Cutter Fellow Noah Barsky outlines 10 unconventional rules for helping us identify critical risks. He argues that we should not relegate risk management to our compliance or legal departments. On the contrary, we need to transform the mindset that says risk management and mitigation are the responsibility of specialists within specific functional areas. Instead, it must become everyone’s responsibility. Many risks remain stubbornly hidden in organizations. Barsky closes his article by suggesting, quite astutely, that we need to “listen to the kids” in our enterprises.
Digital era opportunities and dangers challenge traditional approaches to risk management. For decades, organizations vested risk oversight in legal, compliance, and HR functions. Despite the fact that tech-driven business models demand far more dynamic and adaptive approaches, entrenched corporate behaviors, incentives, and bureaucracy often stall strategy and thwart innovation.
Ten unconventional “rules” can shatter that inertia and help senior leaders identify, assess, and manage digital era risk. At a minimum, each rule sparks the type of candid conversation that boards and C-suites must have to thrive. At best, they shift risk management’s focus from what could go wrong to what must go right.
Rule #1: Establish an Anti-Vision
Too often, leaders agonize over wordsmithing vision and mission statements, only to learn they rarely anchor and guide employee actions. Hollow rhetoric results in unfulfilled aspirations, weakened competitive position, customer disengagement, workplace churn, and diminished financial performance.
Executives would be better served by mulling the strategic consequences of inaction. Fear of demise can be a great change motivator. What might the future hold if the company does not adapt and transform? Can key stakeholders truly accept and afford rigidity’s downside?
A discussion of the cost of inaction raises many unsettling questions. To start, if digital transformation achieves all of its operating goals for the next three years, will the company be strategically relevant at that time? Are budgets and targets credible? Is operational obsession placing the enterprise in strategic jeopardy? Do employees spend scarce time chasing reports, managing metrics, and sacrificing long-term viability? Have leaders occupied their time with daily activities and abandoned their fundamental responsibilities as mindful stewards?
Statisticians often refer to such choices as the tradeoffs between Type I (false positive) and Type II (false negative) errors. This is similar to medical diagnoses that result in over-testing (inefficiency) or missed maladies (ineffectiveness). Digital transformation fits this analogy well, as a company’s viability rests on its success.
Like all strategic ventures, digital transformation requires capable oversight and meaningful accountability. Metrics must drive value-capturing outcomes, rather than memorializing measurable outputs. With meaningful executive leadership and credible performance goals, companies can sharply raise employee engagement and success odds. Otherwise, digital aims devolve into yet another change management project with a predictable ending.
Rule #2: Separate Digital Strategy from Operational Technology
Executives are struggling to maintain operational excellence while accelerating digital strategy. Ultimately, strategic competitiveness will not be determined by how well or poorly companies upgrade their systems, but by how well they reimagine their digital futures.1 That’s why C-suites can never afford to use operational readiness to filter strategic initiatives.
Frequently, as tactical projects flounder, falter, and fail, digital strategy is easily deferred, derailed, or ignored. To remain competitive, executives must focus on the urgency of digital strategy over commoditized tech improvements.
Rather than focusing on project management checklists, backlogs, and resource gaps, senior leaders must ask if the company has a deep stable of professionals who can deliver operational excellence and strategize — separately. Leadership must let tacticians maintain and upgrade infrastructure while equipping true strategists to shape the company’s future.
That imperative fails when executives are themselves incrementalists or legacy functional leaders who lack the experience, foresight, and creativity to execute strategy. That flaw is magnified in rapid, competitive markets that demand candor and insight, unencumbered by daily operational goals, needs, and barriers.
Companies serious about the digital era must recognize the fundamental difficulty in prioritizing strategy acceleration and be bold enough to act differently.
Rule #3: Outlaw Entrenched Revenue Drivers
Overreliance on flawed, rigid, entrenched revenue forecasting is another widespread corporate problem. Grandiose strategic ambition and promises should never displace business fundamentals.
