Technology governance: the role of the company secretary
CSj examines the key emerging technology issues relevant to Hong Kong businesses and looks at the role of company secretaries in ensuring the effective management of technology risks and opportunities.
From hacking to digital payments, technology issues have become mission-critical for corporations worldwide. Hong Kong is no exception as the WannaCry ransomware attack in May made very clear V at least 25 local computer systems were affected by this attack. Technology issues are in fact particularly relevant for companies with operations in China, which has one of the worlds most technology-conscious consumer bases.
Across the Asia-Pacific region, rapid digital transformations have encouraged more businesses to transfer their products and services onto online platforms to enhance accessibility, customisability and portability. Adopting new technologies can transform internal operations and achieve higher productivity and efficiency, but digital modernisation is not without risks. Information technology is ingrained in every part of business operations and many companies would grind to a halt if their IT system went down, says Ricky Cheng, Director and Head of Risk Advisory Services at BDO Ltd (BDO)in Hong Kong and a member of the Institutes Technology Interest Group.
Dependence on IT means businesses need a continuity plan in place, and the volume of electronic information now being collected, transmitted and shared requires companies to have a robust data-protection mechanism in place to protect sensitive information. Businesses nowadays operate in a hyper-connected ecosystem of consumers, third parties and other partners, Cheng adds. There are an endless number of points of failure that could lead to a compromised system. The old-fashioned perimeter-based security approach will no longer be sufficient and companies must take a risk-based approach.
Recent high-profile data breaches V such as the hacking of three billion Yahoo accounts and the theft of credit data from Equifax V have helped focus top management on technology risks. They have risen up the board agenda, says Gillian Meller FCIS FCS, Legal Director and Secretary at MTR Corporation (MTR), a member of Council, of the Institutes Company Secretaries Panel and Co-chair of the Institutes Technology Interest Group.
While hackers and ransomware are serious threats, there are many other technology risks that dont grab the headlines.
As data breaches become more common and more sophisticated, getting the right risk management system will become more challenging. The cybersecurity risk landscape is evolving rapidly, says Greg Bell, Global Cybersecurity Practice Co-leader at KPMG in Atlanta. Breaches are no longer a matter of if, but when and to what extent. [They] call for deeper V and perhaps very different V conversations in the boardroom today. Those conversations are likely to turn to the role of company secretaries and how they can mitigate the increasingly complex area of risk related to emerging technologies.
While IT departments might be directly responsible for ensuring the security of corporate data, the company secretary is the custodian of many types of records.
In light of rapid developments, the Institute has recognised the company secretarys increasingly important role regarding overall technology risks. In November 2016, the Institutes Technology Interest Group published its first guidance note, Technology and the company secretary, looking at a range of technological issues that company secretaries need to be aware of.
The guidance note examines the degree of responsibility that company secretaries have for technological issues, while acknowledging that there will be significant diversity between companies. Many larger companies, for example, will have a number of other executives specialising in IT-related issues.
While technological issues may not be considered part of the core duties and responsibilities of company secretaries, it is not an area company secretaries can afford to ignore. There are a number of technology risks that can have an extensive impact on a business, says Cheng at BDO. The company secretary is in a perfect position to drive the change from treating technology as an IT issue to recognising it as a board-level business risk.
For Meller at the MTR, that means looking at internal controls around cybersecurity to ensure IT and operational systems are protected. In addition, she is trying to ensure the company is plugged into the latest information and intelligence around cybersecurity. We need to be aware of new forms of attack, and look at how we are prepared and how to have our crisis management system in place.
Cheng believes the company secretary can contribute to many aspects of cybersecurity and information security governance, such as assisting in identifying sensitive data, user compliance training, and ensuring IT operations are in line with government regulations.
Technology risks are assuming greater importance globally among business executives, according to recent surveys. In September, the World Economic Forum reported that cyber attacks were ranked eighth among global concerns – the first time the issue had ranked in the top 10. The issue was rated as more concerning than inter-state conflict or terrorist attacks.
A joint survey by the Institute and KPMG published in July – Risk management: navigating change in Hong Kong – showed that cybersecurity was, for the first time, one of the top five risks for executives of Hong Kong-listed companies. It surveyed 197 Hong Kong-based senior executives, assessing the extent to which they have embedded risk management in their businesses.
Meanwhile, a 2016 survey showed that bankers in Mainland China foresaw IT-related risk as becoming their top concern, ahead of legal risk and decision-making risk, according to a survey published in February by the China Banking Association and PricewaterhouseCoopers China.
As these risks become more pressing, Hong Kong company boards, which have traditionally not been strong on technology expertise, are shifting from IT procurement to newer technologies, such as blockchain, artificial intelligence and virtual reality.
While board members may need training or assistance to fully understand and be able to provide oversight in these areas, there is more willingness to focus boardroom discussions on such issues. Whether the topic is a technology risk or opportunity, the key to engaging the board of directors and gaining their support is to align technology with the business, says Philip Miller ACIS, Assistant Company Secretary at The Hongkong and Shanghai Banking Corporation Ltd (HSBC) in Hong Kong.
