The New Riskonomy

Section 2:
Organisational vulnerabilities

C-suite and GCs believe their organisation’s internal processes and systems present the lowest level of technology risk, despite three of their top four concerns being internal challenges. Are business leaders miscalculating the risks associated with data management, digital skills gaps and misuse of generative AI, or is their confidence boosted by the perceived level of control they have over internal operations?

Riskonomy radar reading

Our Riskonomy Radar indicates that 74% of organisations are in the moderate or high risk range when it comes to managing their exposure to tech risk in internal systems and processes. This suggests that, although many business leaders may be cognisant of internal vulnerabilities, there is considerable room to revisit and improve current practices.

Key sources of internal risk include (but are not limited to)

Poor data management

Lack of employee training and digital skills

Insufficient policies relating to new technology and outdated technology

11%

High
risk range

63%

Moderate
risk range

26%

Low
risk range

C-suite and GCs admit that, when it comes to their data management capabilities, their organisation reviews relevant policies just once a year (41%) or does not carry out regular reviews (8%). And more than half only undertake an internal audit of their data management capabilities once a year (51%) while a further 11% do not perform an audit regularly.

Updating and reviewing relevant data management policies to keep up with changing legislation and best practice can be time-consuming and costly. However, as seen by the penalties for data privacy violations, neglecting to maintain hygienic practices can leave businesses open to more severe financial consequences. Organisations also risk lasting reputational damage, both with existing customers and with the wider public.

Expert perspectives

Data governance has been a long-standing issue for organisations. The size of the task seems daunting and, even though it is so important, thus can be deprioritised. Adding data governance to the “do later” list just perpetuates the problem. It is a lot easier to deploy a data governance structure and framework if you’re doing it from scratch, but that isn’t the reality for most organisations with huge amounts of legacy data. As the data sets grow, and their value and related risk increase, the need for effective data governance becomes both more important and more costly to implement.

The full life cycle of data also needs to be addressed as organisations need to be clear on what data is being collected, how it’s being used and how it’s being secured.

Scott Loughlin
Partner, Privacy & Cyber Security

Risks from poor data management will continue to increase until organisations invest in maturing their data management policies and processes and ensure that it's a constant conversation across its business operations. In this current environment, organisations have no choice but to take a proactive approach to handling their data, as well as their suppliers’ data. If you can get these fundamentals right, you reduce the cyber risks that can come from neglecting data management.

Jessica Hodkinson
Chief Legal Officer and Corporate Secretary, Panasonic USA

Where does your organisation sit in Gartner’s Data Governance Maturity Model?

9%

Effective

Utilising data and managing information is seen to provide a competitive advantage. The team responsible for data management is well-established and active.

13%

Managed

Data policies have been developed, initiated and are well understood. Data metrics are well-defined and accessible.

22%

Proactive

There is company-wide compliance with governance protocols. Data stewards and owners are identified and active.

20%

Reactive

Data quality processes are reactive. Policies have been created, but adoption is low.

27%

Aware

There is an awareness surrounding the need for standardised data policies and processes, but no clear ownership.

8%

Unaware

There is no data governance, data ownership, or accountability in place.

Expert perspectives

It is a bit of a grey area in terms of how often an organisation should be reviewing their data management and cyber response plans – but in reality, it should be an ongoing exercise. Data is now the most important asset that any organisation owns. Accepting the value of data is also accepting that there are legal implications in protecting that value. Your legal team can be a navigator for keeping data secure, maximising your use of it, and ultimately keeping organisations safe.

Joke Bodewits
Partner, Privacy & Cyber Security

The most important role for the GC in cybersecurity is to remain focused on the risk. That risk is informed by — and requires a nuanced understanding of — the technology deployed both by threat actors and our internal security teams. But the lawyer’s unique and critical contributions are to focus on how a security event or issue will be perceived by key internal and external stakeholders, to guide the technical teams in the development of a complete and defensible record, and to ensure that cybersecurity governance and reporting meet or surpass the ever-evolving expectations of our customers and regulators.

