised autonomous organisations (DAOs) been able to automate their governance frameworks using technologies like blockchain and smart contracts?
The rate of the adoption of new technology has accelerated globally since the beginning of the Covid-19 pandemic and Hong Kong has been no exception to this trend. The first speaker in session two, Adam Stuckert, Group Chief Digital Officer, Tricor Group, shared some of the ways that companies can help to ensure that technology upgrades deliver their expected benefits.
Ensuring close engagement between IT staff and the staff who will actually be using the new technology, he pointed out, is key. ‘This gives you insights from the bottom up on how technologies are actually used, and whether their implementation is delivering the expected benefits in all parts of the organisation,’ he said.
He also emphasised that upgrading technology is as much about achieving human change as it is about the technology itself. ‘It’s people and human systems that are tougher to change. I’ve implemented a lot of big systems, but the number one thing that influences whether the company is successful with the new technology is to what extent it accommodates human change,’ he said.
In this context, staff training is critical. ‘I would say at least 30% to 50% of the effort in a big technological change, whether you’re talking about digitising the boardroom or helping with workflows for corporate governance, is really about the human side. So you should allocate a lot of the time and budget of a project to that type of change,’ he said.
Finally, getting a new system in place is only the start. Regular monitoring of the system and its implementation needs to be put in place to ensure proper checks and balances. Overconfidence and overreliance on an IT system among directors and managers can expose an organisation to a huge amount of security risk.
The uses of ethical hacking
The further organisations progress in their digitalisation journey, the more ‘attack surface’ they have for cyber criminals. The second speaker in session two, Kok Tin Gan, Partner, PwC Hong Kong, shared some insights into how to build effective cybersecurity defences.
He started with a sobering assessment of the current cyber threat landscape. Put simply, cyber criminals have been developing increasingly sophisticated tactics and techniques to target organisations, and legal and regulatory regimes around the world have failed to keep up. Even where laws are in place to potentially deter and punish criminal activity, they tend to only have application in specific jurisdictions, which makes them next to useless in borderless cyberspace.
‘We all know that I don’t have to be in Hong Kong to hack a Hong Kong company. I can be overseas and, since there’s no borderless law, there’s no consequence. So the attitude of hackers is – catch me if you can,’ he said.
Add to this the devastating impact of cybersecurity breaches and you start to get a sense of why cybersecurity has rocketed up the agenda of directors, managers and governance professionals in recent years. ‘No one wants to wake up in the morning to find that all of the data on your office computer has been encrypted and will be deleted if you don’t pay the ransom,’ Mr Gan said.
On a more positive note, however, companies are not powerless to mitigate these risks and Mr Gan was the ideal guide on how to implement effective defences. He stressed that ‘ethical hacking’ – the simulation of real-life hacking scenarios to probe for weaknesses in company cyber defences – is the most useful technique to ensure your cyber defences are sound.
‘Hacking sounds negative to most people but, if you think about it, it creates visibility. Getting hackers to break into your system shows you what you need to fix. After a few iterations what do you get? You get a secure system,’ he said.
Another piece of good news is that, where commercial crime is concerned, cyber criminals tend to go for ‘low hanging fruit’, so companies often only have to ensure a basic level of cybersecurity defences to persuade the criminals to go after someone else. When it comes to other types of cyber crime, however, such as espionage, sabotage or hacktivism, defences need to be more sophisticated and Mr Gan emphasised that it is crucial to ensure that your organisation has the necessary cybersecurity expertise. He also stressed the need to ensure that your cybersecurity system is subject to regular monitoring. ‘Often companies are prepared to pay for cyber defences, but it is just as important to spend on detection,’ he said.
The Q&A at the end of session two further explored cybersecurity from the perspective of data privacy compliance. Ada Chung Lai-ling FCG HKFCG, Privacy Commissioner for Personal Data, Hong Kong, shared statistics relating to the prevalence of cyber attacks in Hong Kong in 2022. Statistics from the Office of the Privacy Commissioner for Personal Data show that such attacks comprised about 29% of the data breach incidents handled by the Office last year and over 600,000 Hong Kong citizens were affected by these incidents.
