This report is based on research and focusses on building dynamic approaches to risk and resilience throughout a digital revolution that is transforming the way in which organisations create, deliver and capture value. The research focussed on answering the question: “How are organisations transforming their business models to ensure resilience, value and growth in the Digital Age?” To answer this question, Cass Business School, City University London, studied a number of leading organisations who are active stakeholders in the space of digital transformation.
The ‘Roads to Ruin’ report published by Airmic in 2011 looked at high-profile crises of companies which left their reputation in tatters. The ‘Roads to Resilience’ report published by Airmic in 2014 looked at how companies could be helped to avoid corporate catastrophe by learning from those who were leading the way in creating resilient organisations. The report introduced the Airmic Resilience Model.
The main objective of the ‘Roads to Revolution’ report is to provide pragmatic advice for risk professionals and board members, executives and other top management. It is aimed at those who want to ensure that risk management, resilience and digital transformation permeate their organisations to constantly protect brand and reputation. Achieving resilience and transformation is challenging and it requires significant board-level support.
WALKING THE “ROADS TO REVOLUTION” IS NOT AN OPTION
Walking the “Roads to Revolution” is an existential must. The report highlights the research findings on some of the business and organisational trade-offs that leaders and managers will have to grapple with while walking these revolutionary roads and shows the implications of these trade-offs for risk, risk management and governance.
The report makes the point that while some definitions and practices for risk management and governance might seem unaffected by the digital revolution, the underlying business and organisational dynamics are so different from the past ones, they trigger the need for a major rewiring of both risk management and governance. For instance, this report shows that boards will have to deal with the digital revolution not just as a cybersecurity issue. Cybersecurity is, and will remain key for any organisation, but boards will have to reskill and introduce new mechanisms to ensure effective and efficient oversight, strategic leadership and, ultimately, legitimacy for their organisation.
The lack of a common language is one of the most material issues standing in the way of good governance. We need a structure for the digital conversation to take place. Technology, information and security expertise needs to be deployed to help the decision makers ask the right questions to build strategy and allow effective board oversight.
THE AIRMIC RESILIENCE AND TRANSFORMATION MODEL
The research discovered that additional components are required for the Airmic Resilience Model to take account of digital transformation. The additional components are identified as ‘redesign processes’; ‘retain stakeholders’; and ‘reinvent purpose’
Enhancement of the existing components of the Model is also required, so that they become more aligned with advances in technology.
The research has resulted in the development of the ‘Airmic Resilience and Transformation Model’. This provides a comprehensive and coherent structure to enable organisations to embrace advances in technology.
Taken individually, some of the transformational capabilities are not particularly new. For instance, the first industrial revolution was spurred by automation, and organisations and businesses have sought connections and used ‘data’ since the early days of human trading. But while these ‘capabilities’ in isolation are not particularly new, the research shows that, together, they shape some peculiar “born-digital” strategic and organisational challenges and risks for the case study organisations.
The eight principles for achieving resilience and digital transformation are summarised as:
- risk radar focused on emerging risks and developments in technology
- resources and assets able to take full advantage of developments in technology
- relationships and networks that are constantly developed and extended
- rapid response supported by excellent communication within the organisation
- review and adapt to events to protect and enhance reputation
- redesign processes to embrace new technologies and encourage innovation
- retain stakeholders during the transformation by analysing big data
- reinvent purpose by opportunity awareness, commitment and capabilities
Board members require assurance that the eight principles of resilience and transformation are implemented. However, the board conversation about resilience and digital transformation is most likely to focus on the associated business enablers within the organisation, rather than the principles.
The four business enablers identified in this report are
- Leadership and governance
- Business structure
- Strategy, tactics and operations
- People and culture
IMPLICATIONS FOR GOVERNANCE
Organisational structures, the economy and society are evolving very fast. Alongside this, the world of the risk professional has to evolve too. Technology is driving greater connectivity and interdependence at an escalating speed, which in turn means that risk can be more connected and concentrated. Risks that previously might have been considered distinct may develop blurred boundaries.
