The recent PwC 2022 Global Risk Survey gives a glimpse into what senior leaders think about their business efforts. The report opens with some expected highlights worth repeating: 

  • Change is increasingly fast and disruptive
  • The COVID-19 pandemic caused disturbances in the labor and supply markets
  • Geopolitical risk is on the rise
  • New regulations, including an increased emphasis on risk, audit and compliance issues, refocus and redirect organizations’ priorities
  • Supply chains, cyber risks and public safety issues all feel pressure from the above factors. 

In view of these issues, digital transformation and risk management are more important than ever. What’s the difference between them, if any? In fact, they are much more closely linked than their names suggest.

Can You Blindly Transform?

In a word: yes. Whether that is a sound business decision is a different issue. As we noted before, there are many different puzzle pieces to strengthening an organization, but those different pieces have connective tissue: the risk assessment.

You see, a strong risk management program gives an organization a sober and clear-sighted approach to its decisions: 

  • When to spin off a business unit? What are the risks to brand, reputation and cash flow?
  • How about a multi-year digital transformation project? What qualities are we looking for in vendors? How will operations be impacted? Are we future-proofing ourselves with a solution that can last for more than a few years?
  • Flying to the moon? Do we have the capital and technology needed to do that? What partnerships will we require?

These simple examples illustrate that at the heart of any strategic issue, there is some underlying risk issue, too. And, as we previously saw, program maturity and posture will be driven in large part by the organization’s risk appetite. Running a digital transformation strategy is no different. 

Complex Problems, Simple Solutions and Difficult Implementations

You have probably seen a ‘heat score’ matrix in your professional travels. They’re color-coded scores, translating some qualitative assessment into a quantitative score, used to make quick decisions. In the heat of the moment – for example, during an incident response or crisis management scenario – these matrices are excellent tools. They don’t work as well for strategic planning, though.

Complex problems do not always require complex solutions. In fact, simple solutions are likely best, with the caveat that difficulty and complexity could come with implementation. For example, I know I need to go from point A to point B (the simple solution that gets me out of my complex problem), but going on that journey may be very difficult.

Remember, decision-makers do not have the time, and perhaps neither the patience nor tolerance, to navigate a complex or over-engineered solution. A board or C-Suite may need core questions answered, such as:

  • Are the right defenses in place and the right resources at hand?
  • Do the people who require permissions have them?
  • Will the solution impede our business needs?
  • How does this solution grow our business?

They want to know the details of the journey (point A to B) and not every pit stop along the way, even if prudent planning requires it. In the end, the question is: “If we undergo this digital transformation route, what are the risks and returns from the investment?” Digital transformation and risk management are connected, so we need a basic framework to tackle the complex problem.

Bringing It All Together for Cyber Resilience

So, what can we use for strategic planning? We already have a good primer. Here is a recap: 

  1. Know your resources
  2. Define your risk posture
  3. Get in the right frame of mind
  4. Step up to the challenge.

As basic as these steps may appear on the surface, they are deep and loaded with intricacies. For example, you will have technical challenges, such as defining your disaster recovery capabilities pre- and post-change. Or, you may need to assess the chance of deploying 5G/edge solutions or whether artificial intelligence is right for you.

Then, there are non-technical challenges that will require your chief information security officer to bring out their best game. Technical and non-technical staff will be forced to speak a common language, almost always dollars and cents.

Apples to Apples

And there is one of the keys to success: commonality. In order to make sound decisions, you need to trust that people are talking apples to apples. 

There are some great industry frameworks out there – such as NIST SP 800-30, SP 800-34 and ISO 22301 – which focus on risk management and business continuity. Whichever framework you have deployed, there are a few things that need to happen in order to be successful: 

  • Taxonomy. Have impact categories and definitions been conveyed and agreed to across the organization? If one business unit thinks something is a risk, but another does not, you have a problem. Definitions matter and precision in language matters. Having a single pane of glass for common reference is crucial.
  • Governance. Is there any formal program in place, even if not running at its best? A formal program tries to distribute ownership and enforcement. It also shows some leadership buy-in already exists.
  • Collaboration. If specific teams don’t talk to each other, any effort is doomed to failure. For example, the technology and infrastructure team may want to make a wholesale move to the cloud. However, the business team may find that to be a business risk the organization cannot take on (say, for example, if a key selling point of the service is that nothing is cloud-based). These are the types of nuances that turn well-meaning efforts into potential business disasters. 

Useful Data to Make Informed Decisions

Common understandings are the key. The benefits can be extremely positive if they exist, and the consequences downright painful if they do not. Your staff and decision-makers can get stuck on trying to make sense of what ‘risk’ means. Definition and precision will prevent that. 

In closing, digital transformation can happen without risk management, but it is risky. Conversely, if your risk management program isn’t informed by transformation strategies, it could leave an opening waiting to be exploited. In the end, you can’t do one without the other. 
