Risk Management in a Digital Business

I had the pleasure of a 6-month stint with a digital tech startup – it looks and feels very different from the previous company I was in. From the size and people to the culture and operational priorities, they are all different. But there are common things below the surface – revenue bottom line, customer value as a key driver and back office support functions such as HR and Finance. What is fundamentally different is the pace at which it operates, its responsiveness, use of data and the capacity to transform concepts from ideas to products at an amazing speed (GTM).

Managing two priorities

The very nature of digital means that you are constantly managing two competing priorities – constant and speedy innovation vs. the achievement of long-term strategy – or, as a respected CIO put it in an analogy, the growth pain of a teenager wanting to party hard but also grow up. While in a traditional environment balancing tactical and strategic decisions is not a new concept, in the new digital age this must be done ‘on the fly’. Much of the short-term innovation (tacticals) actually helps solidify/confirm/reinforce the longer-term strategy, and the ability to quickly pivot becomes a key ingredient for success.

This is where I believe aspects of Agile and Lean methodology are the underlying factor. And I believe it’s an irreversible trend. It helps to deal with this constant change, and being agile becomes a way of thinking and a way of work, rather than a simple project management methodology.

See my previous posts on “How does risk management stay relevant in a fast-evolving digital world?” and “How does risk management stay relevant in a fast-evolving digital world? (Continued)”.

Trial and error and de-risk

Underneath all great innovations is a common thread, which is the meeting of a customer’s demand. Because customer needs change all the time, the ability to innovate must adapt to them. What drives the success of a tech company is this concept of minimum viable product – being able to deliver incrementally and quickly, but also shut down those not meeting the needs. Forget about elaborate planning, business casing, projection etc.; get your hands dirty and trial, test, de-risk, iterate and refine.

Not all projects survive because not all of them were good ideas to start with. Baby steps and thin slices make achieving something tangible easier, make decision making easier and, in the worst case, make the failure feel less painful and costly. The company I was in had half-yearly ‘hack days’ where all employees are encouraged to down tools, collaborate with anyone they like and work on a mini project on whatever problem they feel passionate about solving. The end result is one that surpasses all expectations – lots of great ideas, lots of happy employees, lots of team building and lots of commercialised products.

Agile culture and risk culture

Arguably building this sort of culture is harder to do than building a risk-aware culture – yet I believe a collaborative, transparent and agile culture will embrace concepts such as risk just like anything else. I’d go further to say that a digital environment will foster a risk-aware culture faster and more effectively than a traditional management environment.

The culture that fosters innovation ultimately is the culture that allows for experimentation and failure. Superficially this sounds not so rosy and presents challenges to risk professionals, because failures can actually result from a lack of risk consideration and can mean the eventuation of the risk you wanted to prevent in the first place. Still, I believe it can be managed because the ingredients of a risk-aware culture are there – collaboration, transparency, value driven. In this sort of environment, it’s more likely that whatever decision is made is actually a risk-informed decision and the team is conscious of the risks involved in going down the path we chose.

Cross-functional Collaboration

Another driver behind digital success comes from a deep-rooted concept, which is cross-functional collaboration. Sales, marketing, finance and aspects of IT all become part of an extended team. To bring all these personalities together is a monumental challenge. The tech teams are not motivated or challenged in the same way as Sales or Marketing teams. I had been to standups, inceptions, townhalls and retros, and everyone has something different to contribute. How risk presents itself amongst all of these dynamic people remains an interesting challenge for me. But one thing is for sure: risk people need to be physically present, and only by being present can you demonstrate that you are trying to understand the problem at hand, the thinking, the approach and the solution adopted. From there, maybe well-thought-out risk advice can be provided.

Different dynamics in IT

I also happen to have spent a lot of time with our IT community. My take is that IT has a totally different definition in a digital environment. Using agile, the boundary between IT and business is ever more blurred. IT is ‘actually’ the enabler of the execution of the strategy. Nowhere else have I seen IT being so value driven and collaborating with the rest of the business community so seamlessly. Via delivery leads and technical leads, real collaboration happens and everyone focuses on one common delivery goal – the customer.

In many businesses the IT team is purely an infrastructure and/or operations-as-a-service function. However, in digitally centric businesses the IT teams are your conduits to execution. And, much like how sales and marketing staff are evolving, so are these IT teams. Even within the IT community itself, evolution occurs as we speak: concepts such as scaled agile framework, scrum, lean, DevOps and extreme programming are being trialled, adapted and matured. Logical organisation structures such as squads, tribes and guilds are created to allow for one thing – better collaboration.

