The Evolving Role of CFOs in De-Risking Technology and Data
17 October 2025
In today’s fast-evolving digital economy, small and medium-sized businesses (‘SMBs’)[1] are becoming increasingly dependent on technology. Yet, 69% of Australian CFOs believe they are working with outdated technology and tools, underscoring the challenges many face in keeping pace with change.[2]
As data takes centre stage in everything from core operations and customer engagement to regulatory compliance and decision-making, the role of the CFO is undergoing a profound transformation. No longer limited to financial stewardship and reporting, SMB CFOs are emerging as pivotal figures in managing and mitigating technology and data-related risks.
This white paper outlines the changing responsibilities of the CFO and explores how they can lead practical, budget-conscious and scalable initiatives to de-risk technology and data, even in the absence of a fully resourced IT, security or privacy function.
The Expanding Role of the CFO
Within SMBs, the CFO is often the most senior executive responsible for oversight of risk. Traditionally, this has meant financial controls, audits and compliance. Today, as digital transformation accelerates across industries, that risk remit has expanded to include cybersecurity threats, third-party technology vendor risk, regulatory changes in data privacy and internal data governance. For many smaller businesses, the CFO has by default become the most senior person thinking about and acting on these risks.
Embracing this expanded role doesn’t require the CFO to become a technologist, but it does require strategic curiosity, an investment of time in understanding how technology affects operations across the business, and the implementation of pragmatic controls. Recognising and accepting this evolution is the first step toward strengthening both financial and operational resilience.
Regulatory Obligations and Personal Liability
Under the Corporations Act 2001 (Cth), directors and officers, including CFOs, are subject to a statutory duty to exercise due care and diligence.[3] This duty encompasses the responsibility to understand and respond to risks arising from data breaches, cyberattacks, information misuse and information governance failures. The Australian Securities and Investments Commission (ASIC) has reiterated that executives may be held personally liable for failing to manage foreseeable and preventable cyber risks that result in material harm to the organisation or its stakeholders.[4]
This guidance reinforces a critical shift: data risk has become a financial, legal and governance issue. CFOs must ensure that cyber risks are appropriately reflected in financial risk registers, insurance coverage, operational resilience plans and board-level reporting.
For CFOs with accountability for data governance, obligations under the Privacy Act 1988 (Cth), alongside the current reform agenda, require compliance with the 13 Australian Privacy Principles.[5] These include ensuring that personal information is accurate, up to date, used only for specified purposes and protected through reasonable security measures. Failing to meet these standards can expose organisations to regulatory enforcement, reputational damage and significant remediation costs.
Delegation and Accountability: Creating a Data Ownership Culture
Managing data risk is not a one-person job. One of the most effective approaches for CFOs to reduce their personal burden while improving outcomes is to embed shared responsibility throughout the organisation. This begins by appointing data owners, usually senior staff responsible for key systems or business areas, and data stewards, those involved in day-to-day data handling and upkeep. These roles do not have to sit in IT or data analytics; they can be embedded across support office functions that understand and use the systems, such as HR, sales, marketing, operations and finance.
This model ensures that data quality, access, classification and retention become part of everyday operations. While responsibilities may be distributed, the CFO remains ultimately accountable and must implement clear expectations, regular check-ins and basic training for those with data responsibilities. This not only improves control but also encourages a culture where every team sees data as an asset that must be safeguarded. In a smaller business, this approach reduces reliance on central IT or compliance teams, fostering a broader sense of ownership.
Understanding the CFO’s Position in the Data Risk Ecosystem
The CFO sits at a critical junction in the organisation’s data risk ecosystem, reporting upward to the board, audit committees, and in some cases, private equity stakeholders who demand clear, concise and strategic insights. These audiences expect high-quality reporting that balances financial outcomes with emerging non-financial risks, including those tied to data. Directors will expect reassurance that their executive team has their back when it comes to data risk.
Reporting into the CFO are key corporate functions such as IT, risk, compliance and HR, each with a stake in data governance but often approaching risk through different operational lenses. This diversity can create fragmented views of data risk unless harmonised through consistent reporting frameworks.
To enable effective, data-driven decision making, CFOs need access to normalised dashboards and reporting tools that align cross-functional perspectives. Standardised metrics and unified reporting structures are essential to transforming siloed insights into coordinated, strategic action.
A Practical Framework: The Three Lines of Defence
To manage risk with limited resources, SMBs can benefit from adopting a simplified version of the “three lines of defence” model. It helps clarify who is responsible for what and creates the foundation for proactive management of technology and data issues:
- First line: Business users and data owners who are responsible for implementing operational controls and using systems appropriately.
- Second line: The CFO and other designated governance leads who establish frameworks, provide education, monitor risk indicators and ensure alignment with company strategy and regulation.
- Third line: Independent external experts, such as auditors, legal advisors or managed service providers, who perform assessments and provide strategic advice.
Even if only lightly implemented, this framework improves visibility, accountability and business continuity. Over time, it can scale to accommodate more formal processes as the company grows or prepares for key inflection points such as funding rounds or acquisition.
Top Risks and Strategic Responses
The CFO doesn’t need deep technical expertise to manage tech-related risks, but they do need a clear view of where the threats are and how they can be addressed through policy, training and vendor management. Key focus areas include:
- Cybersecurity: SMBs are increasingly targeted by cybercriminals, making data protection a critical priority. More than half of CFOs (55%) now rank cybersecurity as essential to safeguarding sensitive financial information and ensuring long-term stability.[6] Key cybersecurity processes to implement include enforcing strong password policies, enabling multi-factor authentication (‘MFA’), maintaining secure backups and considering cyber insurance as a financial safeguard.
