“How are organisations transforming their business models to ensure resilience, value and growth in the digital age?”
To answer this important question, Cass Business School, City University London, studied a number of leading organisations who are active stakeholders in the space of digital transformation. The ‘Roads to Ruin’ report published by Airmic in 2011 looked at high-profile crises of companies which left their reputation in tatters. The ‘Roads to Resilience’ report published by Airmic in 2014 looked at how companies could be helped to avoid corporate catastrophe by learning from those who were leading the way in creating resilient organisations. The report introduced the Airmic Resilience Model. The main objective of the ‘Roads to Revolution’ report is to provide pragmatic advice for risk professionals and board members, executives and other top management. It is aimed at those who want to ensure that risk management, resilience and digital transformation permeate their organisations to constantly protect brand and reputation. It must be stressed that achieving resilience and transformation is challenging and it requires significant board-level support.
Walking the “Roads to Revolution” is not an option
Walking the “Roads to Revolution” is an existential must. This report highlights the research findings on some of the business and organisational trade-offs that leaders and managers will have to grapple with while walking these revolutionary roads. This report shows the implications of the trade-offs for risk management and governance. This report makes the point that while at face value some definitions and practices for risk management and governance might seem unaffected by the digital revolution, the underlying business and organisational dynamics are so different from those of the past that they trigger the need for a major rewiring of both. For instance, this report shows that boards will have to deal with the digital revolution not just as a cybersecurity issue. Cybersecurity is, and will remain, key for any organisation, but boards will have to reskill and introduce new mechanisms to ensure effective and efficient management monitoring, strategic leadership and, ultimately, legitimacy for their organisation.
Achieving resilience is challenging and it requires significant board-level support, but achieving and maintaining resilience and successful digital transformation is even more challenging.
The Airmic Resilience and Transformation Model
The research into the impact of digital transformation on the Airmic Resilience Model discovered that additional components are required for the model to take account of digital transformation. Also, enhancement of the existing components of the Airmic Resilience Model is required, so that they become more aligned with advances in technology. The additional components are identified as ‘redesign processes’; ‘retain stakeholders’; and ‘reinvent purpose’. The research has resulted in the development of the Airmic ‘Resilience and Transformation Model’. The Airmic ‘Resilience and Transformation Model’ at Figure 1 provides a comprehensive and coherent structure to enable organisations to embrace advances in technology.
Aligning Resilience with Digital Transformation
The eight principles for achieving resilience and digital transformation are summarised as:
- risk radar focused on emerging risks and developments in technology
- resources and assets able to take full advantage of developments in technology
- relationships and networks that are constantly developed and extended
- rapid response supported by excellent communication within the organisation
- review and adapt to events to protect and enhance reputation
- redesign processes to embrace new technologies and encourage innovation
- retain stakeholders during the transformation by analysing big data
- reinvent purpose by opportunity awareness, commitment and capabilities
Board members require assurance that the eight principles of resilience and transformation are implemented. However, the board conversation about resilience and digital transformation is most likely to focus on the associated business enablers within the organisation, rather than the principles. The business enablers identified in this report are (1) leadership and governance; (2) business structure; (3) strategy, tactics and operations; and (4) people and culture. The importance of these business enablers is explored further.
Organisational structures, the economy and society are evolving very fast. Alongside this, the world of the risk professional has to evolve too. Technology is driving greater connectivity and interdependence at an escalating speed, which in turn means that risk can be more connected and concentrated. Risk that previously might have been considered distinct may develop blurred boundaries. All this is happening in a global context. Companies may have to synchronise risk management activity across several jurisdictions, yet keep it locally relevant, and across different operational, tactical and strategic business levels, yet keep it relevant to each business division.
Building on the four business enablers
Resilience and transformation can be summarised by considering four types of organisational resilience. Table 1 presents the features of the four types of organisational resilience and these can be used to guide the board conversation on resilience and transformation. Each type of resilience aligns with robust and dynamic implementation of one of the business enablers at Table 2.
