March 17, 2025
3 min read

AI in governance: Opportunities and challenges for modern boards

At our recent Breakfast Briefing, "Governance Transformed: AI’s Impact on Boards and Governance Leaders," we brought together board members, company secretaries, and governance professionals to explore the transformative potential and challenges of integrating artificial intelligence into boardroom practices. Led by experts Dr Leanne Allen, Richard Anderson, Michael Charles Borrelli, and Paul Johnston, the session offered valuable insights into how AI can enhance governance, risk management, and compliance. Here, we explore takeaways from the session, focusing on the risks and challenges associated with AI in the boardroom.

AI opportunities in boardrooms

Our panel of experts shared numerous opportunities for significantly enhancing boardroom operations through AI. Here are some actionable insights based on their perspectives:

Reduced risk through proactive management: AI can enhance risk management by providing real-time data and predictive analytics. As Dr Allen highlighted, "The risk level of an AI drives the way you treat it." By implementing AI tools that can identify potential risks before they escalate, boards can take proactive measures. For example, AI can analyse vast amounts of data to detect patterns and anomalies that might indicate emerging risks, allowing boards to act swiftly and mitigate potential issues.

Streamlined meeting documentation for increased efficiency: AI can significantly enhance the speed and accuracy of recording meeting minutes, ensuring that all critical points are captured without the need for manual transcription. This not only saves time but also minimises the risk of human error. Through automating the minute-taking process, AI categorises and summarises discussions, making it easier to review and reference past meetings, improving overall meeting efficiency as a result.

Better performance insights for informed decision-making: AI can provide real-time insights into director performance, which can be used for board evaluations and individual director assessments. This enhances the integrity and real-time nature of reporting. Johnston emphasised:

"There is definitely an obligation on us to understand what risks these platforms potentially expose the board to." — Paul Johnston, Associate Director, One Advisory

By using AI-generated insights, boards can make more informed decisions and improve overall governance. AI can also track key performance indicators (KPIs) and generate reports that highlight areas for improvement, ensuring that directors are held accountable and their contributions are accurately assessed.

Data-driven decisions for strategic analysis: AI can support decision-making by providing data-driven insights and recommendations. For instance, AI algorithms can analyse market trends, financial data, and other relevant information to help boards make strategic decisions. By leveraging AI to support strategic decision-making, boards can analyse relevant data and receive actionable recommendations, leading to more informed and effective governance.

Challenges in AI adoption

While the opportunities for AI in governance are compelling, the challenges of AI adoption in boardrooms are equally significant. Here are some key points to consider:

Improved AI literacy through training: Board members must understand the technology and its implications to use it effectively. Anderson highlighted this point, stating, "There's a degree of nervousness around the ability of some of the AI to accurately interpret." To address this, investing in training programmes to enhance AI literacy among board members is crucial. This includes understanding how AI works, its potential benefits, and its limitations. Dr Allen emphasised, "Education is key… understanding what AI is, what it isn't, and a little bit about how it works."

Balanced decision-making with AI and human judgement: One of the key risks is the over-reliance on AI, which can lead to a loss of critical thinking skills. Borrelli emphasised this risk:

"We need to be really careful of not becoming over-reliant on AI, i.e., outsourcing all of our critical thinking." — Michael Charles Borrelli, Director, AI & Partners

To ensure robust decision-making, it is important to maintain a balance between AI assistance and human judgement. Boards should encourage members to critically evaluate AI-generated insights and consider multiple perspectives.

Ethical data use with clear guidelines: Data privacy and the potential misuse of AI-generated information are significant concerns. Boards must ensure that data is used ethically, and that AI-generated summaries of board meetings or minutes are not misused. Establishing clear guidelines and protocols for data usage and privacy is essential. This includes implementing robust data protection measures and ensuring compliance with relevant regulations.

Reduced bias through regular audits and diverse data: AI systems can sometimes exhibit biases based on the data they are trained on. Boards need to be aware of this risk and take steps to mitigate it. Regularly auditing AI systems for bias and ensuring that diverse data sets are used for training can help minimise biases and ensure fair outcomes.

The current state of AI in boardrooms

AI is gradually making its way into boardrooms, bringing with it a sense of cautious optimism. It is increasingly seen as a valuable tool to enhance governance and decision-making. One of the key benefits of AI is its ability to provide real-time information and improve transparency, especially in compliance and regulatory changes. However, it is crucial for boards to ensure that their education on AI aligns with their strategic goals and regulatory requirements:

"Data cannot be used as an excuse for not using AI. AI is today good enough to deal with any kind of data in any form."

This highlights the readiness of AI technology and the need for boards to embrace it while being mindful of the associated risks.

Charting a new course with AI in the boardroom

AI in the boardroom is a powerful tool that can drive business success and enhance governance. However, it requires a balanced approach, with a focus on education, ethical use, and continuous learning. By addressing these challenges, boards can harness the full potential of AI to make more informed and effective decisions.

Learn more about how AI is transforming corporate governance in our comprehensive guide. Discover how AI simplifies preparation, tracks performance, and enables data-driven decisions for your board and committee meetings. Download now to see how forward-thinking boards are leveraging AI.

