
Beyond legal #6 : The great governance misunderstanding

The failure to differentiate between governance and management is not an academic debate. It is the root cause of companies finding themselves in crises, asking themselves “How on earth did we end up here?”

I so wish I could have thought up that diagram at the time as I’ve since used it on numerous occasions to explain the “why, what and where” of governance, also the concept of key assets. I think it shows something extremely critical, and that is, that governance of any key asset cannot sit in isolation. In the diagram you can see governance of financial assets, HR assets and Information and IT assets, among several. Now remember this diagram is over 20 years old when AI governance was not “a thing.” Towards the end of this post you’ll find another diagram that shows where AI governance and (as featured in post #5) data governance belong.

A key takeaway here is that you can’t just implement AI governance without doing some as-is analysis of existing governance structures. This is an upfront task because how can you design and implement a governance framework for AI when you are not aware of how it needs to slot in, avoid overlaps, and so on.

These days many companies are struggling on parallel tracks: taming the power and expectations of AI, and the ongoing challenge of data protection. Unfortunately, the same confusion has re-emerged. You are no doubt aware of the flood of AI governance certifications and frameworks. On LinkedIn, leaders share insights about “governing their data.” But what they are almost always describing, if you look carefully enough, is management rather than governance.

It’s not just a case of semantics. To use a naval analogy, it’s the difference between steering the ship and stoking the engine. And unfortunately right now, I get the impression that many ships are sailing full steam ahead with no one on the bridge asking where they’re going.

The boardroom versus the engine room

Let’s look at what was drummed into me back in 2012, because I find it’s crystal clear:

Governance is the domain of the board and executive leadership. Its purpose is to Evaluate, Direct, and Monitor:

  • Evaluate: They assess stakeholder needs, the business environment, and strategic options. They ask things like: “What are our goals? What is our risk appetite? What are our ethical red lines?”

  • Direct: They set the strategic direction through prioritisation and decision-making, allocating resources to align with that vision. They say, “This is the direction we will take. These are our priorities.”

  • Monitor: They oversee the company’s performance and compliance against the direction they set. They ask, “Are we achieving our objectives? Are we operating within our stated principles?”

Management is the responsibility of the operational layers of the company. Its purpose is to Plan, Build, Run, and Monitor.

  • Plan, Build, Run: They take the strategic direction from the governance body and create the plans, build the solutions, and run the day-to-day activities to achieve the company’s objectives.

  • Monitor: They monitor the performance of processes and services, reporting results back up to the governance body.

In simple terms, governance asks “Are we doing the right things?” while management asks “Are we doing things right?” Governance is about stewardship whereas management is about execution. (Of course, the actual terms will vary depending upon the governance framework you’re using).

Data protection governance

In the data protection space, this distinction is also important.

Data Protection Governance is when the board might discuss (obviously depending on context):

  • “How does our approach to B2B client data protection support our brand promise of being a trustworthy partner?”

  • “What is our corporate risk appetite concerning the use of personal data for new product development?”

  • “Are we investing sufficiently in data protection to use it as a competitive advantage in our markets?”

  • “How do we respond to global geopolitical events that impact our DEI initiatives?”

Whereas Data Protection Management is more around:

  • Operationalising a process to handle data subject requests

  • Implementing a tool to support GDPR Art. 30 requirements for a RoPA

  • Ensuring contextual education and training has ongoing focus across all relevant groups of employees

  • Embedding triggers in operational processes and procedures to trigger DPIA considerations

Both are essential. But a company that excels at processing data subject requests without board-level discussion around data ethics is a ship with a highly efficient engine that could be sailing in circles.

The certification trap

Now, let’s talk AI, where the speed and scale of AI development has exacerbated the governance/management confusion and made things quite dangerous, especially when you consider that some of the large global certification bodies are already getting it wrong. A controversial statement, I know, but the potential impact is that hundreds, if not thousands, of companies around the world are implementing “AI governance” that will ultimately fail.

For example, I believe it is incorrect to label training on AI risk management covering things like bias testing, model validation, and threat modelling, as “AI Governance.” This is worrying, and a critical error, because that is AI Management. It’s the “doing things right.” They are all extremely important activities, but they are not governance.