Robert Schmoll
Director, Deputy General Counsel, Cybersecurity & Data Lifespan, Intuit

Repositioning for success in a digital age

As the war for talent intersects with advancements in technology, it’s not surprising that two-thirds (66%) of C-suite and GCs distinguish digital skills as being important to their business strategy, and that a digital skills gap is the third-top concern related to technology-associated risk.

In today’s digital world, digital literacy and digital security awareness are essential skills, and there is a growing demand for competencies in coding, digital marketing, digital ethics, data literacy, cloud computing and AI. Across sectors, GCs and C-suite leaders believe that, on average, a fifth (21%) of their workforce does not currently have the digital skills to support their business strategy.

There is a strong relationship between those who identify digital skills as important to their strategy and those who think 20% or less of their workforce don’t have the skills required. C-suite and GCs are concerned about the biggest skills gap in their organisation belonging to IT (29%), marketing (21%) and sales (16%), while only 6% believe their legal department has the biggest skills gap.

Despite the technological focus of the new riskonomy, businesses still depend on people. Securing the digital skills that are most in demand – whether through recruitment, upskilling or acquisition – remains a crucial piece of a successful corporate growth strategy.

In which department in your organisation do you currently have the biggest skills gap?

Expert perspectives

There isn’t one standard approach for organisations when it comes to digital skills and upskilling. The specific requirements of an organisation will depend on their sector and strategy. But all organisations are experiencing a greater need for technical skills.

As a result, skills testing is now becoming a regular requirement within the interview process. But organisations also need to consider the DEI perspective when designing their interview process to ensure that the tests accommodate those who may have a disability, for example. The best organisations have already implemented these accommodations, but not all organisations are as advanced in their thinking.

Michelle Roberts Gonzales
Partner, Employment

The AI stalemate

Generative AI has the world on the cusp of systemic change. Content creation, medical imaging analysis, financial forecasting, product design and virtual customer service assistants are just some of the everyday touchpoints now being populated by virtual minds.

Allowing machines to carry out repetitive or technical tasks unlocks previously unimaginable efficiencies, releasing human experts to focus on complex and creative problem-solving. But legal teams need to be prepared for a new set of liabilities around ethics challenges, IP rights violations, data protection and factual inaccuracies.

A challenge of employing a digitally literate workforce is governing the use of new technologies while the respective risks and rewards are still being understood. Over three-quarters (78%) of C-suite and GCs say their organisation allows employees to use generative AI in their daily work. Almost two-thirds of these (62%) permit the use of publicly available generative AI tools, while 38% restrict employees to a bespoke generative AI system.

Expert perspectives

Corporations should be prepared for a focus by private plaintiffs on the intersection of AI and consumer protection, and resulting class action litigation, particularly in the U.S.. Take, for example, an AI-powered chatbot interfacing with your website visitors or customers. Is the chat bot making accurate representations and statements? Is it collecting data and other personal information from consumers? What does the organisation represent about its chat bot and its abilities or pitfalls?

Vassi Iliadis
Partner, Disputes

The technology risk landscape is only going to get more complex with continued innovations and tech developments. But organisations also need to utilise this and invest in AI-based compliance tools and technology that can help them review vast amounts of data - it’s the only way they’re going to be able to keep pace and engage at the level required.

Calvin Ding
Partner, Disputes

AI in the sky

Generative AI has been a central focus for many businesses even before the release of chatbots like ChatGPT. The technology relies on algorithms that allow users to generate outputs in the form of text, images, audio and video. In recent years, generative AI’s commercialisation has led to democratised access, allowing a wide range of people across different industries to take control over fast-paced innovation and productivity with no technical experience.

However, despite the positive impacts of the technology becoming more accessible, it also poses more business challenges around ethics and data security. It is for that reason that some firms have decided to embark on exploring more bespoke generative AI solutions – with many, opting to take advantage of retrieval-augmented generation (RAG) tools that provide a safer way for employees to both take advantage of advanced large language models.

Does your organisation allow employees to use generative AI in their daily work?

The majority of organisations allowing the use of generative AI are sensitive to its complications – irrespective of whether employees use bespoke or publicly available AI tools. Ninety percent of C-suite and GCs say there is guidance and/or policies in place to reduce the risks for the organisation.

