Continuing the coverage from the April edition, we cover more highlights from #AGS23.
Protecting the data
“I feel like we’re living in a fever dream,” said former Australian Human Rights Commissioner Edward Santow, acknowledging that while technological advancements have enabled businesses to generate insights from large data sets, there have also been instances where AI has caused harm to people, especially in countries where it is being used in a repressive way.
Santow stressed the importance of mindful decisions in terms of regulation and how companies order their work in regard to AI, to avoid the consequences of going down a damaging path.
“We have these simultaneous visions,” he said. “Some of them are utopian, about how technology is doing amazing things. It’s enabling us to generate insights from large data sets in ways we were never able to do in human history. That’s enabling all kinds of business and other opportunities. At the same time, there are really dystopian visions that present to us. You can see how countries like China are using it in a very repressive way. But even in countries like our own, there have been terrible ways in which AI has caused real harm to people.”
In order to harness the power of AI and other modern technologies, boards need to put in place a cybersecurity plan for five to 10 years.
Angelina Gomez GAICD, director of the Digital Law Association, said boards need to look at putting in place safeguards and procedures to achieve what is needed. “You need an emergency procedure about what happens if something goes wrong with cybersecurity and hackers. And not just cybersecurity as it is now, but you need to plan for five to 10 years, which involves dealing with quantum cryptography. How do you protect data and information that you are going to use in AI in the age of quantum, which is five to 10 years away? It’s not that long.”
Professor Anton van den Hengel, director of the Centre for Augmented Reasoning at the Australian Institute of Machine Learning, agreed that Australians need to invest in cybersecurity, and that it is related to, but also different to AI’s unique complexity for boards. “We have a model in Australia where we try to buy AI by the kilogram,” he said. “The truth is, AI is changing the way we do business. It’s completely changing the business landscape and it’s particularly globalising the business landscape. If you don’t have AI expertise on the board, then it’s going to be very difficult to cope with the changes, but also to see the opportunities.
Gomez emphasised that while AI can be a valuable tool for directors, it is not a substitute for their fiduciary duties to act in good faith and loyalty. “With ChatGPT, what are you using it for? Where is that information coming from and what is the end result? For example, if you use it to create an advertisement for your company, are you breaching someone’s intellectual property? Who owns the intellectual property at the end?”
She described the issues for boards as urgent. “When you’re using AI, you have to know why you are using it and what you’re using it for. Once you know that, you can put guardrails in place.”
Potential for discrimination
Discrimination remains front of mind as an AI issue for Santow, who highlighted the problem of algorithmic decision-making and how it can perpetuate past discriminatory practices, particularly in the banking sector. “Those machine learning systems have learned from those previous decisions where women were finding it really difficult to get a loan, and it’s like reawakening a beast, right? It’s the beast of discrimination from many years ago,” said Santow.
Although it is illegal for a bank manager or an algorithm to discriminate, the enforcement of the law is only now starting to catch up, according to Santow. This underscores the importance of addressing discriminatory practices in all areas of society, whether through regulations or through technological advancements.
However, while Gomez warned that boards must be mindful of potential legal issues such as intellectual property violations and discrimination, the potential upside could be significant if boards think of AI as a tool.
“The predictive nature of AI is excellent,” said Gomez. “You can streamline your supply chain, deal with ESG issues and modern slavery issues because you can input huge amounts of data, get the predictive coding, use IoT (internet of things) and blockchain to verify all that information. And as a board, you have made sure that you have a protected supply chain. That’s just one example.”
She emphasised that AI can process and analyse vast amounts of data that humans cannot, but that the human element of discretion and decision-making must not be eliminated.
The revolution is over
Van den Hengel pointed out that the recent excitement around ChatGPT is not a new phenomenon, as machine learning has been used by consumers in daily tasks for at least a decade through platforms like Google, Facebook, Maps and Uber. “The truth is that this isn’t a revolution that’s happening now,” he said. “It’s a revolution that’s happened. We’re in the middle of it. The impact is being felt now and it’s wonderful that we’ve reached the point where the technology is a bit more accessible.”
Van den Hengel noted that despite the precedent, Australia is missing out on opportunities to capitalise on technological advancements such as integrated circuits, solar panels and AI research — and is way behind in owning its technological sovereign capability.
“Most of the nations we compare ourselves to have invested at a rate per capita that would be in the billions of dollars in Australia,” he said. “We have been very strong participants in technology, very big in developing integrated circuits... but we have let that advantage go overseas. We were very big on solar panels, but we let that advantage go overseas. We are quite good at AI research in this country, but we are just letting that opportunity go overseas.”