In efficient enterprises, revenue variances are well anticipated and addressed. New and existing customer-buying behavior, when analyzed thoroughly, predicts future top-line growth and likely returns on marketing investment. When C-suites truly understand why customers stay or switch, there are few “surprise” results.
Lofty strategic visions often lose sight of basic customer spend metrics: what, why, how, and how much customers buy and the likelihood of future loyalty. Many simplistic valuation methods focus on total revenue growth rates, but customer-based corporate valuation (CBCV) focuses on customer-unit economics, including acquisition costs, retention rates, purchase frequency, and average transaction measures.2 Most C-suites have ample data to rethink forecasting.
Solutions can start with three overlooked, data-driven business stewardship questions: (1) what value would investors or lenders assign to revenue projections? (2) do customer-unit economics match strategic vision aspirations? and (3) which signals warn of potential revenue decline? Weighing transaction-level revenue streams against the aggregate costs to acquire and retain customers provides the critical cash-flow estimates investors seek.
From a C-suite perspective, such predictive analytics mitigate costly customer churn and reveal whether strategy aims will meet tomorrow’s market targets.
Rule #4: Question Analytics
In many organizations, analytics groups are becoming the administrative functions they purported to usurp. Companies can no longer afford to limit database use to transaction processing, history referencing, periodic reporting, and validating intuitive expectations.
Organizations need data tools that are predictive and drive proactive actions and preventative defenses. That requires staffing, culture, and commitment to evidence-based decision making that can shatter project-protective norms in addition to massive, high-hurdle-rate program investments.3
Too often, analytics groups founder not from longstanding data-modeling limitations (i.e., clean, comprehensive, validated data), but from scarcity of the right mix of strategists, technologists, and statisticians (in that order) who challenge the orthodoxy and increase competitiveness long before reporting quagmires feast on swelling data pools.
Truly strategic leaders proactively mine data in novel ways to drive future results. Unfortunately, too many data analytics initiatives are funded on the allure of “what could go right,” without adequate plans for “what could go wrong.” Analytics claim to make companies smarter, swifter, and stronger, but is that real or digital era rhetoric? Encumbered progress, diluted results, and cash burn tell the story.
Rule #5: Don’t Excuse Technological Glitches
Recent cybersecurity scares, emerging regulations, and heightened audit scrutiny have motivated boards to rethink digital risk. Executives fear system breaches, asset theft, and data hijacks that tarnish reputations and derail strategy.
Although downside risk often grabs boardroom attention, strong IT controls serve a second valuable and underappreciated purpose: helping businesses run smoothly. CFOs and CIOs must go beyond loss prevention to ensure that system designs do not impede what must go right for key stakeholders. Such unforced errors can be damaging to a company’s strategy, reputation, and bottom line.
This summer, for the second time in less than five years, American Airlines reported that a scheduling platform glitch left thousands of flights without pilots.4 The underlying problem of this example and others is that many C-suites tolerate the term “glitch” as a comfortable excuse for lax management oversight. Too often, system designers and software engineers lack fundamental business process insights; in turn, their operations peers conveniently blame “systems” for mistakes.
As companies aim to digitize workflows, tech leaders must thoroughly understand routine business activities, critical resource paths, and risk points. Cross-functional leadership teams must regularly ask these three questions:
Do system designers understand how digitized business processes speed throughput and improve revenue generation?
Do decision tools connect operating decision quality to financial consequences?
Do credible plans exist to deploy and use automated analytics to proactively identify, diagnose, and curb transaction variances?
The (non-) responses reveal much about digital era readiness.
Rule #6: Promote Business Acumen, Not Digital Transformation
Digital transformation is the hottest trend and spend in technology circles these days. But how can employees possibly transform a business they don’t fully understand?
Companies may have ample tech skills, but functional experts often fall short when asked to be strategic difference makers. That’s the major problem with most grand-scale initiatives — technology alone cannot transform a business.
