“How are organisations transforming their business models to ensure resilience, value and growth in the digital age?”
To answer this important question, Cass Business School, City University London, studied a number of leading organisations who are active stakeholders in the space of digital transformation. The ‘Roads to Ruin’ report published by Airmic in 2011 looked at high-profile crises of companies which left their reputation in tatters. The ‘Roads to Resilience’ report published by Airmic in 2014 looked at how companies could be helped to avoid corporate catastrophe by learning from those who were leading the way in creating resilient organisations. The report introduced the Airmic Resilience Model. The main objective of the ‘Roads to Revolution’ report is to provide pragmatic advice for risk professionals and board members, executives and other top management. It is aimed at those who want to ensure that risk management, resilience and digital transformation permeate their organisations to constantly protect brand and reputation. It must be stressed that achieving resilience and transformation is challenging and it requires significant board-level support.
Walking the “Roads to Revolution” is not an option
Walking the “Roads to Revolution” is an existential must. This report highlights the research findings on some of the business and organisational trade-offs that leaders and managers will have to grapple with while walking these revolutionary roads. This report shows the implications of the trade-offs for risk management and governance. This report makes the point that while at face value some definitions and practices for risk management and governance might seem unaffected by the digital revolution, the underlying business and organisational dynamics are so different from the past ones, to trigger the need of a major rewiring of both. For instance, this report shows that boards will have to deal with the digital revolution not just as a cybersecurity issue. Cybersecurity is, and will remain key for any organisation, but boards will have to reskill and introduce new mechanisms to ensure effective and efficient management monitoring, strategic leadership and, ultimately, legitimacy for their organisation.
Achieving resilience is challenging and it requires significant board-level support, but achieving and maintaining resilience and successful digital transformation is even more challenging.
The Airmic Resilience and Transformation Model
The research into the impact of digital transformation on the Airmic Resilience Model discovered that additional components are required for the model to take account of digital transformation. Also, enhancement of the existing components of the Airmic Resilience Model is required, so that they became more aligned with advances in technology. The additional components are identified as ‘redesign processes’; ‘retain stakeholders’; and ‘reinvent purpose’. The research has resulted in the development of the Airmic ‘Resilience and Transformation Model.’ The Airmic ‘Resilience and Transformation Model’ at Figure 1 provides a comprehensive and coherent structure to enable organisations to embrace advances in technology.
Aligning Resilience with Digital Transformation
The eight principles for achieving resilience and digital transformation are summarised as:
Board members require assurance that the eight principles of resilience and transformation are implemented. However, the board conversation about resilience and digital transformation is most likely to focus on the associated business enablers within the organisation, rather than the principles. The business enablers identified in this report are (1) leadership and governance; (2) business structure; (3) strategy, tactics and operations; and (4) people and culture. The importance of these business enablers is explored further.
Organisational structures, the economy and society are evolving very fast. Alongside this, the world of the risk professional has to evolve too. Technology is driving greater connectivity and interdependence at an escalating speed, which in turn means that risk can be more connected and concentrated. Risk that previously might have been considered distinct may develop blurred boundaries. All this is happening in a global context. Companies may have to synchronise risk management activity across several jurisdictions, yet keep it locally relevant and across different operational, tactical and strategic business levels, yet keep it business division relevant.
Building on the four business enablers
Resilience and transformation can be summarised by considering four types of organisational resilience. Table 1 presents the features of the four types of organisational resilience and these can be used to guide the board conversation on resilience and transformation. Each type of resilience aligns with robust and dynamic implementation of one of the business enablers at Table 2.
