
Competitive manufacturers need tech governance

 

Executive summary

 

To stay competitive, manufacturers are expanding their use of technology. However, many lack strong governance for their technology strategy and solutions. That means they can fail to identify digital risks or underinvest in areas like cybersecurity and data oversight.

 

As manufacturers expand and extend their digital transformations, they need to develop technology governance across the enterprise. That requires cross-functional collaboration and a phased approach which builds from policy to resilience, providing a foundation for potential automation. By establishing technology governance early, manufacturers can reduce risk, enhance efficiency and ensure their digital transformations are scalable, secure and aligned with business goals.

 
 

Evolving needs

 
 

Governance is a key tool to manage the risks and drive the efficiency of digital transformation. It’s a tool that many manufacturers don’t realize.

 

Manufacturers might use governance to guide their regulatory compliance, safety, product quality and supply chains. However, they typically lack mature, enterprise-grade governance for employee downloads, departments procuring their own tools, enterprise data, cybersecurity, identity access and other digital issues. This is partly because manufacturers have not faced the regulations that apply to industries such as healthcare or financial services.

 

Companies in highly regulated and tech-driven industries have compliance obligations that require the internal oversight of their digital initiatives. “A big bank or insurance company might have a regulatory compliance function with 50 to 75 people, while a manufacturer might not have that function at all,” said Grant Thornton Technology Modernization Partner Tony Dinola. “Manufacturers haven't been forced to deal with these governance regimes in the same manner as a heavily regulated entity,” said Grant Thornton Risk Advisory Partner Johnny Lee.

 

While manufacturers might not face the same regulations as other industries, they share the same risks and inefficiencies when they expand their digital strategies and solutions. To help ensure efficient and secure digital transformation, including AI, companies need governance that expands across the enterprise.

 
 

Business collaboration

 
 

To govern digital initiatives, companies need to include teams beyond IT — and that can be a challenge.

 

“Digital governance is hard, and it's hard because it requires a multidisciplinary approach to something that has historically been considered IT-centric,” Lee said. “Some manufacturers have robust technology, and they structure teams that are great with digital initiatives. But that doesn’t mean anyone outside of IT is good at those things — HR, finance, legal, operations — and to do digital transformation work, you have to enlist all of those constituents. You have to get their perspectives, since their requirements around data access, retention and security can all be different.”


 

This collaboration is especially important for enterprise-spanning solutions. “If you think about digital transformation involving an ERP implementation, it affects all of those constituents, and yet it’s typically left to IT to make it work,” Lee said.

 

Collaboration is also important when transformation extends from the back office to integrate operational technology (OT) systems on the manufacturing floor. “OT systems tend to be managed in a federated model, where they are controlled by the business, while the back-office systems are controlled by a centralized IT function,” Dinola said. “So, OT systems might not align to the same guidance as the IT systems.” Lee noted that OT systems have often developed with different priorities. “Historically speaking, in any choice between securing an OT system and keeping it operational, the default always went to operational.”

 

However, that choice is evolving as the shop floor increasingly needs cybersecurity.

 


 
 

OT online

 
 

“One of the things that has been a hallmark of security for OT systems, at least historically speaking, is that very few of them have been Internet-facing,” Lee said. “That is what cybersecurity calls ‘air gapping.’”

 

“But that is changing, and it has been for some time,” Lee said. “As you modernize OT, that brings presuppositions that haven’t always been true, like the need to access an OT system remotely for security, operational reporting, administrative purposes or other reasons. That destruction of the air gap presents significant issues. So, now, we are talking about bringing IT and OT under a unified security architecture, which has real challenges.”


 

“Manufacturers need to consider OT risks in a way that they historically might not have had to,” Lee said.

 

As manufacturers consider governance that can align their IT and OT systems for digital transformation, there is another looming issue to address: outdated technology. “One of the things that is unique to manufacturing OT systems is that you tend to be dealing with older technology, or technology that is harder to integrate with current platforms,” Lee said.

 

To tackle the challenges of driving a competitive digital transformation across the enterprise, manufacturers need to set a realistic pace. 

 
 

Phases of governance

 
 

As manufacturers advance their digital transformations, they need to advance governance, and they need to set a realistic pace for both.

 

“The crawl-walk-run metaphor truly applies here,” Lee said. “Build your governance from the policy layer, vet it through feedback loops with the operators implicated by that governance, and then implement that tailored approach through training and reinforcement. As you begin to moderate those things, you can automate those things.”