All this is happening in a global context. Organisations may have to synchronise risk management activity across several jurisdictions, yet keep it locally relevant and across different operational, tactical and strategic business levels, yet keep it business division relevant.
Building on the four business enablers, resilience and transformation can be summarised by considering four types of organisational resilience. Table E.1 presents the features of the four types of organisational resilience and these can be used to guide the board conversation on resilience and transformation.
All four types of resilience are required for an organisation to achieve successful resilience and digital transformation. None of the styles of resilience is more important than the others, although they do represent an aspiration hierarchy. Arguably, integrative resilience is the starting point for successful resilience. Ultimately, the most successful organisations have strong people and culture business enablers and this represents a position where resilience and transformation results from the confidence, commitment and capability of individuals.
Although all four types of resilience are required in order to achieve successful resilience and digital transformation, it is often integrative resilience that is the strongest within an organisation. It is from this point that the three other types of resilience are developed towards structural, transformational and ultimately contextual resilience. This progression represents developing maturity in the resilience agenda of the organisation. Transformational resilience will be enhanced by redesigning processes and retaining stakeholders. In many ways, the ultimate and most difficult to achieve form of resilience is contextual resilience. By developing people and culture and ensuring robust implementation of risk radar and reinvent purpose principles, risk and opportunity awareness will be improved and contextual resilience will be achieved.
The business enablers define and support the business model for the organisation. They are ‘leadership and governance’; ‘business structure’; ‘strategy, tactics and operations’; and ‘people and culture’. As indicated by Figure 3, the enablers can, in combination, be used to support resilience and transformation. The ways in which the business enablers lead to increased resilience and transformation are context specific, as they are dependent on the size, nature and complexity of the organisation, as well as the business environment and organisational capabilities
All organisations have these business enablers in place, but the different nature of the enablers in each organisation indicates why there are different roads to resilience and transformation. Every organisation has the capability to achieve increased resilience and digital transformation, but it requires risk professionals and boards to decide how each of the enablers can be managed, to change the way an organisation views risk management and the achievement of increased resilience and successful transformation.
IMPLICATIONS FOR RISK PROFESSIONALS
Taking advantage of the new opportunities requires a shift of emphasis in three areas:
- Better alignment with business priorities: Risk professionals need to demonstrate strong business and commercial acumen and engage more intensely with the company’s strategic ambitions and major investments. This will sharpen their ability to develop valuable insights into emerging concerns and help scope innovative risk mitigation solutions.
- More flexible deployment of resources: Enhanced analytical skills and methodologies, including the introduction of new data science and automation techniques, should free up capacity in risk teams for more project-based (as opposed to routine) risk work and the provision of advice to business and functional leaders.
- Greater dynamism in stakeholder engagement: A more creative lens with regard to emerging risks will enable risk teams to engage with institutional and individual biases and blind spots and help build an appreciation of threats for which evidence may be limited or conflicting.
Strategic, tactical and operational technology risks must be synchronised to avoid the creation of lags. Risk management must synchronize the different speeds at which the strategic (or external) risk, tactical risk and internal (or operational) risk run. The job of the risk professional is to challenge the organisation to make sure that lags do not emerge and that the typically faster speed of external developments is synchronised with those of the organisation, that they move smoothly and in the same direction.
To take this forward, some risk leaders may need to expand their comfort zone. But those who can mesh strategic vision, influencing skills, and technological fluency on top of their core risk-management expertise will be best positioned to help their organisations negotiate dynamic risk environments laden with potential shocks and disruption. A cultural change is required because risk professionals have historically been technical people. There is a need for risk professionals to become business partners. They need to go and talk to people and champion the new type of risk. The job of the risk professional will involve challenging the leadership team. Tools such as the risk register might be misleading and give a false sense of confidence. In these legacy governance models based on risk registers, risk used to be concerned with events. Therefore, organisations are moving away from static risk registers and towards horizon scanning and scenario analysis. In the words of Airmic CEO John Ludlow: “The risk professional is someone who understands context and business and becomes a business partner.”