Cheng agrees, noting that information security is not just about the technological aspect of the business. Effective governance requires a holistic approach that also encompasses people and processes, he says. The knowledge and awareness of the end user is critical as the human factor remains the weakest link when it comes to security.
Policies and procedures might only be effective when all levels of an organisation understand their roles and responsibilities. Information security is a shared responsibility across an organisation, observes Alan Lee, Advisory Services Executive Director at EY in Hong Kong. The board needs to support the efforts being made, and every employee needs to learn how to stay out of trouble by not opening suspicious emails or losing mobile devices.
For company secretaries, that could mean working with IT, compliance and audit teams to raise awareness of the subject matter, and to make up for the boards lack of technological prowess.
A company secretary should ensure technology issues make the boardroom agenda just like any other enterprise risk, Cheng at BDO insists. When technology items on the agenda require expertise that is not widespread on the board, the company secretary should suggest a pre-discussion takes place. That way, he adds, the boards knowledge can be brought up to a level in which an informed debate can take place or a decision can be made. A company secretary should seek ways to introduce a technology expert to the boardroom as a catalyst to support more meaningful discussions, Cheng recommends.
To effectively communicate the potential risks and rewards of new technologies, the company secretary has to be increasingly tech-savvy. Depending on the nature of the business and industry, the more company secretaries are aware of the technological trends relevant to their industries, the better they will become at identifying and advising on technology risks and opportunities, says Cheng.
However, less technologically adept company secretaries can provide meaningful input. Meller at MTR talks to her own team, the companys suppliers and other in-house counsel to stay at the forefront of technological change. Im a bit of a dinosaur and I force myself to get out there in order to be aware and able to assess, she says.
Cheng recommends networking among industry peers. A great way to stay informed is to be part of a technology ecosystem that allows exchange of information and feedback between other businesses within the industry, such as third-party providers, customers and regulators.
Communication is key, and even the most technologically competent company secretaries should advise their board in plain language. Translate technical information into understandable language that the intended audience can relate to and comprehend, Cheng recommends. Too often the board is presented with overly-technical reports, which are very difficult to decipher without a technical background.
The company secretary can help boards to understand technology. There is a role in coordinating induction programmes and ongoing training and development for directors so that the chief operating officer, or whoever is most appropriate, is able to provide briefing sessions to directors on the organisations technology, says Miller at HSBC. That can ensure directors are aware of and understand both new and emerging technology opportunities, as well as threats if the business doesnt adapt to take account of such technologies.
The good news is that technologys higher profile among boards has helped company secretaries raise the boards awareness of, understanding of, and ultimate responsibility for, technology-related issues. In terms of the top 10 risk areas, technology would be up there, says Meller at MTR. While cybersecurity is the dominant concern, the next highest issue is opportunities, she says.
Miller at HSBC, who is also a member of the Institutes Technical Consultation Panel and Technology Interest Group, points out that technology is becoming a core concern of companies in Hong Kong. Technology is becoming such an integral part of so many business models, or at least a significant contributor to operations and expenditure, that it will continue its current trend and become of equal importance to the management of an organisation as finance, sales and human resources, and will therefore command an equal share of the boards attention, he says.
One important factor is the realisation of the value of data. Effective management of cybersecurity and information security both heavily rely on a businesss ability to understand the value of its assets, whether they are data or physical assets, people, critical processes or functions, says Cheng.
The other piece of good news for company secretaries is that technology is making their roles more efficient. Miller at HSBC points out three main areas where technology has increased the efficiency of corporate secretarial departments:
- electronic statutory filing (e-filing)
- corporate information databases, and
- board portals.
Regarding e-filing, Hong Kong might have some catching up to do. Hong Kong is maybe behind other jurisdictions, such as the UK, in widely adopting the use of statutory e-filing, says Miller, noting that this has the potential to offer significant efficiencies to company secretaries statutory filing processes.
The impact of more advanced corporate information databases and board portal systems looks set to have a very significant effect on the work of company secretaries. With expanded functionality, the information that such databases contain about an organisation, particularly those with a significant number of subsidiaries, might be used by departments such as tax, finance, or the internal control functions, says Miller. I suspect that this is an area that will start to see more change.
Board portals have been the biggest area of technology growth for company secretaries in the past few years. Miller points out that the number of providers has increased, as has the usability of the systems. There are obvious benefits to using a board portal V for example ease of distributing papers, ease of use for directors, reduced use of paper, etc V but for Miller the most significant advantage is the upgrade in information security that portals offer. As the dangers of using email and other communication technologies have become more apparent, there is now very limited ability to send information securely outside of an organisations firewalls.
Board portals provide company secretaries with a invaluable tool for secure distribution of information which, in the current climate, would otherwise be very difficult to achieve with a comparable level of security. One can only assume that the usability and functionality of these systems will continue to develop to the benefit of both directors and the company secretarial teams using them, Miller says.
George W Russell
The guidance note, Technology and the company secretary, published by the Institutes Technology Interest Group, along with the joint HKICS and KPMG survey Risk management: navigating change in Hong Kong, are available from the publications section of the Institutes website: www.hkics.org.hk.