While few of us devote hours each day to thinking about risk, it surrounds us and should influence each decision we make. Most of us calculate risk without conscious thought. The risk of a poor restaurant choice may be opportunity cost or a hospital visit. The risk of an uninformed business decision could be service disruption, crippling fines, and even bankruptcy.
To date, risk management has not been a salient theme of the digital transformation movement. For example, a 2018 report from CapGemini profiles “Digital Masters,” companies that innovate in their value chains, partners, and product release processes. It’s striking that the word “risk” appears nowhere in the 32-page report.
Most people aren’t great at understanding their risks. Yet we don’t get to outsource or opt out of risk management. “If you choose not to decide, you still have made a choice,” in the immortal words of Neil Peart. We can outsource process, infrastructure, oversight, and production, but the risk accountability remains with us. It’s our reputation, margin, and customer satisfaction scores that are at stake, not the provider’s.
Risk is inherent in typical business decisions, such as:
- Should I ask for a bigger budget or more headcount?
- Should I re-org for greater efficiency?
- Is it time to change vendors?
- What spending do I shave down to support this new initiative?
- Am I investing to be competitive, to win, or to check the box?
These decisions all involve risk and reward tradeoffs. Most corporate leaders are used to thinking through these risks, using experience, business partners, and peer advice to inform their calculations. Digital transformation involves less familiar digital risks. It brings problems previously relegated to IT and auditors to the center of your decision-making process.
Make no mistake: The success of your business depends on how well you understand these new risks.
What’s old is new again
Traditional risk management focused on IT systems, fraud, and loss. These approaches are still important, but they aren’t sufficient. Digital transformation initiatives often involve extended supply chains, disruptive vendors, and global partners with unusual risk profiles and localization requirements. The risks include information exposure, sabotage, hacking, and much more.
These initiatives frequently involve third parties and agile development practices that sometimes devolve into “corner cutting.” The challenge is balancing the risks associated with these tactics against the rewards you hope for.
Writing in the Harvard Business Review, Shameen Prashantham offers suggestions to help companies manage contractor relationships in the modern economy. By carefully selecting and limiting your partners to match goals, risk sensitivity, and available relationship support, companies can get more value from them while minimizing risk.
Many companies are expediting this process with vendor risk management systems that use vendor portals, risk scoring, digital workflows, and automated exception handling to help companies manage third-party risk. These systems are designed to discourage line of business executives from hiring unvetted or outright shady providers, and to simplify reuse and onboarding for these business partners.
Data leaks
A clear risk in digital transformation is that new flavors of sensitive data can leak in unexpected ways as you introduce new systems, partners, and connections. There are many examples of data access run amok. In August 2018, PG&E was fined $2.7 million after a contractor improperly copied sensitive system data from PG&E’s network to its own network and made it freely available on the Internet, according to a report in Power Engineering, a trade publication.
If you proactively manage the risk to your business, you can remove limitations and maximize the rewards of digital transformation.
“When you move from data collected but buried in an unstructured way to data collected and published in a structured way, that data becomes accessible to everyone, for good or bad,” says Magaly Drant, senior director of engineering program management at ServiceNow. “Think of resumes. We used to manage paper printouts, but now we store them in digital instances where they are much easier to find.
“With SaaS, the barriers to access are very low,” Drant adds. “A lot of thought goes into finding the right place on the spectrum between allowing too much and denying everything.”
Drant has helped ServiceNow build more nimble recruiting applications, while still meeting the privacy and confidentiality expectations of applicants and regulators. “We knew what we wanted to build, but we lacked information about privacy and new regulatory regimes like GPDR,” she says. “So we wrote down our requirements and then asked our colleagues in HR and IT to help us define rules for access based on roles and other business details that were already in the platform. It was a team win.”
Another area of risk has been introduced with modern product development practices. Agile development and delivery involve rapid iteration and testing to achieve customer and market fit. An agile truism is that the earlier a flaw is caught, the less it costs to fix. The same is true with risk. The earlier a risk (cyber, availability, integrity, etc.) is identified, the easier it is to mitigate and the lower the overall exposure to the business.
Integrated risk management
Effective risk management means breaking down silos of data, processes, policies, and knowledge. The resulting data sharing and increased visibility can help organizations improve their decision-making and performance, and often reduce duplicative tools and efforts. Gartner has recognized the importance of this approach with a new category called Integrated Risk Management (IRM), which is about connecting IT, operational, and strategic risk domains to manage risk holistically across an enterprise.
Taking risk is an integral part of achieving reward. If you proactively understand and manage the risk to your business, you can remove limitations and maximize the rewards of digital transformation. Tap into your risk leader as one of your innovation partners, and you’ll discover that embedding digital risk management in your business processes can reduce friction and open up opportunities.
For more ideas on managing risk, watch ServiceNow’s risk leaders’ webinar on ServiceNow’s own GRC journey or read the new Gartner Magic Quadrant on Integrated Risk Management.