Table 1: Features of the types of organisational resilience
1. Integrative Resilience
- controls in place for the expected risks, as described in the risk register
- robust risk awareness to assist with design and implementation of strategy
- optimal utilisation of resources and assets to take advantage of opportunities
- supportive relationships and networks to build successful brands and reputation
2. Structural Resilience
- ability to achieve rapid response to a crisis, cope with the unexpected and learn lessons
- knowledge of emerging risks to help develop and test crisis management plans
- crisis plans to respond successfully to adversity and achieve enhanced profile
- identified lessons to review and adapt business model to gain competitive advantage
3. Transformational Resilience
- procedures in place to encourage creativity, invention and advancement
- ability to redesign processes and to achieve business innovation
- communication with all interested parties to retain stakeholders during changes
- governance of implementation of changes and measurement of improved performance
4. Contextual Resilience
- continuous alertness and awareness of emerging risks by robust risk radar
- involvement and commitment of stakeholders to identifying opportunities and concerns
- confidence and capability to progress changes and reinvent purpose
- constant awareness of context and willingness to challenge the assumptions
Table 2: Business enablers, outcomes and relationship to the principles
| Business enabler | Outcomes | Relationship to the principles |
|---|---|---|
| 1. Leadership and Governance | Prevention, Protection and Preparation | Dynamic ‘Leadership and Governance’ business enabler results in robust implementation of the ‘Resources and Assets’ and ‘Relationships and Networks’ principles |
| 2. Business Structure | Response, Recovery and Review | Dynamic ‘Business Structure’ business enabler results in robust implementation of the ‘Rapid Response’ and ‘Review and Adapt’ principles |
| 3. Strategy, Tactics and Operations | Invention, Innovation and Improvement | Dynamic ‘Strategy, Tactics and Operations’ business enabler results in robust implementation of the ‘Redesign Processes’ and ‘Retain Stakeholders’ principles |
| 4. People and Culture | Confidence, Commitment and Capability | Dynamic ‘People and Culture’ business enabler results in robust implementation of the ‘Risk Radar’ and ‘Reinvent Purpose’ principles |
All four types of resilience are required for an organisation to achieve successful resilience and digital transformation. None of the styles of resilience is more important than the others, although they do represent an aspiration hierarchy. Arguably, integrative resilience is the starting point for successful resilience. Ultimately, the most successful organisations have strong people and culture business enablers and this represents a position where resilience and transformation result from the confidence, commitment and capability of individuals.
Although all four types of resilience are required in order to achieve successful resilience and digital transformation, it is often integrative resilience that is the strongest within an organisation. It is from this point that the three other types of resilience are developed towards structural, transformational and ultimately contextual resilience. This progression represents developing maturity in the resilience agenda of the organisation. Transformational resilience will be enhanced by redesigning processes and retaining stakeholders. In many ways, the ultimate and most difficult to achieve form of resilience is contextual resilience. By developing people and culture and ensuring robust implementation of risk radar and reinvent purpose principles, risk and opportunity awareness will be improved and contextual resilience will be achieved.
Extending the Resilience Principles
- Resilient organisations have exceptional risk radar. Transformational organisations additionally require that the risk radar capabilities are specifically focused on emerging risks. This will require enhanced risk radar with a focus on the developments in technology that offer opportunities for the organisation to enhance their business enablers.
- Resilient organisations have resources and assets that are flexible and diversified. Transformational organisations additionally require specific focus on the need to strengthen resources where they are insufficient to take full advantage of developments in technology. The additional resources will be designed to ensure that the best advantage is taken of relevant developments in technology.
- Resilient organisations value and build strong relationships and networks. Transformational organisations additionally examine the need to extend the existing networks. Joint-venture partnerships with organisations previously viewed as competitors are often a means of achieving transformational capabilities.
- Resilient organisations have the capability to ensure decisive and rapid response. Transformational organisations additionally require that communication barriers within the organisation are removed. Greater cooperation and/or elimination of silos within an organisation is required, in a way that does not create confusion of roles and responsibilities.
- Resilient organisations review and adapt to changes and adverse events. Transformational organisations additionally require specific focus on protection and enhancement of the reputation of the organisation. This can often result in more successful crisis management which, when successfully achieved, can build the reputation of the organisation by demonstrating the quality of management and governance capabilities within the organisation.
- Revolutionary organisations can also successfully redesign processes. This requires the successful embracing of new technologies to ensure process improvement. Successful redesign of business processes is based on encouraging innovation, whilst retaining adequate mechanisms to validate decision-making. The requirement for successful implementation of the redesign processes principle is fundamentally based on a forward-looking culture within an organisation.
