Digital Disruption and Transformation Risk - Top Actions ERM Leaders Can Take

While some spend time trying to define and identify exactly what is happening... one thing is clear: this digital disruption and transformation risk is real and it is important. Companies and leaders sense the risk and are reacting. What makes it difficult is distinguishing the hype from reality. Making that even more difficult is the fact that so much angel investor type money has moved earlier in the process, seeking companies and ideas before they ever go public. The result is that executives seeking to learn what others are doing must look elsewhere (other than public filings and public information). ERM leaders gathered at the Center for Excellence in ERM Fall 2018 ERM Summit to discuss what others are seeing, the impact of these disruptions, the associated risks, business changes, expectations, and how companies are responding. The white paper can be downloaded here.

The really big strategic risk

I attended the Lean Startup Summit in Berlin this past February. In my view, ERM needs to play a bigger role because the risks must be identified and managed in innovation just as in daily objectives. One thought at the conference that got discussed was that the really big strategic risk is related to different dimensions. Those dimensions are revenue (not new) but also how the new idea/project/innovation might transform the organization. See the map here. Organizations feeling more disruption might want to map their projects using a similar approach. The most important place is probably location 1. This perspective can help organizations consider which projects to prioritize.

The risk - talent connection

Once we’ve got the risk identified, a key question for leadership and the board is: do we have the right talent to manage this risk?

Collins’ “Good to Great” highlighted the importance of getting the right people. The same thing applies in managing risks. I’ve seen this show up in several companies and know of others who have closed this loop. A few example questions:

  • If your organization is facing massive disruption and digital changes and no one on the board or in leadership has a good understanding of this then the risk could be higher.

  • If your organization plans on opening new locations but hasn’t thought through the implications of not having the talent already in place and trained, then the likelihood of not meeting the objectives goes up.

The importance of being agile in strategic risk management

Our current and preliminary data analysis in the tech industry shows:

  • half of value killers are strategic setting

  • half of value killers are strategic execution.

The big ones:

  • Almost 90% of big value killers are strategic setting

The agility link:

  • the strategic setting mistakes and losses take 2.5 times longer to recover.

One lesson:

  • ERM around strategic setting risk can pay off in big ways.

But which strategic risk dimension is the most important?

I’ve seen all those studies and slides from so many organizations and consultants that state that strategic risk is the most important risk out there that leads to lost value. I don’t think anyone disagrees with those general findings.

My academic brain keeps wanting to know more. If COSO has strategic risk in 3 dimensions is it possible for us to know which of those is the problem? In other words, is the lost value because of strategy setting, strategy alignment, or strategic execution? To me, that’s the bigger question.

Well, I’ve got this one bright graduate student helping me try to answer this question.

Very very preliminary but the interesting finding (so far…) is:

  • most value killers that are small are strategic execution related.

  • the largest value killers? They are primarily strategy setting.

If we want to really help our organizations with strategic risks then we must get involved in the questions around whether we have the right strategy set!

Managing a portfolio of risky projects

I heard a talk in Berlin recently that inspired me to think of risk in new projects this way. Take all the disruption or new projects and map them as follows:

Vertical axis is new growth

Horizontal axis should include transformational/blue ocean dimensions like:

  • improved relationships with customers

  • new customers

  • future new business model to make you more competitive

High growth projects with high transformational / blue ocean possibilities are the key in a disruptive / ultra competitive world. That doesn’t mean we don’t identify the risks in those projects - we still should do that because it may be even more important. But here’s a lesson from long ago in my career. Identifying the risks takes serious thought and the most important risks come up at the end, not in the first 5 minutes. It takes deep thinking.

Preliminary Results from the Center for Excellence in ERM on Digital Disruption

Although the final white paper is forthcoming, it seems wise to share some of the interesting findings:

  • 85% of ERM leaders agree that digital disruption and transformation will have a significant impact.

  • The #1 reason companies are moving forward with digital disruption efforts is that they believe their business model is at risk. 76% listed “remaining relevant” as the reason for making a change.

Using ERM to Make Innovation More Successful

I recently attended the Lean Startup Summit in Berlin. A few ERM/startup takeaways:

First, use an ERM approach to identify the risks in the startup. Instead of COSO’s risk categories or strategic objectives, consider using the dimensions of usability, feasibility, and value. Use these prompts to get the team to identify and map the risks on impact and likelihood. Manage the big ones right away. The startup may depend on it.

Second, identify the critical success factors in the launch of the startup (at the Summit this was applied to a product launch). Using those factors, attempt to reduce the risk of each product launch factor via testing. As the tests prove successful, the risk is lowered. Document the test results and (hopefully) reduced risk.

Third, once the product or company is launched the next steps are focus, focus, focus. This was labeled horizon one and the focus seemed to be on selling that product/idea and getting it out. But according to research done by this company on scaling companies, a considerable amount of effort must be put into new products. Stated differently, they suggest that true long-term success must focus on the next product and time must be continuously allocated to the new ideas even while focusing on the current success.

Note we have a white paper on the ERM - innovation connection that has valuable additional content.

Two easy ways to begin the risk-strategy connection

First, read your strategy document. I can’t emphasize this enough. We’ve got to know our own vision, mission, strategy, etc. Note that sometimes an understanding of this will cause a repositioning of certain risks.

