Public Boards Seek a Balance Between Innovation and Risk

Public boards are bullish on artificial intelligence and generative AI as new key levers for growth and are taking measures to seize opportunities while mitigating mounting risks, a new survey finds.

Directors realize “the full potential of technology deployment requires enhanced risk management, security, and compliance measures to safeguard their organizations and stakeholders,” according to the 2024 BDO Board Survey of nearly 250 public company directors.

Risk and innovation: a symbiotic relationship

At the same time, they are exercising caution, noting that innovation presents both a significant opportunity and risk.

Some 17% of directors indicated that “advancing the use of emerging technology is a top strategic priority, while lagging implementation of emerging technology (72%) is a top-cited risk,’’ according to the report. “Risk and innovation have a symbiotic relationship for directors, for whom the need to move quickly to keep pace with customer demand, competition, and stakeholder expectations must be finely balanced with robust risk management and oversight.”

The report notes that failing to adequately invest in either of these areas can potentially harm the other. This may explain why emerging technology (51%) and cybersecurity (41%) are among the top areas directors said will see increased investment in the year ahead, the BDO report said.

SEE: Will Power Availability Derail the AI Revolution? (TechRepublic Premium)

Progress on emerging technology implementation

As boards and management teams consider opportunities for incorporating generative AI into their businesses, the workforce may be ahead of them, the report noted, citing a global study by Microsoft, which found that 75% of knowledge workers already use AI at work.

The BDO survey reveals that:

• 23% of respondents are exploring what emerging technology can do and learning more about its risks and limitations.
• 16% reported actively training employees on emerging technology within their day-to-day work.
• 6% said they are not currently exploring emerging technology and have no immediate plans to do so.

Directors appear mixed on which business function may present the greatest opportunity for GenAI use cases. However, 31% of directors cited customer experience (16%) and product/service development (15%), indicating that the technology is viewed as a value-adding, top-line tool that organizations can use to capture growth and customer loyalty, according to the report.

“Research indicates early adopters have seen benefits from faster and deeper data analysis, which can support personalization and custom content in market outreach and aid in product improvement,’’ the report said. “Boards also see potential in leveraging generative AI to gain efficiency across back-office processes and key operations.”

Attention also focused on GenAI risks

Boards are also approaching GenAI with their eyes wide open, noting that they “have seen ample evidence that generative AI brings new risks.” Among them are widely reported hallucination incidents, where an AI output is incorrect or “entirely fictitious.” While some are relatively harmless, the report observed, others are potentially serious and can expose companies to fines, litigation, and reputational damage.

Among the greatest GenAI risks respondents cited were:

• Generation of and/or action upon incorrect information (19%).
• Inaccurate/biased inputs and/or output (16%).
• Data privacy violations (16%).
• Fear of job loss and damage to employee morale/loyalty (15%).

The BDO report supports the approach public boards are taking, noting that they “are right to simultaneously invest in emerging technology development and enhancements to risk management practices. Both of these should be in alignment with the organization’s strategy and in support of executable goals and objectives.”

The ability to successfully implement technology is the most in-demand skill or experience (31%) for directors to prioritize in 2025, as boards seek members whose expertise reflects their organizational goals, the report said.

Additional investments made in cybersecurity, data privacy, and governance

Over a third (37%) of director respondents indicated that they are changing the treatment of and approach to cyber risk from an “IT responsibility” to a “company-wide responsibility,” the survey found.

“To remain agile, companies need strong oversight, real-time understanding of and mechanisms for identifying and protecting against emerging threats, and continual monitoring programs to reduce the risk of a cyber crisis and mitigate damage and disruption should a breach occur,’’ the report advised.

Respondents indicated they are investing in additional protections and valuable expertise to safeguard their organizations, with 25% of directors pointing to cyber threats and incidents as the most significant risk to their business over the next year.

Additionally, 27% said cybersecurity is one of the most in-demand board skill sets, and 41% of directors plan to increase investment in cybersecurity, data privacy, and governance over the next year.

The regulatory environment is also top of mind, with 45% of directors saying they are pursuing an external assessment, such as a systems and organization control (SOC) for cybersecurity report or a maturity/gap assessment to further aid in organizational preparedness and program maturity. Further, 41% cited creating internal processes and improved communication channels to report on cyber risk management and cyber incidents as their focus.

Boards must remain proactive

In addition to the survey findings, BDO said their ongoing discussions with directors show that boards are continuing to invest in education and training on the evolving threat landscape — both at the leadership and company-wide levels. Specifically, they are engaging in company-specific scenario planning and conducting comprehensive vulnerability testing to keep risk awareness high.

The good news is that boards are “dialed in to the type and frequency of cyber information they receive from leadership, particularly the Chief Information Security Officer,’’ BDO said. “They want to know how to improve practices for monitoring the effectiveness of prevention and detection efforts along with responding and mitigating alleged or confirmed breaches.”

However, BDO recommends that companies continue to sharpen their activities regarding management and oversight disclosures, document actions undertaken, and further enhance stakeholder communication. The firm advised members to seek resources such as CISA’s “Shields Up” guidance for Organizations.