Beyond legal #6 : The great governance misunderstanding

The failure to differentiate between governance and management is not an academic debate. It is the root cause of companies finding themselves in crises, asking themselves "How on earth did we end up here?"

Tags: AI, Data Protection Maturity, Data Protection Leadership, Governance

Tim Clements

9/3/2025 | 7 min read


I so wish I could have thought up that diagram at the time, as I've since used it on numerous occasions to explain the "why, what and where" of governance, as well as the concept of key assets. I think it shows something extremely critical: that governance of any key asset cannot sit in isolation. In the diagram you can see governance of financial assets, HR assets and information and IT assets, among several others. Now remember this diagram is over 20 years old, from a time when AI governance was not "a thing." Towards the end of this post you'll find another diagram that shows where AI governance and (as featured in post #5) data governance belong.

A key takeaway here is that you can't just implement AI governance without doing some as-is analysis of existing governance structures. This is an upfront task, because how can you design and implement a governance framework for AI when you are not aware of how it needs to slot in, where it would overlap with existing structures, and so on?

These days many companies are struggling on parallel tracks: taming the power and expectations of AI, and the ongoing challenge of data protection. Unfortunately, the same confusion has re-emerged. You are no doubt aware of the flood of AI governance certifications and frameworks. On LinkedIn, leaders share insights about "governing their data." But if you look carefully enough, what they're almost always describing is management rather than governance.

It's not just a case of semantics. To use a naval analogy, it’s the difference between steering the ship and stoking the engine. And unfortunately right now, I get the impression that many ships are sailing full steam ahead with no one on the bridge asking where they're going.

The boardroom versus the engine room
Let's look at what was drummed into me back in 2012, because I find it's crystal clear:

Governance is the domain of the board and executive leadership. Its purpose is to Evaluate, Direct, and Monitor:

  • Evaluate: They assess stakeholder needs, the business environment, and strategic options. They ask things like: "What are our goals? What is our risk appetite? What are our ethical red lines?"

  • Direct: They set the strategic direction through prioritisation and decision-making, allocating resources to align with that vision. They say, "This is the direction we will take. These are our priorities."

  • Monitor: They oversee the company's performance and compliance against the direction they set. They ask, "Are we achieving our objectives? Are we operating within our stated principles?"

Management is the responsibility of the operational layers of the company. Its purpose is to Plan, Build, Run, and Monitor.

  • Plan, Build, Run: They take the strategic direction from the governance body and create the plans, build the solutions, and run the day-to-day activities to achieve the company's objectives.

  • Monitor: They monitor the performance of processes and services, reporting results back up to the governance body.

In simple terms, governance asks "Are we doing the right things?" while management asks "Are we doing things right?" Governance is about stewardship, whereas management is about execution. (Of course, the actual terms will vary depending on the governance framework you're using.)

Data protection governance
In the data protection space, this distinction is also important.

Data Protection Governance is when the board might discuss (obviously depending on context):

  • "How does our approach to B2B client data protection support our brand promise of being a trustworthy partner?"

  • "What is our corporate risk appetite concerning the use of personal data for new product development?"

  • "Are we investing sufficiently in data protection to use it as a competitive advantage in our markets?"

  • "How do we respond to global geopolitical events that impact our DEI initiatives?"

Whereas Data Protection Management is more around:

  • Operationalising a process to handle data subject requests

  • Implementing a tool to support GDPR Art. 30 requirements for a RoPA

  • Ensuring contextual education and training has ongoing focus across all relevant groups of employees

  • Embedding triggers in operational processes and procedures that prompt DPIA considerations

Both are essential. But a company that excels at processing data subject requests without board-level discussion around data ethics is a ship with a highly efficient engine that could be sailing in circles.

The certification trap
Now, let’s talk AI, where the speed and scale of AI development has exacerbated the governance/management confusion and made things quite dangerous, especially when you consider that some of the large global certification bodies are already getting it wrong. A controversial statement, I know, but the potential impact is that hundreds, if not thousands, of companies around the world are implementing "AI governance" that will ultimately fail.

For example, I believe it is incorrect to label training on AI risk management, covering things like bias testing, model validation, and threat modelling, as "AI Governance." This is worrying, and a critical error, because that is AI Management. It's the "doing things right." These are all extremely important activities, but they are not governance.

Proper AI Governance occurs when the board and C-suite tackle fundamental questions that have no easy technical answer:

  • Evaluate: "Should our company use generative AI in roles that were previously human-centric, like customer support or therapy? What are the ethical implications for our customers and society?"

  • Direct: "We will not develop systems that create deepfakes for political advertising, regardless of legality or profitability. This is our ethical boundary."

