In the predictable markets of the 20th century, risks could be forecast years into the future without much change. Revisiting and updating your identified risks on anything more than an annual basis seemed like overkill. Regulators and investors were satisfied as long as you could evidence a risk management process, regardless of whether it produced the right outcomes.

Today, life comes at you much faster than that, in most, if not all sectors and regulators are struggling to keep up. The sheer pace and complexity of shifting market dynamics that have become the hallmark of the digital age, means that the only constant is change. Yet instead of seeking to find alternative risk approaches that can better cope with an uncertain environment, it seems traditional organisations have decided to double down on the old way of doing things.

This is not wholly unsurprising. In times of extreme pressure, the natural response is to stick to what is known and practiced in order to gain back control. The problem is, this heightened focus on risk prevention and overly engineered risk management process is not working. Worse, it is actually causing a different kind of risk: that of being blindsided by disruption.

Recently, I co-led a research project investigating alternative approaches to developing digital strategy, as part of which we analysed risk approaches from companies’ annual reports. Whilst these rarely disclose the specifics of their risk management practices, it is still possible to diagnose the mindset and assumptions that lie behind their approach.

The board assessed the risks to the company over a three-year period.” (Education company)

What we found was a distinct difference between FTSE100 companies and companies lauded as digital leaders, in how they think about risk. Most traditional organisations focussed on evidencing their risk process over their outcomes with many proudly showcasing their 3-5 year outlook cycles. The problem with this is that it assumes that the future is knowable over that length of time, which is nothing short of a delusion. The biggest trap of risk management today is assuming that success relies on predicting outcomes. That worked in the past, when a strategic direction could be set, complete with risk forecasting, and not need revisiting or updating for years, if not decades.

It’s probably no shock to hear that the same education company quoted above, later sheepishly stated in the same report: “We failed to see the accelerated level of disruption taking place in US market”. It is clear that this misguided, 20th century focus on process over outcomes is no longer fit for purpose as it leads to reactive responses to disruption rather than pre-empting and capitalising on opportunities that come from change.

Today, a more mature approach is needed to better navigate the uncertainty of the digital age, but we found that, amazingly many organisations still try to demonstrate meaningless 3, 5 and even 10 year outlooks. Instead, managing risk in the 21st century requires demonstrating your ability to continually allow for and learn from outcomes that were not intended as new information becomes available and new capabilities are developed in your organisation.

Upend your risk toolbox

Interestingly, many of the executives we interviewed for our research project, knew deep down that current practices were not working. The reason they hadn’t changed was not due to lack of awareness, but rather a perceived lack of alternative options. Whilst markets shift more rapidly than ever before, control still needs to be demonstrated. So if not the traditional approach, then what?

We investigated digital-age leading organisations to understand what the alternatives could be. We deliberately sought out digital leaders across a range of industries to avoid the trap of focussing on digital-native firms. What we uncovered were three key practices to a digital-age approach to risk management:

  1. Embed channels to gather intelligence The first step in being able to respond to shifting market dynamics is being able to sense the changes taking place. You will not be able to predict all of the risks to your business, and to be ok with that you will need to create a robust sensor network. Many of the organisations we spoke to had processes and mechanisms in place to gather intelligence. Several were assigning this responsibility to dedicated teams or interest groups. However, those leveraging the most value were using digital collaboration tools – such as their ESN or team based apps – and inviting all employees to take part. Making the sharing process visible to everyone means the ‘ambient awareness’ of the entire organisation increases. In turn, ideas and thoughts can be discussed and a crowd-sourced direction can emerge.
  2. Distribute authority to enact change. In the digital age, the ability to sense and respond quickly to disruptions in the market, will be the mark of success. Digitally mature organisations empower the employees closest to the information to take action in service of the strategic direction. The direction – or ‘what’ – is set by the executive team. However, ‘how’ the direction is achieved is not prescribed. Instead, teams are trusted to work out how this is achieved themselves and given the authority to do so, using techniques and ways of working that suit them best. One media organisation we spoke to took this approach and managed to slash their ad creation process from 4 weeks to half a day.
  3. Spot future revenue plays through combining capabilities. Once your organisation’s sensor network is working effectively to cope with change, the next step is to spot new revenue areas to take advantage of change. This is best done by considering the capabilities your organisation has or is building and which of these can be framed as ‘services’ that could combine to form new products or services for your customers. These are likely to be revenue areas not considered before and not immediately obvious to many at the centre. But by leveraging your sensor network to gather intelligence from the edge, these opportunities can start to emerge and experimental ideas tested.

“Our businesses are rapidly evolving, subject to changing technologies, and shifting user needs” (Alphabet)

These mature practices to managing operational risk acknowledge the velocity and unpredictability of the world today. They recognise their employees as the best early warning system they have and work to involve them as a “human sensor network”, entrusting them to spot, flag and mitigate risks in real-time. This sense-and-respond approach to risk requires empowering employees to be able to take action, which in turn means sharing information and data to enable them make judgement calls – a complete upending of the traditional risk toolbox.

I recognise that managing risk means you encounter multiple stakeholder demands – your investors, your board and the market – and it is less easy to influence some towards a different approach. Then you face the battle against legacy processes and assumptions that have prevailed for decades. The luxury of simply ripping up the rules is one that seems only available to start-ups or smaller, unlisted companies with no obligations.

However, I hope that through our research, we’ve shown some clear tangible steps that can be taken that provide not only an alternative to risk management, but also how you too can nurture the open, collaborative, distributed behaviours that enable you to master navigating the uncertainty of the digital age.