However, of the business leaders in organisations that do not allow the use of generative AI tools, only 18% have implemented a policy to ban it. Two in five (39%) are cautious enough to have additional guidance in place despite disallowing the technology.

This leaves 43% of GCs and C-suite leaders working at organisations that do now allow the use of generative AI and who do not think additional policies are required.

Expert perspectives

No matter your approach, it is important that you have documented structure and governance to manage to the use of AI. Especially, when it comes to regulators in the U.S., organisations need to be able to provide a clear answer when asked how they have managed the risks associated with AI.

Vassi Iliadis
Partner, Disputes

As the technological development of generative AI continues, class actions are also set to increase in new areas. The increased exposure to generative AI may lead to consumers questioning whether they have been unknowingly exposed to generative AI content and claiming having thus been subject to unfair practices. Another scenario is that, similar to what we are already seeing with some businesses, consumers may bring claims for compensation for economic exploitation of their pictures, online content, data etc. through generative AI. Organisations need to try and get ahead of these developments where ever possible and have strategies and policies in place to protect themselves.

Matthias Schweiger
Partner, Disputes

Sustainable innovation: playing to win

Although emerging technology has its risks, investing in its future also creates opportunities. For example, although blockchain can introduce regulatory uncertainties around data privacy, it also provides enhanced security and transparency, and reduces the likelihood of being a target for cyberattacks.

Blockchain is a type of distributed ledger technology; a decentralised digital record of transactions across multiple computers, that provides transparency, security, and immutability without the need for intermediaries.

Financial services firms are leading the way with the use of this technology, being the most likely to be use blockchain (60%). Sectors falling behind with leveraging the technology were transport (25%), energy (26%) and manufacturing (33%).

With growing digitalisation in the financial services world, the industry is continuing to look for ways to instil greater trust and security – especially with the rise of digital currencies. Blockchain investment is already helping financial services firms to simplify compliance procedures, whilst providing tamper-proof records that reduce the risks of fraud and cybercrime.

Sector spotlight

Transparency and trust in transactions

Digital twins are another emerging technology with great potential for driving efficiencies. These are like-for-like virtual models of real-world products, systems or processes, created for testing scenarios and gathering data. Although digital twins can introduce vulnerabilities to data breaches or privacy violations if not securely implemented, they can enable predictive maintenance, optimise operations, and simulate scenarios for risk mitigation.

Although only 18% of business leaders say their organisation is currently using digital twins, 38% say their organisation is looking to invest in the technology, particularly for ESG purposes.

Leveraging virtual models presents significant opportunities for businesses to simulate real life scenarios that can provide essential, actionable insights. Business leaders recognise this; despite digital twins only being put to limited use at the moment, leaders in several sectors identify the technology as a key focus for future investment.

Currently, almost a quarter of those in the energy sector (23%), 21% in manufacturing, and 20% in life sciences are using digital twins. At the same time, 46% in manufacturing are looking to invest in digital twin technology to meet their ESG goals in the future, alongside 48% of leaders in tech and telecoms.

The least likely users of digital twins are in the transport sector, with only 12% saying that they use digital twins to help meet their ESG goals. And the data highlight that it’s unlikely that these organisations will be adopting the technology any time soon too, with only 27% expecting to focus on using the technology more in the future.

Sector spotlight

Investing in the future of emerging technology

Expert perspectives

To facilitate and encourage the adoption of and investment in emerging technologies, trust is key. A big part of building that trust will involve clients exploring legal questions like legal interpretation, regulatory applicability and enforceability of rights.

Jennifer Dickey
Partner, Disputes

Next chapter

Section 3: Risk openings
in the supply network

Read now

Chapters

Executive
summary

Read now

The Riskonomy Radar

Read now

Section 1:
Navigating the new risk economy

Read now

Section 2:
Organisational vulnerabilities

Read now

Section 3:
Risk openings in the supply network

Read now

Section 4:
Macro risk

Read now

Conclusion and recommendations

Read now

About this report

Read now