  • Monitor: "Is our use of AI creating unforeseen societal impacts? Are the outcomes aligning with the values we set out at the beginning?"

When a certification course teaches you how to implement a fairness toolkit for a machine learning model, it's teaching you management. When a board debates whether to deploy that model in a high-risk scenario like credit scoring or hiring in jurisdictions where strong AI regulation exists, that is governance.

What many companies are unfortunately doing is creating a false sense of security that allows the execs to believe governance is "handled" by a technical team, when in fact no one is steering the ship.

The competency to govern
As in previous posts in this series, I want to anchor specific non-legal competences, because this really is the point behind my "beyond legal" series. What I have described so far is not just a theoretical model. It's reflected in professional skills frameworks, including the SFIA framework that I've referenced often in this series so far. SFIA defines a specific high-level skill called Governance (GOVN).

It's worthwhile taking a look at the description for GOVN, as it includes:

  • "Directs the definition, implementation and monitoring of the governance framework to meet organisational obligations under regulation, law, or contracts."

  • "Provides leadership, direction and oversight for governance activities. Integrates risk management into frameworks, aligning with strategic objectives and risk appetite."

  • "Secures resources required to execute activities to achieve the organisation’s governance goals with effective transparency."

  • "Provides assurance to stakeholders that the organisation can deliver its obligations with an agreed balance of benefits, opportunities, costs and risks."

This is the language of direction-setting, strategic alignment, and stakeholder influence. It is distinct from management skills like Project Management or Business Process Improvement. The board will not be concerning themselves with wrangling or preparing data, or packaging models.

Governance requires a different mindset. A mindset that is focused on long-term value, ethics, and accountability, not just project tasks, or how to conduct a fundamental rights assessment.

As you may have gathered from my posts over the years, I like to visualise, and a model I often use in my workshops illustrates that corporate governance should be the encompassing framework, with governance of corporate assets within that. Management executes within those frameworks and provides feedback (typically through monitoring and reporting) that allows the governance body to re-evaluate and re-direct as needed. My own model resembles the diagram below, but to give credit where it's due, you'll find this diagram in "Defining organizational AI governance" authored by Matti Mäntymäki, Matti Minkkinen, Teemu Birkstedt & Mika Viljanen. You can download the article here:
https://link.springer.com/article/10.1007/s43681-022-00143-x#Sec2

Corporate governance, IT governance, AI governance and data governance venn diagram

Again, it's an excellent diagram that speaks volumes.

The failure to differentiate between governance and management is not an academic debate. It is the root cause of companies finding themselves in crises, asking themselves "How on earth did we end up here?" Mind you, the answer could well be that the managers were expertly executing a strategy that the governors never consciously set!

Conclusion
It's time for many governance leaders to look themselves in the mirror and recognise their strengths and shortcomings, especially if they see their roles as very challenging or difficult, or have never established governance in a company before. Acknowledging that you require help from others will avoid failure later on. As I say often, data protection and AI governance are both team sports.

So, if you are up for it, I challenge you to ask this in your own company: Who is doing the governing for data and AI? Who is asking the difficult, strategic "should we" questions?

If the answer is "a legal assistant" or "our lead data scientist," then it's pretty certain that you don't have a governance function; you have managers. And, as mentioned earlier, while their work is vital, they are managing the "how." The responsibility for the "what" and the "why" belongs much closer to the boardroom.

Purpose and Means is a niche data protection and GRC consultancy based in Copenhagen but operating globally. We work with global corporations, providing services with flexibility and a slightly different approach to the larger consultancies. We have the agility to adjust and change as your plans change. Take a look at some of our client cases to get a sense of what we do.

We are experienced in working with data protection leaders and their teams in addressing troubled projects, programmes and functions. Feel free to book a call if you wish to hear more about how we can help you improve your work.

Corporate and key asset governance

With two decades working in the Governance, Risk, and Compliance (GRC) space, you see patterns emerge. One of the most persistent, and I would go as far as to say dangerous, is the confusion between the terms governance and management. Although I had read a couple of books about governance beforehand, and managed a few GRC projects, it wasn't until 2012, whilst studying for a governance of enterprise IT certification, that I first encountered the distinction in formal terms. I remember the initial course in London where the instructor, Geoff Harmer, drummed this into me and my fellow participants, and it fundamentally changed how I viewed technology governance. Geoff retired 7-8 years ago, but he was a fountain of knowledge in the GRC field.

It was also where I came across the excellent books written by Peter Weill and Jeanne W. Ross, from which the diagram below is taken. It's copied straight from their book "IT Governance," published in 2004, and I can see I haven't included the original credit, which is MIT Sloan School CISR. Take a few minutes to study it.