Board Governance over Transformation and Tech Operations, Cybersecurity and Data Governance, and AI

Jojo Aquino, FICD, Melo Alcala, FICD,

and Armand Cacacho, FICD

Institute of Corporate Directors

Transformation is a long-term effort to create new value for customers, employees, and stakeholders. While technology is a good part of it, transformation is ultimately a people-change activity. It requires investment in people, capital, and time for oversight. It has to align with long term strategy. Board governance means: set transformation and maintenance directions, ensure discipline in the change process and hold management to their benefits promises, attention to stability of operations and cybersecurity, and oversight to mitigate risks. With AI in the wings (or front and center), board governance must also include ensuring that company data and systems are ready for machine learning initiatives.

Digital Transformation and Technology Operations

The Board exercises oversight over technology activities that impact the strategic objectives and long term viability of the company.

Digital Transformation programs are long term/multi-year initiatives to build capability that unlocks new value for customers, employers, shareholders, and other stakeholders. The board needs to hear the proposals, require benefit commitments from executives, approve investments, and ensure that risks are identified and mitigated.

Digital transformation is about enhancing the capability of people. It typically has 4 streams of initiatives: people, process, culture, and technology. It should be clear what success looks like so that the organization moves together.

Transformation is best done and led by internal leaders and experts. People skills in business, technology, and AI need to be invested in. Business people can be cross posted across units, into IT, and analytics teams; IT people should be good in business. High potential personnel should be trained in AI foundational disciplines: statistics, linear algebra, calculus, and machine learning.

Lastly, technology platforms should be stable, collect data for use in new applications and predictions.

Should the Board of Directors have a representative in the multi-year program's management board? Yes. Should the Board get monthly program status reports via a new committee or to the Risk Mgt Committee? Definitely.

The second area for the board is to ensure the stability of the technology platform. This includes IT organization, people competency and succession, stability and flexibility of the operating systems tools and hardware, maintenance and enhancement of the applications. The board can validate adherence to industry standards for quality and service management.

The ultimate concern of the board is mitigation of risks to service delivery.

Cybersecurity and Data Governance

Cybersecurity and data governance are now boardroom issues. They are not just IT problems or compliance checklists. For company directors, especially in the Philippine business environment, the goal is to make sure the organization understands its most important systems, protects its critical data, and is prepared to respond when something goes wrong.

A strong board does not need to know every technical detail. What matters is asking the right questions. Directors should know who is accountable, what risks are most serious, which data and systems are most valuable, and whether management has a clear plan to reduce those risks. The board’s role is to guide, challenge, and make sure management can back up its answers with evidence.

The topic also shows that cybersecurity and data privacy go hand in hand. A company cannot protect data well if it does not know what data it has, where it is stored, who can access it, and how long it should be kept. Good data governance helps reduce the damage from cyber incidents and supports compliance with Philippine privacy requirements.

Another important takeaway is that boards need a common language for cyber risk. Frameworks such as the NIST Cybersecurity Framework help directors talk about cyber oversight in practical terms: how the company governs risk, identifies what matters, protects key assets, detects threats, responds to incidents, and recovers after disruption.

This topic highlights several areas that deserve close board attention, including identity and access controls, third-party vendors, cloud services, ransomware, employee awareness, breach reporting, backups, recovery planning, and cyber insurance. These are not purely technical topics; they affect business continuity, customer trust, reputation, and legal obligations.

Finally, the board should expect clear and useful reporting. A good cyber and data governance dashboard should not overwhelm directors with technical jargon. It should show what has changed, what is outside risk appetite, what actions are overdue, who owns the issue, and what decisions the board needs to make.

In the end, the message for directors is this: do not settle for reassurance. Ask for evidence. Ask what the company’s most important data and systems are, whether key controls are working, whether the company can respond under pressure, and whether investments are truly improving resilience.

The board’s most powerful question is often: “Show us the evidence.”

AI

AI is no longer just a technical tool; it is a fundamental shift in how business operates globally. For board directors, this means overseeing AI as both a core strategic asset and a critical risk factor. Establishing ethical frameworks is now paramount to ensuring long-term trust and regulatory compliance. Directors must proactively address data privacy, algorithmic bias, and transparency in AI systems. When governed with foresight, AI becomes a powerful engine for competitive advantage and innovation. Staying ahead of evolving global AI regulations is a vital component of modern fiduciary duty.

Success requires fostering an AI-ready culture that starts with leadership from the top down. Because this landscape moves fast, continuous learning is essential for effective board oversight.

As corporate governance warriors, we must build a future of responsible and strategic AI governance.

"