- Spam Act & privacy compliance: Marketing activities must comply with email marketing rules and privacy legislation. CFOs should ensure marketing teams understand consent requirements for contacting people, for example, always including an unsubscribe option in email marketing and not retaining personal data longer than allowed.
- Data breaches: Prepare an incident response plan. Know when you are required to notify customers, regulators or insurance providers. Conduct occasional drills or tabletop exercises to assess readiness.
- Third-party data risk and vendor assessments: Evaluate the data handling practices of key technology vendors, especially those with access to sensitive customer or operational data. Regularly review contracts, security certifications and breach history to ensure third-party risks are being actively managed.
- Shadow IT: Identify and reduce the use of unsanctioned software and cloud services. Promote an approved list of tools and educate teams on risks associated with using personal or free tools.
By addressing each of these areas with clear, scalable actions, SMB CFOs can significantly reduce the likelihood of financial and reputational damage from avoidable data or technology failures.
Budget Allocation and Strategic Planning
While the CFO may not control every aspect of technology strategy, they do control the budget, and this makes them a key decision-maker in shaping the company’s risk posture. Instead of viewing IT-related spend as a sunk cost, the CFO can frame it as a critical business enabler. Smart budgeting includes allocating resources to:
- Secure, cloud-based productivity tools
- Cybersecurity basics like MFA, endpoint protection and secure backups
- Staff training on phishing and data handling
- Legal or compliance support for regulatory readiness
Importantly, investment levels should be guided by the company’s strategic direction. Preparing for a capital raise, acquisition or significant partnership might not justify a full maturity uplift, but it does require demonstrable, auditable risk controls. Focus on the short-term wins, clear documentation, basic metrics and third-party attestations that boost credibility in the eyes of investors and partners.
External Support for Risk Mitigation
CFOs of SMBs don’t need to tackle risk alone. Strategic use of external support can significantly improve the effectiveness and efficiency of risk mitigation efforts. By partnering with external specialists, CFOs can access deep technical knowledge and proven methodologies without overextending internal resources.
- Consulting specialists: When facing complex technology, regulatory or transformation challenges, such as data privacy compliance, information governance or AI adoption, specialist advisors can help assess maturity, develop policies and implement fit-for-purpose solutions. Engaging the right expertise, even on a short-term basis, accelerates progress and reduces long-term risk.
- Managed service providers: These partners deliver essential IT services such as infrastructure management, patching, secure access, endpoint monitoring and help desk support. A strong provider can ensure foundational controls are in place, freeing the CFO to focus on strategy. During consulting engagements, FTI Consulting can provide direction to managed services providers to support a go-forward maturity position.
- Security operations centres: For businesses with more sensitive data or regulatory exposure, an outsourced or virtual security operations centre provides continuous threat detection, alerting and incident response capabilities. This adds a layer of protection that would otherwise be cost-prohibitive to build in-house. As with other prevention, monitoring and alerting services, configuration is key. FTI Consulting can translate known business risks into technical controls for service refinement.
These partnerships give the CFO access to specialist expertise, best practice insights and the ability to scale risk management activities in line with the company’s growth and ambition.
AI as an Enabler: The Importance of Data Quality
AI is increasingly being added to business systems architectures through upgrades and updates to existing software, so it may begin to affect the risk environment irrespective of any deliberate decision to invest in AI-specific tools.
AI holds immense potential as a transformative tool for businesses, driving efficiency and innovation. However, the success of AI initiatives is heavily dependent on the quality of the underlying data. Poor data quality can hinder AI implementation, turning what should be a strategic advantage into a stumbling block.
For CFOs, who often oversee data management, ensuring high data quality is crucial. If left unaddressed, poor data can turn the CFO from a champion of innovation into a hurdle, potentially stalling the adoption of new and emerging technologies. This underscores the importance of taking proactive steps to improve data quality, ensuring that the organisation stays on the right path toward a mature and innovative future.
Leading the Risk Conversation
Today, the CFO is more than a finance leader. They are an integrator of operations, risk and strategy. By acknowledging their expanding role, enlisting support across the business, implementing foundational frameworks like the “three lines of defence” model and aligning risk spend with strategic priorities, SMB CFOs can lead from the front.
This is not about perfection. It’s about practical, incremental progress, so CFOs can help ensure their organisations are not only financially sound but also digitally resilient, reputationally protected and operationally ready for what’s next.
Navigating Data Risk Complexity
The fast-evolving landscape of digital and data risk can be overwhelming, often characterised by conflicting priorities, unclear direction and competing demands on budget. To help organisations focus on what matters most, FTI Consulting offers a data risk assessment. This enables CFOs to gain clear visibility of priority risks across data assets and platforms, supported by actionable advice, practical strategies and a roadmap for improving data maturity, reducing risk and enhancing compliance.
Success lies in taking proportionate, defensible and coordinated actions across the full spectrum of data disciplines, ensuring that high-priority risks are addressed in a more structured and effective way.
To discuss how we can help CFOs manage data risk, contact Chris Hatfield or Ben Shrimpton.
Footnotes:
[1] CGT small business entity, ATO, 8 October 2024; Medium business income tax gap - Latest estimate and trends, ATO, 31 October 2024
[2] CFO Strategies: 2025 CFO Report – Australian Deep Dive, FTI Consulting, 2 April 2025
[3] Corporations Act 2001, Section 180, Australian Government, 15 July 2019
[4] Cyber risk: Be prepared, ASIC, 15 July 2022
[5] Australian Privacy Principles, Office of the Australian Information Commissioner, 25 July 2022
[6] CFO Strategies: 2025 CFO Report – Australian Deep Dive, FTI Consulting, 2 April 2025