Proper AI Governance occurs when the board and C-suite tackle fundamental questions that have no easy technical answer:

  • Evaluate: “Should our company use generative AI in roles that were previously human-centric, like customer support or therapy? What are the ethical implications for our customers and society?”

  • Direct: “We will not develop systems that create deepfakes for political advertising, regardless of legality or profitability. This is our ethical boundary.”

  • Monitor: “Is our use of AI creating unforeseen societal impacts? Are the outcomes aligning with the values we set out at the beginning?”

When a certification course teaches you how to implement a fairness toolkit for a machine learning model, it’s teaching you management. When a board debates whether to deploy that model in a high-risk scenario like credit scoring or hiring in jurisdictions where strong AI regulation exists, that is governance.

What many companies are unfortunately doing is creating a false sense of security that allows the execs to believe governance is “handled” by a technical team, when in fact no one is steering the ship.

The competency to govern

As in previous posts in this series, I want to anchor specific non-legal competences, because this really is the point behind my “beyond legal” series. What I have described so far is not just a theoretical model. It’s reflected in professional skills frameworks, including the SFIA framework that I’ve referenced often in this series so far. SFIA defines a specific high-level skill called Governance (GOVN).

It’s worthwhile taking a look at the description for GOVN, as it includes:

  • “Directs the definition, implementation and monitoring of the governance framework to meet organisational obligations under regulation, law, or contracts.”

  • “Provides leadership, direction and oversight for governance activities. Integrates risk management into frameworks, aligning with strategic objectives and risk appetite.”

  • “Secures resources required to execute activities to achieve the organisation’s governance goals with effective transparency.”

  • “Provides assurance to stakeholders that the organisation can deliver its obligations with an agreed balance of benefits, opportunities, costs and risks.”

This is the language of direction-setting, strategic alignment, and stakeholder influence. It is distinct from management skills like Project Management or Business Process Improvement. The board will not be concerning themselves with wrangling or preparing data, or packaging models.

Governance requires a different mindset. A mindset that is focused on long-term value, ethics, and accountability, not just project tasks, or how to conduct a fundamental rights assessment.

As you may have gathered from my posts over the years, I like to visualise, and a model I often use in my workshops illustrates that corporate governance should be the encompassing framework, with governance of corporate assets within that. Management executes within those frameworks and provides feedback (typically through monitoring and reporting) that allows the governance body to re-evaluate and re-direct as needed. My own model resembles the diagram below, but to give credit where it’s due, you’ll find this diagram in “Defining organizational AI governance” authored by Matti Mäntymäki, Matti Minkkinen, Teemu Birkstedt & Mika Viljanen. You can download the article here: https://link.springer.com/article/10.1007/s43681-022-00143-x#Sec2

[Diagram: Venn diagram of corporate governance, IT governance, AI governance and data governance]

Again, it’s an excellent diagram that speaks volumes.

The failure to differentiate between governance and management is not an academic debate. It is the root cause of companies finding themselves in crises, asking themselves “How on earth did we end up here?” Mind you, the answer could well be that the managers were expertly executing a strategy that the governors never consciously set!

Conclusion

It’s time for many governance leaders to look themselves in the mirror and recognise their strengths and shortcomings, especially if they see their roles as very challenging or difficult, or have never established governance in a company before. Acknowledging that you require help from others will avoid failure later on. As I say often, data protection and AI governance are both team sports.

So, if you are up for it, I challenge you to ask this in your own company: Who is doing the governing for data and AI? Who is asking the difficult, strategic “should we” questions?

If the answer is “a legal assistant” or “our lead data scientist,” then it’s pretty certain that you don’t have a governance function; you have managers. And, as mentioned earlier, while their work is vital, they are managing the “how.” The responsibility for the “what” and the “why” belongs much closer to the boardroom.

Purpose and Means is a niche data protection and GRC consultancy based in Copenhagen but operating globally. We work with global corporations, providing services with flexibility and a slightly different approach to the larger consultancies. We have the agility to adjust and change as your plans change. Take a look at some of our client cases to get a sense of what we do.

Author
Tim Clements
Tim Clements is Business Owner of Purpose and Means, a data protection and GRC consultancy based in Copenhagen, operating globally. He helps data protection and GRC leaders simplify complexity into actionable strategies, providing tools, training, and support to engage and influence across the organisation. Tim is a Chartered Fellow of the BCS (British Computer Society).