Table 1: Features of the types of organisational resilience
|1. Integrative Resilience|
|2. Structural Resilience|
|3. Transformational Resilience|
|4. Contextual Resilience|
Table 2. Business enablers, outcomes and relationship to the principles
|1. Leadership and Governance|
|Prevention, Protection and Preparation
Dynamic ‘Leadership and Governance’ business enabler
results in robust implementation of the ‘Resources and Assets’ and ‘Relationships and Networks’ principles
|2. Business Structure|
|Response, Recovery and Review
Dynamic ‘Business Structure’ business enabler results in
robust implementation of the ‘Rapid Response’ and
‘Review and Adapt’ principles
|3. Strategy, Tactics and Operations|
|Invention, Innovation and Improvement
Dynamic ‘Strategy, Tactics and Operations’ business enabler results in robust implementation of the ‘Redesign Processes’
and ‘Retain Stakeholders’ principles
|4. People and Culture|
|Confidence, Commitment and Capability
Dynamic ‘People and Culture’ business enabler results
in robust implementation of the ‘Risk Radar’ and
‘Reinvent Purpose’ principles
All four types of resilience are required for an organisation to achieve successful resilience and digital transformation. None of the styles of resilience is more important than the others, although they do represent an aspiration hierarchy. Arguably, integrative resilience is the starting point for successful resilience. Ultimately, the most successful organisations have strong people and culture business enablers and this represents a position where resilience and transformation results from the confidence, commitment and capability of individuals.
Although all four types of resilience are required in order to achieve successful resilience and digital transformation, it is often integrative resilience that is the strongest within an organisation. It is from this point that the three other types of resilience are developed towards structural, transformational and ultimately contextual resilience. This progression represents developing maturity in the resilience agenda of the organisation. Transformational resilience will be enhanced by redesigning processes and retaining stakeholders. In many ways, the ultimate and most difficult to achieve form of resilience is contextual resilience. By developing people and culture and ensuring robust implementation of risk radar and reinvent purpose principles, risk and opportunity awareness will be improved and contextual resilience will be achieved.
Extending the Resilience Principles
Extending the existing resilience principles
The components of each resilience principle identified by the ‘Roads to Resilience’ research is described in that report. This research identifies the need to extend the five resilience principles to include digital transformation. A range of resilience and transformation practices that extend the existing principles was identified by the research. One example under each of the existing resilience principles is provided below.
Enabling enhanced resilience and transformation
The business enablers define and support the business model for the organisation. They are ‘leadership and governance’; ‘business structure’; ‘strategy, tactics and operations’; and ‘people and culture’. As indicated at Figure 3, the enablers can, in combination, be used to support resilience and transformation. The ways in which the business enablers lead to increased resilience and transformation are context specific, as they are dependent on the size, nature and complexity of the organisation, as well as the business environment and organisational capabilities
All organisations have these business enablers in place, but the different nature of the enablers in each organisation indicates why there are different roads to resilience and transformation. Every organisation has the capability to achieve increased resilience and digital transformation, but it requires risk professionals and boards to decide how each of the enablers can be managed, to change the way an organisation views risk management and the achievement of increased resilience and successful transformation.
Implications for risk professionals
Taking advantage of the new opportunities requires a shift of emphasis in three areas:
Strategic, tactical and operational technology risks must be synchronised to avoid the creation of lags. Risk management must synchronize the different speeds at which the strategic (or external) risk, tactical risk and internal (or operational) risk run. The job of the risk professional is to challenge the organisation to make sure that lags do not emerge and that all the “clocks” illustrated at Figure 4 are synchronised, move smoothly and in the same direction.
To take this forward, some risk leaders may need to expand their comfort zone. But those who can mesh strategic vision, influencing skills, and technological fluency on top of their core risk-management expertise will be best positioned to help their firms negotiate dynamic risk environments laden with potential shocks and disruption. A cultural change is required because risk professionals have historically been technical people. There is a need for risk managers to become business partners. They need to go and talk to people and champion the new type of risk. The job of the risk professional will involve challenging the leadership team. Tools such as the risk register might be misleading and give a false sense of confidence. In these legacy governance models based on risk registers, risk used to be concerned with events. Therefore, organisations are moving away from static risk registers and towards horizon scanning / scenario analysis. In the words of John Ludlow: “The risk professional is someone who understands context and business and becomes a business partner.”
“This report provides some clear signposts for the new knowledge and skills our members must have. The future is now and risk and insurance professionals and their professional acumen must reflect this”.