Digital transformation risks becoming the latest IT project remembered for inflated promises, cost overruns, and few results. Executives and tech leaders can rewrite that narrative by realizing that success depends far more on how they develop people than how they deploy technology.
Technology is an overpriced, underutilized tool in the hands of employees who either don’t know or don’t care enough about the business. Strategy has low success odds when employees can explain what they do but not why they do it.
Employee acumen requires far more than mandatory training sessions. Are employees aware of key financial indicators like revenue growth, expense ratios, and balance sheet health? Which three IT metrics drive financial outcomes? Do IT teams understand how transformation decisions affect planning, budgeting, and results? Unless technology connects correctly to strategy, there could be nothing left to transform.
Rule #7: Make Everyone Risk Responsible
By nature, businesses are risk-seeking enterprises that navigate in treacherous environments, even in stable and growing economic times. Proactive business risk management, distinct from urgent and finite crisis management, offers the greatest potential for lasting competitive advantage.
However, most risk surveys show that executives rank regulatory oversight and economic conditions highest. Such views often underweight strategic risk and result in static, simplistic risk methods aimed at dodging what could go wrong while neglecting relentless pursuit of what must go right.
Strong controls and compliance adherence are necessary, but they are insufficient for meaningful strategic differentiation. Embracing the concept that all employees are risk responsible requires a fundamental shift in leadership and several visible actions. First, executives must clearly and concisely communicate purpose. Second, risk management must be considered a core competency of every job and workplace expectation at every stage of decision making.
Such thinking is not merely a semantic change; it’s a transformation in mindset. Risk management has the potential to be a source of competitive advantage and a differentiator but is often overlooked and relegated to avoidance, control, compliance, and mitigation efforts. Those who truly “know” risk are most apt to “know” reward.5
Rule #8: Share Bad News
Despite our best efforts, breaches occur. What’s important is how, when, and how fast they are handled. For instance, in 2021, the US Securities and Exchange Commission (SEC) cited real estate title insurance company First American Financial for “disclosure controls and procedures violations” related to a cybersecurity vulnerability that exposed more than 800 million images of highly sensitive customer data.6 The SEC concluded that ensuing company disclosures preceded executives’ knowledge of unaddressed, months-old IT security reports. That’s truly every C-suite’s worst nightmare and likely not an uncommon event.
Reporting enforcement actions are common, but the SEC took new aim in this case by targeting inadequate internal management communication and delivered a stern warning to boards, C-suites, and tech leaders, writing:
As a result of First American’s deficient disclosure controls, senior management was completely unaware of this vulnerability and the company’s failure to remediate it. Issuers must ensure that information important to investors is reported up the corporate ladder to those responsible for disclosures.
In 2022, identity security firm Okta was breached and fell victim to a common leadership mistake: sacrificing customer trust for overestimated legal risk. When hacker group Lapsus$ infiltrated an Okta contractor’s computer, Okta relied on its vendor’s initial forensics and opted not to disclose the brief attack. The breach was eventually made public in March via a series of hacker posts. Okta’s attempts to minimize that bad news soon escalated into a public relations nightmare, stock downgrades, senior leader apologies, and a class-action lawsuit.7
These cyber-crisis spirals exemplify why companies must proactively prioritize what-must-go-right customer trust over what-could-go-wrong legal fears. These examples are a clarion call to all businesses to shatter workplace resistance to bad news.
Rule #9: Resolve Technical Debt
A major lurking source of competitive disadvantage is technical debt: outdated technology, flawed software, disconnected systems, and manual processes. No company wants to chase rivals, lose customers, frustrate suppliers, or battle regulators. To close these gaps, executives should try a different approach — ask what due diligence a potential merger partner or acquirer would perform.
