Risks and Governance Basics

Digital risk is the potential for loss, harm, or failure arising from the use of digital technologies, digital data, or digital processes. Organisations need a consistent vocabulary for digital risk before they can manage it. Without a shared taxonomy, risk registers become inconsistent and boards receive incomplete pictures.

Five categories cover the majority of digital risk in UK organisations. The Uber incident spans all five, which is why it is an instructive starting point.

Cyber risk encompasses unauthorised access, data breaches, ransomware, and denial-of-service events. In Uber's case: credentials stolen from a GitHub repository gave attackers access to an AWS environment holding 57 million records. The ICO reported 3,952 personal data breach notifications in the first half of 2023.

Data risk covers the handling, retention, and accuracy of data assets. Uber's 57 million affected records included driver licence numbers and personal contact details. The GDPR notification obligation that Uber violated existed precisely because regulators recognised data risk as distinct from cyber risk.

Operational risk covers process and people failures that affect digital services. Uber's concealment required its bug bounty programme to process a payment outside the programme's legitimate scope. That is an operational process failure.

Regulatory risk is the risk of non-compliance with laws and regulations. UK GDPR requires breach notification to the ICO within 72 hours of becoming aware. Uber failed to notify for 12 months. The GBP 385,000 fine was the direct regulatory risk materialising.

Reputational risk is the risk that an organisation's standing with users, partners, and regulators is damaged. The concealment decision compounded the breach's reputational damage: the story became "Uber covered up a breach" rather than "Uber suffered a breach." Both are damaging; the cover-up is harder to recover from.

Three frameworks are most widely adopted for digital and IT governance in UK organisations. Each addresses governance at a different level of detail and for a different audience.

COBIT 2019 (Control Objectives for Information and Related Technologies), published by ISACA, is the most thorough governance framework for enterprise IT. It organises governance and management objectives into two domains. The governance domain covers Evaluate, Direct, and Monitor (EDM). The management domains cover Align, Plan and Organise; Build, Acquire and Implement; Deliver, Service and Support; and Monitor, Evaluate and Assess. COBIT 2019 introduced design factors that allow organisations to tailor the framework to their size, regulatory environment, and risk profile.

ISO/IEC 38500:2024 provides high-level principles for corporate governance of information technology. ISO/IEC 38500 is intentionally brief and principles-based, written for boards and senior leaders rather than technical practitioners. Its six principles are:

1. Responsibility: individuals and groups understand and accept their responsibilities
2. Strategy: organisation's IT strategy aligns with business objectives
3. Acquisition: IT acquisitions are made for valid reasons, on appropriate evidence
4. Performance: IT is fit for purpose in supporting the organisation
5. Conformance: IT complies with all mandatory legislation and regulations
6. Human behaviour: IT policies and practices respect human behaviour

NIST Cybersecurity Framework 2.0, published in February 2024, added a sixth function specifically for governance. The framework now has six core functions:

1. Govern - covers organisational context, risk management strategy, roles and responsibilities, policy, and oversight. New in CSF 2.0; places cybersecurity governance at board level.
2. Identify - understand the assets, data, and risks that need managing.
3. Protect - implement safeguards to limit or contain a cyber incident.
4. Detect - identify the occurrence of a cyber incident in a timely way.
5. Respond - take action regarding a detected cyber incident.
6. Recover - maintain plans for resilience and restore capabilities after an incident.

Adding Govern as a first-class function signals that cybersecurity governance is a board-level responsibility, not a technical one. The NIST CSF 2.0 Govern function directly addresses the Uber scenario: had Uber's incident response plan included clear escalation and disclosure obligations, the concealment decision would have required overriding documented governance controls.

Three concepts are frequently conflated. They overlap but are distinct disciplines, and treating them as interchangeable creates governance gaps.

IT governance covers how technology investment decisions are made, how IT resources are deployed, and how technology performance is assessed. COBIT 2019 and ISO/IEC 38500 are IT governance frameworks. IT governance was designed for an era when technology supported the business from behind the scenes: it managed back-office infrastructure that enabled business processes to run. One consequence of underinvesting in governance is accumulation of technical debt - systems that continue operating but become increasingly expensive and risky to maintain or change.

Data governance covers how data is defined, owned, classified, quality-assured, and controlled. It answers specific questions: who owns this dataset, what does this field mean, how long is this data retained, who can access it. The UK GDPR requires documented accountability for personal data processing. Data governance is the organisational structure that makes GDPR compliance possible, not just the legal obligation itself.

Digital governance is broader than either. It covers how digital products, services, and platforms are governed as business assets: their risk management, commercial terms, compliance obligations, and alignment with organisational strategy. A bank whose primary channel is mobile banking cannot rely on IT governance frameworks designed for back-office infrastructure. The Uber incident required digital governance at executive level because the decision involved data risk, regulatory risk, reputational risk, and a product decision (whether to continue operating normally after a breach). None of those decisions fit neatly into IT governance or data governance alone.

The UK Corporate Governance Code, published by the Financial Reporting Council (FRC), places ultimate accountability for material risks with the board of directors. The 2024 edition of the Code strengthens board accountability for risk and resilience compared to its predecessor.

Boards of UK premium-listed companies face four specific obligations regarding digital risk. First, they must understand the organisation's principal digital dependencies: which systems, platforms, and third parties support important business services, and what the failure scenarios are. Second, they must satisfy themselves that controls are proportionate to the risk, not merely confirm that controls exist. Third, they must disclose material digital risks substantively in annual reports, not just name them. The FRC monitoring reports have repeatedly noted that risk disclosures are too generic to demonstrate genuine board engagement. Fourth, they must ensure sufficient digital expertise is accessible to the board to enable informed challenge.

Risk appetite for digital risk must be measurable to be actionable. An appetite statement reading "we have a low appetite for cyber risk" cannot be used to make an investment decision, set a control threshold, or determine whether a specific incident is within or outside tolerance. Measurable thresholds specify the parameters: maximum acceptable downtime per year (e.g., 99.9% availability = 8.7 hours annually), maximum acceptable data breach notification rate, maximum third-party concentration in any single cloud provider.

Third-party risk arises from digital dependencies on suppliers, cloud providers, and SaaS platforms. When an organisation's digital service depends on a third party's uptime, availability, and security posture, the third party's failures become the organisation's operational incidents. Poorly negotiated contracts can also create vendor lock-in, where switching providers becomes prohibitively expensive - concentrating both commercial and operational risk in a single supplier.

The SolarWinds compromise in late 2020 is the definitive supply chain risk case. Attackers compromised the build process for SolarWinds Orion, an IT monitoring tool used by approximately 18,000 organisations including US federal agencies and multiple FTSE 100 companies. A malicious update was digitally signed by SolarWinds, making it indistinguishable from a legitimate update. Organisations that had verified SolarWinds as a trusted supplier received a verified update that installed a backdoor.

SolarWinds illustrates why supply chain risk cannot be managed by vendor approval alone. A vendor that passed all due diligence checks in 2019 was compromised at the build level in 2020. The National Cyber Security Centre (NCSC) published Supply Chain Guidance specifically in response to SolarWinds, establishing a framework for assessing supplier security beyond initial approval.