Conclusion

Digital is the buzzword now and disruption to the existing business is what most fear. As many embark on the digital transformation journey, risk management can play a unique role in making sure the end objective is achieved. Having a risk view of the whole digital landscape provides a balanced view on the pros and cons. Importantly, it ensures the adoption of a technology or digital initiative is not made independent of the benefit it can provide. A conversation (risk assessment) on the ‘value’ from moving to digital can save millions on what otherwise would have been spent on just another ‘feel good’ solution. Technology is an enabler; risk professionals need to remain objective and inform management that the customers forever sit at the heart of the solution and technology is there merely as a conduit.

How to make the whole organisation agile?

Storytelling is a crucial tool for culture change, because often, nothing else works. Charts leave listeners bemused. Prose remains unread. Dialogue is just too laborious and slow. When faced with the task of persuading a group of managers or front-line staff in a large organization to embrace a major change, storytelling is the only thing that works.

http://www.forbes.com/sites/stevedenning/2015/07/22/how-to-make-the-whole-organization-agile/

What constitutes risk management – A senior management’s view

When discussing how to improve the value contributed by risk management, I typically start by saying ‘where do we start?’. At the heart of this question is the desire for a simple and practical point of view that makes sense in practice. Because risk profile, appetite and tolerance are different in different organisations, risk management presents itself differently. However, there are 4 fundamental pillars:

  1. Process

Like any value-adding activity, risk management requires a process, and it entails a purpose, inputs, activities and outputs. According to ISO 31000, the activities typically include risk identification, sourcing, assessment, measurement, mitigation and monitoring. The purpose of the process varies from organisation to organisation too. It may be reducing performance variability, preventing incidents or taking more risks to maximise returns.

  2. Integration

Traditionally, as well as in the financial services sector, risk management is focused on protecting the value of assets tabled in the company’s balance sheet and related contractual rights and obligations. Typical risk management methods include insurance, tools for treasury risks, and mitigation of environmental risks such as health and safety concerns. Whilst these forms of risk management had served a useful purpose in the past, contemporary risk management serves a higher and better use. The relevance of the risk management process increases if it is integrated with core management processes that help the organisation in achieving its objectives and executing its strategy. The degree of the integration again varies and typically includes core processes such as strategy formulation, business planning, performance management, capital and funding planning, M&A and project management etc. Effective integration means risk management is embedded into the rhythm of the day-to-day business decisions and contributes to establishing competitive advantage and boosting performance.

  3. Culture

Effective risk management requires top-down sponsorship and consistent application of conducive behaviours. If the reward system is not balanced with shareholder interests, if the board doesn’t question the assumptions and risks taken for a strategy, or if risk management is restricted to compliance or after-the-fact firefighting and not focused on strategic issues, risk management will not be able to have an impact at the crucial moment. Robust risk culture promotes open communication, knowledge sharing, best practice and continuous improvement, and more recently a focus has been placed on value-driven commitment to ethical and responsible behaviours.

  4. Infrastructure

Now, given the risk management processes, how they are integrated with core business processes and the elements of an organisation’s culture, the focus then turns to whether the organisation has what it takes to get the job done – its infrastructure – its policies, procedures, organisational structure, reporting lines, systems and people related to managing risks. If the infrastructure requires improvement, such as a lack of risk management policy, unclear risk appetite, unclear roles and responsibilities, or a lack of risk reporting process or IT systems (GRC), resources must be diverted to have these areas addressed.

Essentially these 4 elements are the foundation of an effective risk management framework, and they should be what senior management and the Board look for when establishing risk oversight, or what a maturity assessment should be looking at. Ask some of these questions when you think about your company’s risk management practice:

  • Do we have a process to identify risks related to our strategy?
  • Is our risk management only focused on insurable and financial risks?
  • Are our risk management capabilities coordinated across the company, or do they operate in silos?
  • Do we have risks materialise primarily because there is a lack of risk culture or understanding?
  • Is risk management restricted due to resourcing limitations?

What are your thoughts and your experiences in your organisation?

Change management, Resistance and risk management – a hard lesson learnt

I came across this brief slide – I didn’t hear the presentation first hand but the topic itself prompted a great deal of thinking and reflection upon a valuable lesson I learnt recently.

