Organisational alignment - risk and resilience

In our previous article in the Twelve Shifts of Digital series, we explored the new methods for teams to deliver value, shifting away from traditional overly cumbersome documentation, analysis and strategising towards experimentation and continuous delivery. In our final blog, we turn our attention to Risk and Resilience, which describes the shift from isolated controls and afterthought to building advocacy and trust through pro-active and integrated controls that are proportionate to organisational value.

Historically, organisations were founded upon physical distribution and as a consequence risk frameworks have evolved to rely on human interaction. As the level of direct human interaction has diminished, so too has the appropriateness of manual risk processes. The tipping point has been reached. Risk frameworks with reactive, isolated controls are no longer meeting the cyber, operational and regulatory expectations of a digital world. Instead, leading digital organisations build advocacy, trust, and encourage the entire organisation to manage risk and build in resilience in new ways – not just their risk function. Organisations that are most effective at managing risk are able to assimilate good risk practices and accountability across the business.

Whilst digital transformation is unlocking new value for organisations, it is also introduces new types of threats and changes the nature of existing known risks. This mandates a new way of managing risk. We outline our top three recommendations below:

1. Adopt a risk-based mindset: From prevention to optimisation

In an increasingly distributed environment, digital leaders are taking a more proactive and risk based approach to threats facing their business (e.g. cyber, operational risk) and shifting away from the traditional prevention and maturity based view. This has been evident in how organisations have started to respond to cyber threats.

In today’s hyper-connected world with ever increasing cyber threats, the question is no longer ‘How secure are we?’, but ‘How much loss are we prepared to tolerate?’ This new approach acknowledges that all loss events cannot be protected equally against and mandates:

Senior leaders to be aligned on their understanding of what assets are most important to protect and how these assets support business services;
Risk reduction as the primary goal and that organisations set tolerances that reflect their risk appetite; and
Investments in security controls are commensurate to potential loss.

But we know this can be a daunting and complex task. Therefore, knowing what business services are most critical and how these services could come under threat are the key questions to answer.

Organisations at the cutting-edge take this further by implementing principles found in “chaos engineering” where a disciplined approach is used to identify failure points and bottlenecks across their technology stacks. In real-world terms, this means stress-testing systems until breaking point to better understand your own limitations. This represents a cultural shift away from resilience as an afterthought to resilience by design and is only possible if stakeholders focus more on recovery rather than solely prevention. We believe that by taking the principles of ‘chaos engineering’ and applying them to your systems and processes will help to build greater resilience.

Netflix is a leader in chaos engineering with a dedicated team that runs experiments to see what happens when things go wrong without causing customer visible problems. JP Morgan and Uber have also invested in chaos engineering teams, hardening their systems and running game day exercises.

Other organisations have evolved their focus to promote effective risk management as a business imperative that drives trust and advocacy and strengthens their brand promise. For example, Apple’s commitment and expertise in managing privacy and security has evolved their brand promise from ease of use, to one based on trust. In turn, this has given Apple the right and credibility to launch its digital wallet and the recent Apple credit card.

2. Measure risk intelligently and holistically

Today, many risk management programmes are reactive and create point-in-time assessments which are not in tune with the tempo of the business and the evolving sophistication of cyber threats.

However, leading digital organisations recognise the interlinkages of risks and provide a holistic and dynamic view across risk types. To effectively measure risk in the digital-era, organisations should:

Build and refine intelligent dashboards: Artificial Intelligence and Machine Learning capabilities are used to provide a view into what could go wrong in the future and be traceable to an organisation’s strategic objectives and broader industry and regulatory benchmarks;
Adopt an enterprise view to risk: Measurement of risk needs to be enterprise wide, transcending organisational siloes. It should not be confined to senior management and board reports, but instead be openly shared and discussed (e.g. the number of operational risk incidents available on the intranet in real-time); and
Ensure risk metrics are meaningful: It is important that senior leaders define and commit to strategic and tactical risk objectives and performance metrics, as opposed to highly technical, granular metrics that provide little value to management. Senior leaders should ask themselves ‘what do the risk metrics say about what we ultimately care about?’.

3. Embed controls to engender trust

Risk controls need to be part of strategic planning, proposition design and incorporated within day-to-day operations. This reflects a change from a reactive, checklist based approach to pro-actively working with the first line to define, automate and integrate risk management across processes, products and controls.

From a cyber lens, security practices are designed and integrated into wider agile organisational structures, for example, in Agile ways of working, automating security into the development pipelines and tool-chains, placing security champions on scrum teams and training developers on secure coding. It is clear that the security function can no longer “inspect for security”, as this inhibits agile practices.

Embedded controls can also be in the form of built-in redundancy and the use of ‘fail-over’ strategies to develop greater operational resilience. The topic of operational resilience has been tested in many ways recently as COVID-19 has triggered extreme changes in demand. The imperative to migrate to the Cloud, reducing the reliance on internal data centres so businesses can ‘always be on’ has never been greater although simply selecting a reliable and global Cloud partner is not always the answer.

AWS, Microsoft Azure and Google Cloud, which all have access to the leading engineers, software and hardware available, can be susceptible to downtime with all experiencing a number of outages over the last 5 years. For some organisations, the move to a multi-cloud environment is an important option to consider in order to strengthen the resilience of a digital architecture. Storing backups of data not just in different physical locations, but also with other providers safeguards access, builds additional redundancy into IT systems and protects against geographic or physical risks.

As organisations become more digital, the range of risks needed to be addressed also increases. Traditional approaches and mindsets are no longer fit for purpose. In response, organisations need to adopt a pro-active risk-based mindset, supported by intelligent risk measurement and embedded controls to engender trust.

Over the past few months, we have explored the twelve distinct shifts that define the key changes organisations need to consider to be remain competitive in the digital-era. These changes are not confined to a single department, capability or role and whilst the emphasis will differ depending on the sector. Digital Transformation cuts across the entire operating model spanning business models and ecosystems, propositions and experiences, platforms and data and organisational alignment.

If you haven’t already, read more of the Twelve Shifts of Digital blog series here.