Many nations Australia views as technological equals have invested in research funding, but we lag behind countries such as South Korea, Vietnam, Singapore, Canada, the UK, France and Germany, he added. “Australian research funding in this area is almost non-existent. The challenge for us is that this process will continue. It’s happening in farming right now, it will happen in mining. We need to prepare as a nation. We need to have our own sovereign capability — and to have the conversation before it’s too late.”
Cyber threat landscape
Managing cyber risk isn’t particularly different to managing any other risk a board has to deal with — and directors already have the necessary skills, Kathleen Bailey-Lord FAICD told this year’s AGS. Bailey-Lord, a non-executive director of Alinta Energy, Melbourne Water and Datacom, said directors should already have the skills required for enterprise risk management and can apply them to cybersecurity. However, there is one key difference — the cyber threat is relentless and so many of an organisation’s opportunities are anchored in the use of technology and digital.
Any director who doesn’t understand an answer they’re given by a cybersecurity expert should ask the question again. “Tell them to speak in plain language,” she said. “Just pursue it, because tech is not that complicated. You don’t need to know how it works, you need to understand its impact.”
CEO of the Cyber Security Cooperative Research Centre Rachael Falk MAICD agreed that cybersecurity is a risk management issue and said each organisation’s risks are unique.
“The value of your data, where it’s held across the world, who’s protecting the systems and how well. You’ve got to have that audit.”
Falk noted the best thing a director can do for their organisation’s cybersecurity is to conduct intrusion exercises, where an external expert tries to penetrate the company’s cyber defences.
The panel said directors should draw on cybersecurity frameworks, including the Essential Eight promoted by the federal government, but Bailey-Lord warned against them turning into a tick-the-box exercise. Instead, they should prompt directors to think through and identify potential blind spots where the risk lies.
From 17 August, organisations involved in 13 different classes of critical infrastructure will be required to have a critical infrastructure risk management program (CIRMP) covering cyber and information security, personnel security, physical security and supply chain security.
Australian Cyber and Infrastructure Security Centre head Hamish Hansford said companies won’t be required to report their CIRMP to the government, but boards will have to make an annual attestation about the risk management program. The government’s requirements will be a baseline — but one that Hansford encouraged companies to exceed.
Cyber literacy challenge
Speaking at #AGS23, Dr Jane Lute noted an unacceptable degree of cyber illiteracy has been allowed to persist among board directors internationally.
Directors owe a duty to the companies they serve, their workers and the public to understand the vocabulary and concepts around cybersecurity, said Dr Jane Lute, former deputy secretary of the US Department of Homeland Security.
That differs from other areas of board responsibility such as finance, supply chain and operations, where there is a high degree of literacy. There is a myth that cybersecurity is too complicated for non-technologists and there is no contribution that board members can make.
“We need to get over it and get out of our own way, frankly, in playing a responsible role as board members,” said Lute. “The myth is that the IT folk, the technologists, they’ve got it, and if they had a problem, they would let us know. Most of the time, the IT folk can’t get to board members, and that has got to change.”
She added that board members need to devise a program for effective engagement, beginning not only with the questions they should they be asking, but the answers they should be listening for.
“Boards need to put themselves on a 12 to 18-month cadence of looking over the cybersecurity landscape, understanding how business processes map to the IT and in the major systems in place.”
They should ask themselves and their cybersecurity experts five key questions to get a sense of the health of the cybersecurity of their organisation. These are:
- Do we know what’s connected to our networks and systems?
- Do we know what’s running on those networks and systems — or what’s trying to run?
- Do we have a handle on who has permission to wander around our networks, have access to databases and make changes to those databases, to our systems, to our settings?
- Do we have automated systems in place to detect anomalies when they occur and alert us to remedial action that needs to be taken? It’s not good enough to have those systems or to have logs if they’re not checked regularly.
How would you demonstrate that to us, for each of the above questions?
“By doing this, the board shows that it, in turn, is willing to step up and play the role it is supposed to play in this space,” said Lute.
In a session on geopolitical challenges for companies, the audience heard how Australia is caught in the middle of increasing tensions between the US and China — one an ally and one a major trading partner.
“There is a great deal of risk that sits around our governance, our politics, our policy and our business,” said Prof Caitlin Byrne, pro vice- chancellor (business) at Griffith University. “There are a number of issues facing business leaders in how we navigate what is an increasingly challenged, contested, rivalrous relationship.”