The background

Recently I had a short spell in a tech company that had experienced huge growth and was doing fantastically well in recent years. It deliberately maintains a startup mentality but has an aspiration to be more mature in its corporate governance aspects – processes, controls, compliance and risk management. Enter me to the stage – I signed up to a role in a tiny risk management and audit team and saw a great deal of opportunities in implementing risk management from the ground up in a greenfield environment. Without going into much detail, building a risk management framework is no mean feat – it entails tangible deliverables such as risk process, appetite, reporting, roles and responsibilities and ongoing compliance and maintenance. An effective risk management framework also includes a crucial soft element – a risk-aware culture that permeates through the organisation so people consciously talk about risk and weave risks into their daily business conversation.

Typically and conveniently, implementing the tangible stuff is the way to go. Usually backed by senior management or compliance regulatory requirements, certain things must be in place to discharge senior management and the board’s responsibilities. However, without the soft culture environment, many of these processes, reports and tasks remain a paper exercise or deliver limited business value. That’s one of the reasons that risk management sometimes is still perceived as a functional support team and struggles to win a seat at the high-level decision-making round table (again another hefty topic).

Now back to my experience. Within the first 3 weeks, I had drafted a risk management maturity roadmap with strategic and tactical plan items – the tangible and soft elements. I managed to obtain an in-principle endorsement of it without an agreement on exactly what was to be done. I was then tasked with a number of incumbent ‘risk/audit’ projects – some must-dos and some operationally-focused topics that one would say weren’t derived from risk-based planning (that’s a different topic). The only risk-focused project was business continuity implementation, which deals with disruption and availability risks. I sought to leverage this project to firstly get to quickly understand the most critical parts of the business and secondly, promote risk management as a school of thought and get into people’s minds about its importance and value-adding capability. I conducted informal and formal interviews and workshops, always starting the conversation with an introduction of who the risk management team is – what we do, how we do it and what value we can add – before launching into a tangible risk topic, which was business continuity. It was a rather exhilarating experience as I put risk ‘on the map’ – interviewing 50-plus mid and senior managers in the space of 2 months.

I was not Messi in risk management, but I was battling hard and much of the time I was battling alone. I had the passion and desire in abundance and hoped hard work and persistence would overcome every challenge. I was working 10-12 hours a day in the office plus some hours at night. Time flew by but I felt I was in the zone and making solid progress.

So I think I did…

In hindsight, I neglected an important thing to do. To put it in an analogy – I was a charged up and prepared warrior, carrying my swords and jumped right into the battlefield, with my fists clenched and eyes on the target, I fought a hard battle and importantly I made advances according to my war plan, I was hitting milestones. However, I forgot to stop in between battles and turn around and to communicate to my fellow warriors, to report on wins, losses and problems, to ask for reinforcement, to ask for advice, to tell them where I am going and most crucially why I am going that way and doing that thing. Well that’s a bit of exaggeration, I did, but not enough. I lost sight in my own backyard.

Especially when you are new to a company, what I did was doomed to fail – the odds were against me, I was going to fight to my death – either being recognised as a warrior that stupidly took up an unwinnable fight on my own and lost, or most likely I would be seen as someone who didn’t plan well, misjudged the problem, failed to come up with the right solution, failed to see negative obstacles, failed to communicate and most importantly failed to deliver.

I did fail by the way. I am no longer with this company.

When I reflected upon this experience, I could easily have blamed a million other things that didn’t go my way.

  • I didn’t have a manager that understood my mission and my war plan, and failed to support me
  • It was a hard battle that no one had fought before
  • The team failed to see what I did was planting the seed and it will take time to yield fruits
  • The team didn’t recognise my efforts and I was helping the team
  • I could go on…

But as I look hard at myself and strip it all down, I was leading a project of change management – changing the risk culture in this case. This project invariably has a lot of obstacles and resistance – people, entrenched mindset, existing way of work, selling the value – the stuff on the battleground. Launching into the battle with a crafted game plan (maturity roadmap), armed with a set of weapons (risk management experience and tools) and a determined mindset can only last you so long. My success also depended on team support, collaboration and communication.

My battle was not lost on the battleground, but was lost in my war room and in my reinforcement and my support battalion. Like a game of football, Messi alone cannot win a game, he needs his team – a coordinated team, a team with shared belief and vision and a supportive team. I didn’t have it and I failed to build one before I went battling.

In any change management project in business or life, resistance is a false proposition – resistance to change doesn’t exist (well said Richard, even though I don’t know you). In my case, the number one contributor to my failure that I had control of was ‘Communication’. A hard lesson to learn, but a valuable lesson learnt.

#failure, #lessonlearnt, #riskmanagement, #projectmanagement, #communication, #teambuilding