Ms Chung stressed that minimising the risk of cyber attacks and enhancing the competitiveness of a company in the longer term can only be achieved if a proper system is in place to protect the data in the company’s possession. To this end, she recommended the adoption of a personal data privacy management programme and the appointment of a data protection officer.
She also picked up on the point made earlier by Mr Stuckert that changing people’s mindsets is as important as getting the right technology. ‘Of the three core elements of the information security industry – people, process and technology – companies should put people first because it is people who run the system. Very often, I find examples of either overconfidence or overreliance on IT systems. Directors and managers sometimes think that they only need to implement the system without installing any proper checks and balances. Regular monitoring and proper risk assessment are fundamental, otherwise you will expose your organisation to a huge amount of security risk,’ she said.
Coding for governance?
There was also an extended discussion in the Q&A about the implications of technological innovation for the roles of directors and governance professionals. In particular, how far can governance frameworks be written into computer code? Dr Jag Kundi, Adjunct Professor, EMBA Program, City University of Hong Kong, highlighted the way blockchain technology provides a potential solution to the ‘agent/principal’ problem at the core of corporate governance theory. Directors, as ‘agents’, are supposed to act in the interests of shareholders (and now stakeholders) as ‘principals’. When conflicts of interest arise, however, can these ‘agents’ be relied upon not to put their own interests first?
‘Trying to establish trust between directors and stakeholders continues to be at the core of governance and this is why blockchain is so relevant because blockchain creates digital trust,’ Dr Kundi said. He added that blockchain and smart contracts have enabled the founders of DAOs to write pre-agreed governance frameworks into the DAO code.
In the Q&A, Panel Chair, Mohan Datwani FCG HKFCG(PE), Institute Deputy Chief Executive, asked for the panellists’ views on this issue – will the DAO model put directors and governance professionals out of a job?
‘As the former Registrar of Companies, and having been involved in the rewrite of the Companies Ordinance,’ Ada Chung said, ‘I’m quite against this concept as it runs against the fundamental principles contained in our company law. Under our company law, a company must be managed by a board of directors and assisted by professionals like governance professionals. Corporate governance starts with the board. Shareholders tend to look for shorter-term profits rather than the long-term interests of the company, so I cannot envisage leaving important responsibilities such as good corporate governance and good data governance in the hands of shareholders,’ she said.
She added that she recommends being prepared to embrace technological change, but the DAO model suggests a greater, not a lesser, need for governance professionals. ‘We need somebody to put the house in order,’ she said.
‘I think DAOs are a golden opportunity for all of us,’ Mr Gan said. He picked up on Dr Kundi’s comments about the way blockchain is creating digital trust. ‘Digital companies sell trust. When the top Fortune 500 technology companies release new products, the first thing they talk about is trust,’ he said. He added that a far greater number of trust features are being built into these companies’ products than 10 years ago and that has given them a competitive edge since that is what customers are looking for.
‘So for me, governance is not about compliance or about the cost of doing business, it is actually a key driver in making money. DAOs could be the greatest career opportunity for everyone here, especially if you’re in charge of corporate governance,’ he said.
Remaining ethically sound will be an important part of building trust with stakeholders for DAOs, or indeed any company incorporating emerging technologies into their governance and decision-making frameworks. Dr Kundi pointed out that, while blockchain technology has the potential to introduce greater fairness and more equality into agency/principal relationships, and while this may impact the number of governance professionals needed in the future, there is still one area where technology cannot replace human judgement – the need to make ethical decisions.
This is also relevant to the discussion of how artificial intelligence (AI) systems are implemented and developed. ‘Technology makes our lives very efficient. Where due diligence paperwork might take months to get a job done, AI technology can get it done in minutes or even seconds. But not everything can be digitised and we still need to build ethics into these systems. AI is a great tool that transcends nations, geographies and nationalities, but it is based on algorithms that don’t take into account fairness, equality and morality,’ he said.
Digitalisation is the way forward for all businesses, he added, but governance expertise will still be needed – particularly in determining how ethics interplays with new technology. ‘Ethics is at the heart of governance and ethics is also at the heart of being a governance professional,’ he said.