Neither the US nor China have any domestic political incentive “to make nice with each other” and Australian interests are not considered in that, said Darren Lim, senior lecturer at the Australian National University’s College of Asia and the Pacific. Tensions between the two nations create risks that Australia will have to deal with and geopolitical decisions by them will reverberate around the Asia-Pacific and affect Australia as much as anyone, he said.
Lim noted China still represents opportunity for Australian business, quoting a McKinsey executive as saying, “China is the new China.”
“What businesses must think about is the rise of political or geopolitical risk, so if you’re going to go in, you need to be very aware of what can go wrong,” said Lim, adding that businesses need a contingency plan. Risks include a possible Chinese invasion of Taiwan and ongoing territorial and maritime disputes in the South China Sea, and companies need to do the due diligence and dig into the nature of these risks.
“It’s a pessimistic take, but it has to be sitting alongside the embrace of opportunity,” said Lim. The AUKUS alliance — a security partnership
between Australia, US and UK — might help to deter an invasion by China, but it comes with economic costs. “That doesn’t mean all economic opportunities get lost, but it means you can’t take for granted that they will be there indefinitely,” said Lim.
One Australian who might be able to influence the US-China relationship is former prime minister Kevin Rudd, recently appointed ambassador to Washington. Although he is respected as a China expert, it will be hard for his audience to know when he is speaking as an ambassador for Australia and when he is speaking as a China expert, said Lim.
Dr Erin Watson-Lynn, founder and MD of public affairs consultancy Baker & York Australia, has a “real problem” with the Pacific, because while Australia has spent 30 years investing in the relationship with Asia, it hasn’t done the same in the Pacific.
With its ageing population, Australia has a great opportunity to draw on the younger population of India for sectors such as health and education, said Watson-Lynn, adding that this depends on getting immigration settings right.
The big picture
Former federal Attorney-General and Health Minister Nicola Roxon GAICD noted that business needs a better appreciation of the complexity and breadth of issues governments face. “Business shouldn’t go to government to say, ‘Fix my problem. This is the one thing I care about and why won’t the government fix my problem? Therefore, it’s a failure if it doesn’t.’ We can’t get good government if every tiny different group just wants their issue fixed.”
Businesses would be more effective in advocating for what they want from government if they understood there was always a big picture and considered the whole environment, not just their particular problem, said Roxon, chair of super fund HESTA and the Victorian Health Promotion Foundation (VicHealth) and a non- executive director of retirement living developer Lifestyle Communities.
Melinda Cilento GAICD, CEO of the Committee for Economic Development of Australia, said that directors often have to make complex choices and rarely believe there is only one right decision. However, political commentary tends to focus on the one “right” decision governments should make that will cure everything.
Former WA Treasurer Ben Wyatt GAICD agreed, saying that the conversations about issues and policy in the media were “very binary”. Politicians are under pressure to deliver a line for public consumption on some very complex issues. Governments can float big ideas, but they very quickly get reduced to winners and losers, and politicians are left responding to those immediate issues rather than being able to look 20 years ahead.
In response to a question about transparency, Wyatt said there is a lot of transparency in government and politicians are disclosing and declaring to several different institutions. Whereas, public company directors face the scrutiny of an annual meeting once a year. “That’s parliament every day,” said Wyatt, now a non-executive director of APM, Rio Tinto and Woodside Energy.
A key issue is how to get the public sector and the private sector to work better together, because it’s unreasonable to expect that all expertise will reside in government agencies.
Roxon said that when business leaders are asked to sit on a government panel or inquiry, or to contribute to policy in some way, they should make sure they’re clear about what they’re being asked to do. “People seem to be surprised sometimes that ministers or governments have the ability to appoint or dismiss people in various processes,” she said. “Finding out what the set-up is before you say yes is probably a good idea. Knowing whether you’re giving advice and that’s just an input to decision-making. People often think once they’ve opined on something, that it’ll just be implemented. That’s really how things happen.”
She is concerned there is a reticence among businesspeople to get involved with government. “The expertise in this room and around board tables and in business is amazing. And being able to find part of your working life to contribute to public policy is really rewarding. It means the decisions are better.”
At the Getting on with the Job: Addressing Australia’s Workforce Challenges AGS panel, Australian Industry Group CEO Innes Willox AM said that the skills shortage issue will continue to be the primary concern for businesses throughout the year. Digital skills will dictate much of the workforce potential. “There’s no doubt that 80 per cent of the jobs of the future are going to have some digital component,” he said.
