The Director’s Dilemma – April 2022 Edition
Contribution by Hansjörg Meine, is the Managing Partner at AltoPartners Germany - Alto Consultants GmbH. Hansjörg was an executive member of various leadership teams at IBM, T-Systems and SPIRIT/21 and has lead a pan-European team of experts for the automotive industry with deep expertise in the areas of PLM, Logistics, Mobility Services, Sales & Aftersales, Telematics and Diagnostics
This edition of the newsletter was first published on The Director’s Dilemma website and the full newsletter is available for viewing here. To subscribe to future editions of the newsletter, click here
The Director’s Dilemma - April 2022
This month we look at how a board of ‘non digital-natives’ can bring a strategic approach to governing their organisation’s information and data.
Qi’Ra was appointed a couple of years ago to a government sector board that oversees a wide range of community initiatives. Her background is in social service delivery. Other directors have backgrounds in health, accounting, education and commerce. However, they are all ‘mature’ and none of them has grown up as a digital native.
The company has moved a lot of service delivery and engagement online. This has included development of products that can be delivered online, records about people (including sensitive financial, educational, medical and physical information), payment gateways and links to other government and community websites.
The board is aware that they have a duty to ensure the appropriate development and security of the company’s digital assets. They have undertaken some training on the new cyber-security regulations. However, they are not sure that they are up to the task of building a strategic framework for the development of digital assets in a balanced structure. What they have is really a result of ad hoc development. What they want is a way to make sense of that and then to develop a plan for continuing to build in a strategic fashion.
How can Qi’Ra’s board lead when they have never themselves ventured into this territory?
The problem Qi’Ra faces is a fundamental one, which very often occurs when business requirements grow faster than the necessary operational and technological framework conditions. The migration from previous “analog discrete” processes to digital and sometimes disruptive processes, can often be implemented with simple means, so that quick successes become visible.
However, the perception that a quickly built website with corresponding order and customer management works, tempts one to think that one can move on to the next problem before a real blueprint has been created for a solid technological basis that meets both the future functional scope and the necessary technological security, especially against the background of processing personal data. Unfortunately, such systems grow faster than the “hardening” of the underlying infrastructure. The result is the well-known data breaches and successful cyber-attacks.
Since QiRa and her colleagues see the need for data security measures but cannot describe, evaluate and implement them themselves in any way, it is high time for a “make or buy” decision. Either setting up their own data & security organization or outsourcing to a suitably competent service provider who can take on these tasks comprehensively.
In view of the European General Data Protection Regulation (GDPR), the Board bears the ultimate responsibility for taking all practicable measures to protect personal data.
In the current case, I would recommend the involvement of an external service provider, because setting up one’s own organization takes too long to be able to solve the current challenges in the short term and to avoid potential damage to the company through data loss and negative press.
Qi’Ra’s board is not alone in facing this challenge; it is good that they are honest in admitting that they are challenged by it.
An excellent start is looking at their stakeholders and asking management to draw up a spreadsheet of their various needs. Work out who needs what from the company.
Then they need to consider each stakeholder group separately and ask, ‘how will they benefit from moving to digital service provision?’. This should be followed by a process of investigation (sanity checking) to make sure that her board’s ideas, and those of the management team, are shared by the stakeholders.
This process should also uncover the willingness and ability of stakeholders to make the move online. What are the impediments to digital service delivery? How can they be overcome? If management don’t have the skill or time to do this work, a consultant can be brought in to help.
Only now can the board, management, and any consultants, sit down and work out what services to provide digitally, how these services combine or compete with physical delivery, and write the strategy.
Once strategy is in place the board should oversee implementation and ensure budgets and timelines are kept. They also need to ensure that stakeholders get the benefits envisaged.
Finally, the board needs to step back and consider what digital information they now hold, what hardware is it located on and what risks need to be managed, what software is it written in and how will they keep it up to date, and who has access and how will they ensure that only authorised access is obtained.
Good luck Qi’Ra and enjoy the learning process.