- Revolutionary organisations retain stakeholders during the transformation. The ability to retain stakeholders is essential for successful digital transformation. Retaining stakeholders is based on engaging the stakeholders and analysing the big data available about the characteristics of those stakeholders. The key requirement is to discuss and share opinions with all interested parties and develop the options for digital delivery of the identified benefits.
- Revolutionary organisations have the ability to reinvent purpose. Successful achievement of digital transformation is dependent on a willingness of the organisation to reinvent its purpose. Reinventing purpose is based on opportunity awareness, the active commitment of stakeholders and the availability of necessary capabilities. Confidence in the purpose of the organisation is required to ensure constant evolution. There is a strong link between the ability to reinvent purpose and the risk radar of the organisation.
Extending the existing resilience principles
The components of each resilience principle identified by the ‘Roads to Resilience’ research are described in that report. This research identifies the need to extend the five resilience principles to include digital transformation. A range of resilience and transformation practices that extend the existing principles was identified by the research. One example under each of the existing resilience principles is provided below.
- Risk Radar
The risk radar principle has been extended by the inclusion of the additional component ‘Emerging Risks’.
- Resources and Assets
The resources and assets principle has been extended by the inclusion of the additional component ‘Strengthen Resources’ in response to identified opportunities.
- Relationships and Networks
The relationships and networks principle has been extended by the inclusion of the additional component ‘Extend Networks’.
- Rapid Response
The rapid response principle has been extended by the inclusion of the additional component ‘Remove Barriers’.
- Review and Adapt
The review and adapt principle has been extended by the inclusion of the additional component ‘Enhance Reputation’.
Enabling enhanced resilience and transformation
The business enablers define and support the business model for the organisation. They are ‘leadership and governance’; ‘business structure’; ‘strategy, tactics and operations’; and ‘people and culture’. As indicated at Figure 3, the enablers can, in combination, be used to support resilience and transformation. The ways in which the business enablers lead to increased resilience and transformation are context specific, as they are dependent on the size, nature and complexity of the organisation, as well as the business environment and organisational capabilities.
All organisations have these business enablers in place, but the different nature of the enablers in each organisation indicates why there are different roads to resilience and transformation. Every organisation has the capability to achieve increased resilience and digital transformation, but it requires risk professionals and boards to decide how each of the enablers can be managed, to change the way an organisation views risk management and the achievement of increased resilience and successful transformation.
Implications for risk professionals
Taking advantage of the new opportunities requires a shift of emphasis in three areas:
- Better alignment with business priorities:
Risk teams need to demonstrate strong business or commercial acumen and engage more intensely with the company’s strategic ambitions and major investments. This will sharpen their ability to develop valuable insights into emerging concerns and help scope innovative risk mitigation solutions.
- More flexible deployment of resources:
Revised analytical methodologies, including the introduction of new data science and automation techniques, should free up capacity in risk teams for more project-based (as opposed to routine) risk work and the provision of advice to business and functional leaders.
- Greater dynamism in stakeholder engagement:
A more creative lens with regard to emerging risks will enable risk teams to engage with institutional and individual biases and blind spots and help build an appreciation of threats for which evidence may be limited or conflicting.
Strategic, tactical and operational technology risks must be synchronised to avoid the creation of lags. Risk management must synchronise the different speeds at which the strategic (or external) risk, tactical risk and internal (or operational) risk run. The job of the risk professional is to challenge the organisation to make sure that lags do not emerge and that all the “clocks” illustrated at Figure 4 are synchronised, move smoothly and in the same direction.
To take this forward, some risk leaders may need to expand their comfort zone. But those who can mesh strategic vision, influencing skills, and technological fluency on top of their core risk-management expertise will be best positioned to help their firms negotiate dynamic risk environments laden with potential shocks and disruption. A cultural change is required because risk professionals have historically been technical people. There is a need for risk managers to become business partners. They need to go and talk to people and champion the new type of risk. The job of the risk professional will involve challenging the leadership team. Tools such as the risk register might be misleading and give a false sense of confidence. In these legacy governance models based on risk registers, risk used to be concerned with events. Therefore, organisations are moving away from static risk registers and towards horizon scanning / scenario analysis. In the words of John Ludlow: “The risk professional is someone who understands context and business and becomes a business partner.”
“This report provides some clear signposts for the new knowledge and skills our members must have. The future is now and risk and insurance professionals and their professional acumen must reflect this”.