When asked about the preparedness of universities and education systems to address these workforce challenges, Willox referred to difficulties imposed by COVID-19. The pandemic has forced universities to rethink their operations and outcomes, leading to a renewed focus on producing graduates who are “work-ready”.
Liz Jakubowski, digital director at Jobs and Skills Australia, said modernising Australia’s skillset is a keen area of interest for her, following her work on CSIRO’s Ribit platform, a digital matchmaking service connecting STEM students with businesses. “It’s another area of competitive advantage for us,” she said.
Answering an audience question about workplace ageism, she noted the wide age gap between young software programmers and data analysts and their more seasoned counterparts.
Lawrence Goldstone MAICD, lead partner of PwC’s Future of Work agenda and OzHarvest chair, said businesses are beginning to recognise the value of mature workers. “There’s a huge opportunity. We’ve got five generations working alongside each other, and untapped potential in that mature aged workforce to re-enter. Eight of the 10 skills of the future as announced by the World Economic Forum are soft skills, harder skills to acquire.”
Those include resilience, creativity and problem-solving, which older generations can offer the new workers of the modern environment. “What an opportunity if we can connect them in around apprenticeships, on-the-job learning, re- entering through providing meaningful work.”
Jakubowski underscored a shift in thinking about the durability of traditional tertiary qualifications, “We used to have this mindset that you’d go to university, come out with your degree and have skills with a currency of about 10 years,” she said. “Obviously, there was continuing education, which you’d do to skill up. But that’s getting shorter and shorter. When you actually finish a course at university these days, you’re lucky if your skills have a shelf life of about three years. That means you have to rethink how you evolve your career as you’re going through life.”
Willox pointed to eye-opening work as part of the Australian Universities Accord, a collaboration between tertiary institutions and industry stakeholders, to help determine what the future of education should look like in order to meet the needs of employers. “I always remember in about 2018 speaking to all the deans of the 41 business schools, where I had to advise them that one of their key tasks, apart from research and teaching, was actually to produce students who could work at the end of it,” he said. “That seemed to take some of them by surprise.”
Noting the potential for greater partnership between universities and vocational education and training providers, Willox said there is an opportunity to create more flexible pathways for students, which combine theoretical and practical learning, ultimately producing graduates with greater “workability” to meet the needs of industry.
Purpose and impact
The panel session on impact in the NFP sector heard there has been a decline in public trust following the revelations from the various royal commissions into different parts of the sector.
Lynelle Briggs AO GAICD, the former Aged Care Royal Commissioner, said the decline was unsurprising and directors need “to think seriously about what we’re doing and how we’re doing it, and consider areas for reform”.
Patricia Faulkner AO, chair of Jesuit Social Services and of the Commonwealth Bank’s CEO advisory panel, said it’s difficult to show impact when an organisation is working with extremely disadvantaged people in the way Jesuit Social Services does.
Faulkner outlined the approach that the charity (founded 45 years ago to help resettle men coming out of prison) took when it decided to start measuring its impact in 2019. “The board asked itself, what is our hypothesis about the people we are serving? And hence, what will we measure?”
The charity operates on the hypothesis that most human beings are held in a web of supportive relationships that sustain them to have a good life. But for the people it supports, this web is broken. The charity works to restore them to a set of supportive relationships in communities that support them. “We then built a whole set of indicators, which is called our impact,” said Faulkner. “And a way of working. Our workers actually have to report on all those things.” Briggs, also a non-executive director of Goodstart Early Learning, outlined the approach at the NFP childcare centre and kindergarten. It developed standards that Goodstart could be measured against and collected information about the children to whom it is trying to deliver the best-quality early learning.
“It’s taught us a lot about the quality of our services or, indeed, where our services are lagging behind in quality,” said Briggs. “That’s upped our game enormously, because we’ve then focused on not only the average lot of services doing fine and moving up but, in particular, those services that aren’t doing as well.”
As the head of the Royal Commission into Aged Care Quality and Safety, she found there was insufficient evidence the providers of services really understood care itself, in part because their boards lacked the medical expertise. The commission recommended there be a care governance committee on all boards of aged care service providers, which would increase the understanding of clinical care and raise its status.
Jesuit Social Services did a similar thing after it realised that reports about incidents at the charity were going to the audit committee, which was “a bit terrified by them because they were used to doing financial stuff”, said Faulkner. As a result, the charity set up a people, practice and development committee.
This article first appeared under the headline 'Protecting the Data' in the May 2023 issue of Company Director magazine.
Already a member?
Login to view this content