The recent PwC 2022 Global Risk Survey gives a glimpse into what senior leaders think about their business efforts. The report opens with some expected highlights worth repeating: 

  • Change is increasingly fast and disruptive
  • The COVID-19 pandemic caused disturbances in the labor and supply markets
  • Geopolitical risk is on the rise
  • New regulations, including an increased emphasis on risk, audit and compliance issues, refocus and redirect organizations’ priorities
  • Supply chains, cyber risks and public safety issues all feel pressure from the above factors. 

In view of these issues, digital transformation and risk management are more important than ever. What’s the difference between them, if any? In fact, they are much more closely linked than their names suggest.

Can You Blindly Transform?

In a word: yes. Whether that is a sound business decision is a different issue. As we noted before, there are many different puzzle pieces involved in strengthening an organization, but those pieces share connective tissue: the risk assessment.

You see, a strong risk management program gives an organization a sober and clear-sighted approach to its decisions: 

  • When to spin off a business unit? What are the risks to brand, reputation and cash flow?
  • How about a multi-year digital transformation project? What qualities are we looking for in vendors? How will operations be impacted? Are we future-proofing ourselves with a solution that can last for more than a few years?
  • Flying to the moon? Do we have the capital and technology needed to do that? What partnerships will we require?

These simple examples illustrate that at the heart of any strategic issue, there is some underlying risk issue, too. And, as we previously saw, program maturity and posture will be driven in large part by the organization’s risk appetite. Running a digital transformation strategy is no different. 

Complex Problems, Simple Solutions and Difficult Implementations

You have probably seen a ‘heat score’ matrix in your professional travels. These are color-coded grids that translate a qualitative assessment into a quantitative score so that quick decisions can be made. In the heat of the moment – for example, during an incident response or crisis management scenario – these matrices are excellent tools. They don’t work as well for strategic planning, though.

Complex problems do not always require complex solutions. In fact, simple solutions are likely best, with the caveat that difficulty and complexity could come with implementation. For example, I know I need to go from point A to point B (the simple solution that gets me out of my complex problem), but going on that journey may be very difficult.

Remember, decision-makers do not have the time, and perhaps neither the patience nor tolerance, to navigate a complex or over-engineered solution. A board or C-Suite may need core questions answered, such as:

  • Are the right defenses in place and the right resources at hand?
  • Do the people who require permissions have them?
  • Will the solution impede our business needs?
  • How does this solution grow our business?

They want to know the shape of the journey (point A to B) and not every pit stop along the way, even if prudent planning requires those stops. In the end, the question is: “If we undergo this digital transformation route, what are the risks and returns from the investment?” Digital transformation and risk management are connected, so we need a basic framework to tackle the complex problem.

Bringing It All Together for Cyber Resilience

So, what can we use for strategic planning? We already have a good primer. Here is a recap: 

  1. Know your resources
  2. Define your risk posture
  3. Get in the right frame of mind
  4. Step up to the challenge.

As basic as these steps may appear on the surface, they are deep and loaded with intricacies. For example, you will have technical challenges, such as defining your disaster recovery capabilities pre- and post-change. Or, you may need to assess the case for deploying 5G/edge solutions or whether artificial intelligence is right for you.

Then, there are non-technical challenges that will require your chief information security officer to bring out their best game. Technical and non-technical staff will be forced to speak a common language, almost always dollars and cents.

Apples to Apples

And there is one of the keys to success: commonality. In order to make sound decisions, you need to trust that people are comparing apples to apples. 

There are some great industry frameworks out there – such as NIST SP 800-30, SP 800-34 and ISO 22301 – which focus on risk management and business continuity. Whichever framework you have deployed, there are a few things that need to happen in order to be successful: 

  • Taxonomy. Have impact categories and definitions been conveyed and agreed to across the organization? If one business unit thinks something is a risk, but another does not, you have a problem. Definitions matter and precision in language matters. Having a single pane of glass for common reference is crucial.
  • Governance. Is there any formal program in place, even if not running at its best? A formal program tries to distribute ownership and enforcement. It also shows some leadership buy-in already exists.
  • Collaboration. If specific teams don’t talk to each other, any effort is doomed to failure. For example, the technology and infrastructure team may want to make a wholesale move to the cloud. However, the business team may find that to be a business risk the organization cannot take on (say, for example, if a key selling point of the service is that nothing is cloud-based). These are the types of nuances that turn well-meaning efforts into potential business disasters. 

Useful Data to Make Informed Decisions

Common understandings are the key. The benefits can be extremely positive if they exist, and the consequences downright painful if they do not. Your staff and decision-makers can get stuck trying to make sense of what ‘risk’ means. Definition and precision will prevent that. 

In closing, digital transformation can happen without risk management, but it is risky. Conversely, if your risk management program isn’t informed by transformation strategies, it could leave an opening waiting to be exploited. In the end, you can’t do one without the other. 