An M&A approach assigns a value to each company division and quickly reveals the flaws that impair the company’s overall valuation. Similar to how a home buyer might hire an inspector to identify and quantify structural issues in need of remediation, astute due diligence experts scrutinize companies for hidden cashflow needs and strategic challenges. The findings recast IT needs in terms of two valuation tests that M&A specialists conduct regularly: estimating asset impairment and contingent liabilities.
Underfunded technology investments are similar to impaired assets like poorly performing subsidiaries, expiring patents, and obsolete factories. Aging servers, noncompliant software, and nonsecure user devices likewise impede customer experience and employee effectiveness. Unfunded technology initiatives are comparable to contingent liabilities like litigation payments, environmental remediation, and warranty claims. Costly unaddressed technology issues result in uninsured cyber breaches, service failures, and downtime.
Once measurable, understandable, and actionable, the odds of reducing gaps improve dramatically. Most importantly, a due diligence approach shifts the central technology funding question from “How much money?” to “Can we strategically afford the consequences of not investing?” That’s strategic.
Rule #10: Listen to the Kids
Digital transformation timelines will be short. The next half decade will include massive shifts in the economic order, industry power, and strategic alliances. Technology will fuel much of that change. How organizations employ such tools for lasting strategic differentiation and sustainable profitability depends on the foresight, courage, and acumen of board members and key executives. People will be the transformative force that fuels competitive advantage or the hidden-in-plain-view bug that derails even the best digital transformation plans.
For instance, technology is a priority to Walmart. It structures its board to draw on the most recent significant tech experience, not the longest. Nearly half (five of 11) of its directors have technology or e-commerce experience. The board is clearly composed of digital generation leadership: four members are under age 50, and only three are older than 60. Although age is an imperfect measure of board qualification, it’s an important start.
Executives can benefit greatly from speaking directly to younger employees about their consumer technology experiences. That vantage point can be incredibly valuable and relatively costless, helping companies avoid investing massive sums in interfaces that fare poorly with users. Such participation builds trust, promotes employee participation, and unearths new ideas — all hallmarks of excellence.
The pandemic exposed every company’s weaknesses. Resiliency failures were seeded long ago in functional silos, operational efficiency goals, and risk management designed to avoid what could go wrong. Workplace meetings became mired in discussions about messaging and how things might look; indeed, they should have focused on the need to relentlessly pursue what must go right.
When asked publicly about top risks, C-suite executives routinely cite the economy, regulation, and cybersecurity — safe, logical choices. Off the record, many wonder if they have the right people. Strategy has little chance of success when employees cannot explain why they do what they do. It’s time to rewire organizational thinking and mindsets — these 10 rules can help.
1 Andriole, Stephen J., and Noah P. Barsky. “Why Digital Strategy & Operational Technology Must Remain Perfect Strangers.” California Management Review, Vol. 64, No. 4, 8 March 2022.
2 McCarthy, Daniel, and Peter Fader. “How to Value a Company by Analyzing Its Customers.” Harvard Business Review, January-February 2020.
3 Andriole, Stephen J., and Noah P. Barsky. “Overdue Diligence: Questioning the Promise, Not the Premise, of Analytics.” Communications of the Association for Information Systems, Vol. 50, 2022.
4 Josephs, Leslie. “American Airlines Scheduling Glitch Allows Pilots to Drop Thousands of July Flights.” CNBC, 2 July 2022.
5 Barsky, Noah. “Know Risk, Know Reward: Risk Is Everyone’s Job Responsibility.” Cutter Business Technology Journal (renamed Amplify), Vol. 33, No. 8, 2020.
6 Barsky, Noah. “The SEC Exposed Cybersecurity’s Fatal Flaw — Executive Resistance to Bad News.” Forbes, 31 August 2021.
7 Barsky, Noah. “Okta’s Fearful Cyber Response Worse Than Hackers’ Peek — How 3 Tempting Tech Crisis Shortcuts Cost More.” Forbes, 1 June 2022.