 

Learn crawling

 

In the crawl phase, manufacturers need to:

  1. Define the objectives and scope of technology governance, aligned with business goals and compliance requirements
  2. Confirm executive sponsorship to ensure authority, resources and organizational buy-in
  3. Assess the current digital landscape of existing systems, processes and policies to identify gaps and risks
  4. Develop a governance framework including policies, standards and roles for managing data, technology and digital initiatives
  5. Assign roles and responsibilities for governance committees, data stewards and accountability structures
  6. Implement supporting tools and processes to monitor and enforce governance policies
  7. Communicate and train stakeholders on governance principles and their responsibilities
  8. Monitor, solicit feedback, measure and refine to continuously improve governance practices

To complete these steps successfully, manufacturers need to establish their cross-functional governance collaboration. They also need to reconcile existing solutions.

 

“You’re often moving from little or no governance to build a governance framework over the top of your various digital initiatives,” Dinola said. “So, you need to determine the people involved, how they are organized, what their roles and responsibilities are and how you define the technology — this is where we get into IT versus OT.”

 

Dinola said that IT solutions might have more governance in place, but “when you get into OT solutions, with IoT devices or other hardware that’s potentially creating and managing data in your environment, consider the risks associated with that.” Evaluate whether solutions are being consistently patched, and whether they have cybersecurity integration to perform regular vulnerability assessments. “There has to be an agreed-upon risk framework from a governance perspective, with people from across the organization to bring that together.”

 

After your organization defines technology governance, it needs to practice.

 

Practice walking

 

“Once you have a regime in place, you really only achieve resilience by considering realistic risks — ones that could have a large impact on the enterprise, like a cyberattack or a ransomware event — and then practicing for those,” Lee said. “Your resilience quotient comes from developing that so-called muscle memory.”

 

For a cyberattack, manufacturers should consider questions like:

  1. Do you have a disaster recovery plan?
  2. Have you exercised it through practical restorations and/or simulations?
  3. Have you done this more than once?
  4. When was the last time you did it?

Lee explained, “Once companies have policies and training, then they build resilience by practicing: If we were attacked or lose system A, B or C, how would we get back online within a calendar week? How do we know that we have confidence to do that? Have we ever exercised that muscle to give us that resilience?”

 

As companies build a resilience quotient over time, they can move on to the run phase.

 

Automate running

 

Companies in healthcare, financial services and other industries have already implemented governance automation. So, manufacturers might feel tempted to implement governance automation as a way to skip the crawl and walk phases.

 

However, governance is unique to your organization. “Until you have a generally agreed-upon framework and operating model, it’s difficult to automate anything,” Dinola said. “You have to get the people and process aspect of it right before you can tech-enable the compliance.”


 

Lee said the same rules apply as when companies consider automating or outsourcing other processes. “You optimize the process before you automate or outsource. If you don’t, the process will simply break faster, likely in ways that are more occult than you can appreciate. If you don't optimize, you don’t know what you should be automating. If you don’t document, you don’t know whether you have one process or seven processes. Yes, automation can make processes better, but only once a process is good.”

 

Once manufacturers define the unique processes that empower their digital transformations, they can consider how to automate tasks in cybersecurity, access control, data lifecycle management, compliance reporting, risk detection, policy workflows and other areas. However, they can’t automate processes they haven’t defined.

 
 

The first next step

 
 

Most manufacturers currently need to start with the crawl and walk phases of technology governance. Once they solidify that governance, they can consider automation — and they might even find that their governance has value in other decisions.

 

“You start to see the applicability to areas like M&A activity,” Lee said. “If you acquire another company, you can consider whether you are going to fold in their technology and systems. Is your regime strong enough to absorb the target company? Or, do you need to let them run autonomously because their solutions are better than what you do? Do you even have metrics in place to know which entity’s technology stack is more mature?”

 

Technology governance might seem like new and challenging terrain for manufacturers and might not show tangible ROI, but it’s important to foster and develop governance in conjunction with the digital transformation that is quickly changing the industry. By proactively guiding transformation with governance, manufacturers can ensure that they maximize the value and mitigate the risks of their digital initiatives. Governance alone might not deliver financial returns, but it can help you avoid financial losses.

 
 

 
 

Content disclaimer

This Grant Thornton Advisors LLC content provides information and comments on current issues and developments. It is not a comprehensive analysis of the subject matter covered. It is not, and should not be construed as, accounting, legal, tax, or professional advice provided by Grant Thornton Advisors LLC. All relevant facts and circumstances, including the pertinent authoritative literature, need to be considered to arrive at conclusions that comply with matters addressed in this content.

Grant Thornton Advisors LLC and its subsidiary entities are not licensed CPA firms.

For additional information on topics covered in this content, contact a Grant Thornton Advisors LLC professional.

 
