Risk Management: the often overlooked dimension of Digital Transformation

I have to confess that I’m not good at keeping New Year’s resolutions: I find it hard to change my behaviour on the basis of a single decision that happens to coincide with the end of the year. The ubiquity of broken New Year’s resolutions also seems to give me permission to break my own. But this year will be different! I’m going to try something that I hope will not be too hard and will be of some interest: to share some thoughts about Digital Transformation which have been bouncing around my head for a while - and through sharing them, give them form.

As these thoughts form, I expect they will almost fall into the classic people, process and technology triad. The one difference is that, when we talk about Digital Transformation, I think that we should talk about practices rather than processes. This might seem like a fine semantic point but, to me, a process is something that people follow (the process is in charge), whereas a practice is something that people do (the people are in charge). Practices seem to fit a world of autonomy, skill and expertise - people doing the work that cannot be done by machines.

Let’s start with a practice which is often overlooked when we speak of Digital Transformation - that of risk management. I think that this practice is often overlooked because, when we think of Digital Transformation, we naturally think of the more obvious, outward signs of that transformation: we think of customer experience, we think of innovation, and we think of culture.

Yet, when we attempt to digitally transform our enterprises, we place ever more faith and reliance on technology platforms. If we are successful in that transformation, we may grow the number of people - our customers - who rely on those platforms to many millions or even billions. When that many people place that much reliance on technology, we had better know what happens when things go wrong: we had better get good at managing risk.

It’s important for us to remember, though, that managing risk is not the same as eliminating risk: most risks can be reduced or mitigated, but not eliminated. If you have worked in enterprise technology for any time at all, you will know that anything can fail - and if you operate at digital scale, things fail all the time. You cannot eliminate these failures - but you can design your platforms to survive them.

I started this article with a confession, and I have to end with a confession. For much of my career, I did not appreciate the true importance of risk management. I did my best to identify and manage risks when I was designing systems, running operations and leading delivery programmes. But I regarded risk management as a necessary but unexciting chore. And I got away with it because I was living through a slower, earlier phase of the Digital Transformation of the world when the consequences of failure were less catastrophic.

In recent years, I have learnt how wrong I was. Not only is risk management important but, in the context of Digital Transformation, it is fascinating. The problems of designing global scale solutions to resist attacks and survive failures - and to do so in ways which preserve and promote speed and agility - are some of the most interesting problems to solve.

In traditional enterprises, risk functions often get a hard time, and are often stronger in risk management disciplines than technical disciplines. If you want to succeed in Digital Transformation, I recommend learning to think differently and seriously about risk, and cross-pollinating risk and technical expertise between teams.