Joanne McMaster
Regional Vice President, Sales
March 17, 2025
5 min read

Preparing for Provision 29: Leveraging technology to drive robust internal controls assurance

Provision 29 of the UK Corporate Governance Code is arguably the most significant change introduced as part of the Code revisions announced in January 2024. It requires boards of in-scope organisations to make an annual declaration on the effectiveness of material internal controls. This is an expansion and refinement of the requirements of the previous Code, which required boards to monitor, review and report on financial and operational controls. Now boards must:

“Monitor the company’s risk management and internal control framework and, at least annually, carry out a review of its effectiveness. The monitoring and review should cover all material controls, including financial, operational, reporting, and compliance controls. The board should provide in the annual report:
• A description of how the board has monitored and reviewed the effectiveness of the framework;
• A declaration of effectiveness of the material controls as at the balance sheet date; and
• A description of any material controls which have not operated effectively as at the balance sheet date, the action taken, or proposed, to improve them and any action taken to address previously reported issues.”

While framed by the Financial Reporting Council (FRC) as an evolution rather than a major change, the reality for most in-scope organisations is that Provision 29 requires considerable work across several domains. They must:
• Evaluate enterprise risk and devise a process to identify the most material controls;
• Extend scope to cover compliance and reporting controls;
• Design or expand their control monitoring and remediation environment;
• Determine how they will provide assurance to form the basis of the declaration.

Commentators have suggested that organisations need to find the “golden thread” linking company strategy and CEO priorities with underlying risks, and mapping them to the controls needed to ensure the business has the strongest chance of achieving its goals. By determining material risks, their associated controls (which by definition will be material controls), and designing an environment that draws those threads together, they will be able to deliver oversight and assurance. However, this is not easy.

A critical planning and test period for Provision 29

Provision 29 comes into effect in January 2026, meaning 2025 is a critical period for planning, designing and testing the frameworks and processes needed. The aim should be to meet obligations without creating an unnecessarily heavy administrative burden. There are several challenges to overcome, including:
• Mapping principal risks to strategy, identifying material risks and their associated controls.
• Engaging a broad spectrum of stakeholders on enterprise risks and controls across what are typically siloed business units.
• Designing or improving the controls environment to ensure material controls are effective.
• Designing and implementing a consistent approach to monitoring, evaluating and reporting internal controls effectiveness.
• Achieving assurance that links directly and demonstrably to the controls monitoring framework.

Technology may have been used to support some of these areas in the past, but it is often applied inconsistently between departments. It is also often deployed on a standalone basis, lacking integration with wider business intelligence systems, and manual data entry can introduce inaccuracies that reduce confidence in the system’s integrity. As the organisation prepares its response to Provision 29 requirements, now is an excellent time to explore how investing in integrated governance, risk, and compliance (GRC) technology that supports automated processes can increase control framework maturity and its associated assurance across the business.

Internal controls framework maturity: How GRC technology can help

An important early step on the road to Provision 29 assurance is to determine the organisation’s position on the control framework maturity curve below:

The business may be at different stages for different risk and control areas. For example, processes for identifying the scope and materiality of financial risk, and related material internal controls for financial reporting are likely to be more mature than those for recently identified non-financial material risks and controls. Levels of documentation and internal audit assurance may also vary between the different material risks identified. When these are all managed in different IT systems and departments, each with a different approach to monitoring and reporting, gaining a clear picture is difficult. Furthermore, to achieve any maturity greater than the basic “undefined” level, it is crucial that processes are centrally developed and consistently applied by all stakeholders – and are repeatable. This is where integrated GRC technology has considerable advantages over manual processes and standalone point solutions.

How Diligent One draws the threads of GRC together to deliver robust assurance

The Diligent One GRC platform is tailor-made to help businesses identify, prioritise, and manage enterprise risk effectively, linking it to the underlying controls and internal audit procedures that provide the assurance needed by the board so directors can make a confident Provision 29 declaration. In addition to advanced governance and board management capabilities, it includes:
• Enterprise Risk Management (ERM) solution: Supports the business to map principal material risks to strategy with risk identification and prioritisation workflows based on the ISO31000 risk standard. Creates repeatable processes for risk identification, scoring, tracking and remediation.
• Internal Controls: Curates a single catalogue of risk and control matrices, including related control documentation such as narratives and process flows, for financial and non-financial controls. Generates automated alerts to control performers reminding them to perform the control. Provides first line control attestation workflows. Supports second line control testing workflows and includes automated control testing.
• Internal Audit: Provides internal audit planning and third line risk assessment capability. Automated audit workflows to reduce team burden. Allows consolidation of risk and control ratings across the three lines of defence.

Crucially, these ERM, internal controls and internal audit capabilities are integrated into a single user-friendly dashboard giving comprehensive oversight of risk management, controls and assurance data. This can be communicated to the board whenever needed, providing an ongoing picture of performance, rather than just a point-in-time snapshot. Automation is supported throughout to reduce the burden on teams and enhance data accuracy, which in turn supports transparency and confidence.

By implementing a unified GRC tool like the Diligent One platform, businesses can:
• Build a clear, comprehensive narrative around risk, control and assurance that delivers assurance to the board.
• Design a realistic, achievable action plan to increase internal controls framework maturity.
• Eliminate information siloes while building relationships between stakeholders in audit, risk and internal controls throughout the business.
• Utilise automation to reduce the administrative burden of managing risk while increasing stakeholder engagement.
• Ensure consistency and repeatability of risk collation, analysis and management.

This will create an appropriate, effective response framework for meeting the requirements of Provision 29, underpinning the final declaration with clear evidence. It also provides a strong foundation on which to base continuous improvements in internal controls maturity.

Want to learn more? Discover all the significant changes introduced in the 2024 U.K. Corporate Governance Code, focusing on director accountability, risk management, internal controls and board leadership, by downloading our U.K. Corporate Governance & Audit Reform report.


© 2025 Diligent Corporation. All rights reserved.