Disruptive Technologies

The Agile Risk Manager

Conventional risk frameworks are not attuned to the "hidden risks of transformation"

Friday, June 21, 2019

By Haydn Shaughnessy and Fin Goulding


Can there be such a thing as an agile risk management function? The question is deeply important because competitive conditions are forcing more and more companies into agile and digital transformations. Risk management could have a key enabling role. Let's look at why.

According to a McKinsey Global Survey, only 16% of companies interviewed considered their digital transformations a success. That sounds depressing. It means that the majority of companies are not able to construct a platform for the future.

Haydn Shaughnessy Headshot
Haydn Shaughnessy
Fin Goulding Headshot
Fin Goulding

There is nuance there, so let's look at the whole picture. The 16% say their transformation “successfully improved performance and also equipped them to sustain changes in the long term.” On top of that, “an additional 7% say that performance improved but that those improvements were not sustained.”

In a recent Harvard Business Review article, David Yoffie, Annabelle Gawer and Michael Cusumano similarly concluded that ~80% of platform strategies fail.

Against this backdrop, it is hard to argue against the need for risk agility, but what does that mean?

The question for a risk manager is usually, would these transformation failures pose a challenge to solvency? The answer has to be yes, but over time.

Innovator's Dilemma versus Transformation Dilemma

Companies that can't lay a platform for future business can continue to exploit the “rent” inherent in their current assets for a finite but relatively short period of time.

In fact, that's an attractive short-term option. But if that rent comes under persistent attack from competitors, then solvency will be an issue, not necessarily because of the immediate danger, but because the firm's inability to transform will undermine investor confidence and limit a CEO's ability to act.

This point was made by the late Steven Klepper in his studies of industry consolidation and firm failure. The route to absolute failure begins when a board and investors lose confidence in strategy and execution, rather than with any single risky event.

The rent problem is a serious one. It is akin to the innovator's dilemma, as charted by Clayton Christensen. In that theory, incumbents are undermined when cheap, and often low-quality, products capture a market that incumbents ignore because margins are perceived as too low.

Once an entrant has cash flow, however, it can ramp up product quality and mount an attack on the incumbent from a dynamic market position. This constitutes a big enterprise risk that few incumbents see coming.

The solution to the innovator's dilemma was for incumbents to release lower-cost products to compete with their top-of-the-range items. (Famously, Intel's Celeron chip was a low-cost market entrant by an incumbent.)

The Path to Business Agility

Transformation risk is different. It is not the risk of a cheaper product so much as a better targeted product, one that slices off important parts of the market and associated revenues. The “slice” can come as a consequence of lower prices or better product-market fit in an age of multiple niches.

This market risk is not usually made explicit during transformations even though it is a main motivator of change. But, by explicit, we mean articulated in a way that can be measured.

Typically, firms dabble in internal agile transformations in order to speed up innovation. These usually involve changes to software development methods (scrum agile).

We are now seeing that the software transformation often delays difficult decisions around market or economic risk.

The tougher decision is when to embark upon broader business agility, extending the idea of fast iterations of work and reduced hierarchical reporting to all areas of the business. What makes this a tough decision is that it implies some recognition that rent is coming to an end. In other words, not only is there a need to transform internally, but the incumbent needs to find new “franchises” where it can draw future rent.

Rent in the incumbency is compressed for a number of reasons. Partly because of startup entry; partly the transformation caused by mobility and connectivity and China's superior strategies around that; and partly because technology allows us to address multiple niches at very low cost. Changing customer needs also play a role.

The rise of money transfer startups is a good example of the first of these. So too are insurance entrants that focus on single item policies such as digital goods. They are targeting rich niches.

Behind both of them is the availability of platforms that reduce costs, dramatically. By reducing operating costs, firms are able to invest their funds in activities like community building and content and swapping out old transaction systems for systems that support subscription or recurring revenues.

Transformation Risks

GE Appliances is a relevant example of a great enterprise struggling to transform to a future platform.

Under previous CEO Jeff Immelt, GE labored hard to make GE Appliances a dynamic, agile division. In 2016, GE sold it to Haier of China, which promptly fired 10,000 managers and gradually reorganized it into much smaller business units.

Haier is now improving and broadening it oduct range, building a future platform around home device connectivity.

The lesson? Transformation is nearly always possible, but it has to be appropriate to changing customer needs and dynamic market conditions. The two go hand in hand.

Implicit in any rigorous risk analysis should be insight into the dangers of misaligning four elements:

- An adaptive strategy

- Product-market fit

- Delivery platform(s)

- An adaptive organizational design

In fact, implicit in any risk analysis should be all the seeds of growth, because, after all, if you can identify the risks, you have identified the opportunity.

Risk managers should be thinking, then, of making their knowledge a proactive tool for the business during transformation.

Conventional Risk Analysis Needs to Change

Enterprise risk management usually encompasses risk in all dimensions, whether that be strategy, compliance, finance, market orientation and customer relevance, operations, treasury management, and so on.

In all cases of transformation, two or more of the main functions are perceived to be faltering, if not failing - operations (maybe logistics or IT), customer relevance, strategy, finance, compliance, efficiency, and so on.

Problems arise with the stability of each of these functions during a transformation.

As Klepper pointed out, companies usually delay transformation until external pressure impacts investor confidence. In GE Appliances' case, that happened because profitability could not climb out of single digits. It was felt the problem lay in being unresponsive to customers, so the company developed an agile transformation focused on responsiveness.

The economy today, though, doesn't stand still. There is one interesting and very relevant feature of the risk management lexicon when it comes to assessing risk function fitness. It is risk appetite. It means that enterprise management teams should assess what risk they are prepared and able to absorb, and which not.

In times of transformation, there are many risks that we cannot choose to eat or not eat. The world throws up new risks regularly, and transformation throws up many more. Any number of those 84% of failures could have assessed risk appetite but been brought down by the hidden risks of transformation.

Set against this, risk frameworks generally have to assume stability. They have to assume the rent position, i.e., that the enterprise can continue to exploit its markets, more or less.

Not only risk managers assume this. Senior executives do too. They may speak to the need for change, but the change is often marginal. It often gets transmitted as “we need our people to be more agile,” or “we must become more customer centric.”

Haier and, indeed, many Asian companies view change as an opportunity to fundamentally challenge the western canon of business structures and thinking. Strip out management and go to small units of business. Create vast cartel-like ecosystems of businesses. Create communities of business. The nature of competition is now such that the very processes of business are up for grabs.

Emergent Risks and Situational Risks

The reason companies undertake agile or digital transformations should be to address these market forces in new ways.

That means they should cover a range of activities: digitizing back-office functions, of course, but also improving IT delivery capability (some companies now deliver updates to their systems multiple times a day), reducing complexity by pushing operations into the cloud, having an agile mindset, being more customer centric, targeting multiple niches, developing a platform organization.

Each represents new risk. Each has an impact on the relationships of people within the enterprise, for example. Each, to some degree, impacts the sense of security of employees.

These are usually hidden risks. There are many of those. A bank's use of a fintech partner signals to the internal IT department that they are not trusted to innovate. Worse, it sends a signal that they have failed the company.

Expect some passivity, if not passive aggression, after sending that message. These are serious culture risks.

Then there are new types of risks. If the freelance labor site Upwork went out of business, it would materially affect Amazon, given that Upwork is a major source of Amazon marketing know-how for small businesses. These are ecosystem risks.

Many people in the technical world believe a key risk to a transformation is the lack of vision of senior managers. Though t won't appear on a risk register, it can't be ignored. At the very least, a scorecard that compares strategy to that of peers is necessary.

IT, Cloud and Efficiency

Transformations and new market dynamics call for new skills; as GE found, those also include new ways to gain customer insight. But the IT department is usually conscious of senior managers' lack of know-how, not just vision, around digital. These are competency risks.

Another is the use of cloud. The inability of senior leaders to exploit cloud is an example of conflicting cultures within organizations. IT operations often do not want cloud because it reduces their role to zero.

Senior management can't get insight into its benefits because innovation in cloud environments becomes much more exploratory. So companies react to the cloud opportunity by continuing to do what they know. They replicate their data structures and governance in the cloud to allay conflict and perceived risks, forgoing business advantage. There are many such new technology risks, including efficiency risk.

Efficiency risk is particularly powerful during transformations. To understand efficiency risk, you need to grasp three concepts that might be new to risk managers. These make up what is known as flow efficiency:

- Lead time, or the time between receiving a request for work and delivering it.

- Cycle time, or the time from being given a task to completing it.

- Discovery time, or the time taken to determine if work has sufficient value to enter the flow of work.

Flow efficiency is measured in terms of the relationship between cycle time and lead time.

Measurements Are Lacking

For a sense of the efficiency risk that your company is probably not managing right now, we spoke to Dan Vacanti, a leading expert in software delivery and author of Actionable Agile Metrics for Predictability. We asked for his observations on flow efficiency during transformations. He started by saying that most companies are bad at measuring flow efficiency, if they measure it at all. And the concept itself is difficult to implement.

“Anecdotally, organizations are so bad at measuring it, yet it is probably in the low single digits. I have never seen an organization that is capturing more than 60% of this data, so that figure is often artificially inflated. My suspicion would be, though, that it is usually in the mid single digits.”

One of the key reasons transformations fail is that the conditions for good flow efficiency are not managed. In effect, your firm creates a vast pool of inefficiency, wasting something in the order of 95% of its software resources. Bearing in mind that you are transforming to a software-driven company, this transition risk is an important source of potential failure.


It is impossible in one article to explore all dimensions of transformation risk, particularly the dilemmas it throws up. There is a danger, however, in using risk frameworks that apply to stable conditions to a company in transformation.

If your firm is transforming, and it probably is, then it faces the dilemma of when to switch from rent to new revenues, but also the probability that flow efficiency will nose-dive.

In addition, it is likely that the company will struggle to work well with value discovery or product-market fit, simply because it is inexperienced at assessing the value of products in newer, initially smaller markets.

What's needed is an agile risk framework that takes account not just of the fact that stable processes are going to be disrupted, but is also able to identify emergent risk and recommend the right mitigants.

Haydn Shaughnessy (@Haydn1701) is the author of Flow: A Handbook for Change Makers, Mavericks, Innovation Activists and Leaders and 12 Steps to Flow: The New Framework for Business Agility. A recognized authority on innovation and an independent consultant to many major financial institutions, he is also a research fellow at the University of California, Irvine. Among his previous contributions to GARP Risk Intelligence was The Risks of Agile Transformation and How to Control Them.

Fin Goulding is the former International CIO at the insurer Aviva and former CTO at, Visa and Paddy Power. He and Haydn Shaughnessy are currently working on the design of adaptive operating models for financial services companies in transition.


BylawsCode of ConductPrivacy NoticeTerms of Use © 2024 Global Association of Risk Professionals