Second, read what they read. Boards and executives are not necessarily reading COSO’s ERM Framework or the ISO Framework. Therefore, to understand their world and problems, read what they read. Some of my favorites in this area are:

Business Models

o  Business Model Generation (Osterwalder & Pigneur)

o  Value Proposition Design



o  No Ordinary Disruption (Dobbs et al.)

o  Big Bang Disruption (Downes & Nunes)

o  Your Strategy Needs a Strategy (Reeves et al.)

o  Create Marketplace Disruption (Hartung)

o  Superforecasting (Tetlock and Gardner)


Strategy (more general)

o  Strategy beyond the Hockey Stick (Bradley et al.)

o  Blue Ocean Strategy (Kim & Mauborgne)

o  The Lean Startup (Ries)

o  Playing to Win (Lafley and Martin)

o  Brand Resilience (Copulsky)

o  Discovery Driven Growth (McGrath and MacMillan)

o  Upside (Slywotzky)

o  Innovator’s Toolkit (HBS)

o  Geography of Genius (Weiner)


Strategic Execution

o  Achieving the Execution Edge (Bart & Schreiber)

o  When Strategy Execution Marries Risk Management (Ow)

o  Seven Strategy Questions (Simons)

o  Strategy that Works – How Winning Companies Close the Strategy-to-Execution Gap (Leinwand & Mainardi)

And from the book above “Strategy beyond the hockey stick” I found the authors had an interesting favorite list of their own:

  • Strategy: A History

  • The Innovator’s Dilemma

  • Good Strategy/Bad Strategy

  • The Art of War

  • Coopetition: a revolutionary mindset…

  • The Lords of Strategy…

  • Antifragile: things that gain from disorder

  • The signal and the noise…

  • Thinking fast and slow

  • Decline and fall of the Roman Empire

  • On war

  • The strategy of conflict

Areas to improve in ERM

The Center for Excellence in ERM at St. John’s University recently released the white paper “The ERM Journey.” While navigating strategy and disruptive risks gets many headlines, some fundamentals are still necessary for ERM to be effective. The study shows:

  • 33% of ERM executives do not agree that their assessments are accurate,

  • 48% do not look at risk connections/correlations,

  • 58% have had unidentified risks impact them (surprises?), and

  • only 46% agree that decision making involves explicit consideration of risk.

The lesson? Get better at how you identify, how you assess, and get involved early (if possible).

Using key risk drivers to enhance action plans

There has been talk about key risk indicators, bow-ties, etc. for some time. However, one extra reason to at least set up these risk driver scenarios is that it can help:

  • identify new risks, and

  • help get better metrics.

When forced to not just identify metrics but to first think through the drivers and consequences of the risks, executives begin to see new risks as their minds work through what’s causing the risks. Additionally, as they consider the final and most probable drivers, they then, and I would argue only then, can get the best possible metrics to manage the risk.

Other reasons why ERM adds value

The Center for Excellence in ERM at St. John’s University recently released the white paper “The ERM Journey.” One thing that stands out in that white paper is how ERM executives believe value is added. But the key to understanding that value is insight into why it adds value. A couple of reasons stand out:

  • 54% of ERM executives believe they add value because they helped their organization identify previously unknown risks.

  • 76% of ERM executives believe they add value by helping their organization understand the real risks.

Discovering new risks and finally understanding risk is all about moving some unknowns into the known area. It’s got to add value.

Ways to add value with ERM

The Center for Excellence in ERM at St. John’s University recently released the white paper “The ERM Journey.” One thing that stands out in that white paper is how ERM executives believe value is added.

One obvious answer is to build the ERM infrastructure. Table 1 shows that high performing ERM companies have a higher percentage of agreement with the statement “We have the necessary infrastructure to support the ERM process.”

A second method is to integrate ERM better and in the right areas. Table 2 shows that high performing ERM companies have higher percentages of ERM integration in strategy, operations, and finance.

A third method shows up in Table 3. While building and integrating are important, some of the big ERM wins come from helping the culture become risk aware, building a relationship with risk owners, bringing “ah-ha” moments, and things like having business leaders promote and embed risk in their areas.

How ERM can help alleviate board pressure on disruptive risks

Adaptive Governance & Challenge. “In the Commission’s view, this will require boards to build… adaptive governance, which we define as… active involvement by directors in setting and maintaining a boardroom culture that is centered on open discussion, constructive challenge…” (NACD, 2018).

- ERM Reaction: practice a challenge culture or contrarian view when risks are presented. Encourage boards to do the same. The goal is for the greater good of the organization.



Question Legacy Business Models. Allegiance to legacy business models with reluctance to question their future viability is a red flag according to board guidance (NACD, 2018).

- ERM Reaction: include business model risk analysis in your risk assessment.



Boards assess emerging risks. “The board should carry out a robust assessment of the company’s emerging and principal risks. The board should confirm in the annual report that it has completed this assessment, including a description of its principal risks, what procedures are in place to identify emerging risks, and an explanation of how these are being managed or mitigated. Principal risks should include, but are not necessarily limited to, those that could result in events or circumstances that might threaten the company’s business model, future performance, solvency or liquidity and reputation. In deciding which risks are principal risks companies should consider the potential impact and probability of the related events or circumstances, and the timescale over which they may occur.” UK Corporate Governance Code 2018.

- ERM Reaction: First, strengthen your emerging risks process. Second, include business model risk analysis in the process. Note, if you’re not in the UK you might be tempted to ignore this UK Guidance but it captures the growing pressure on boards over emerging risks and business models.



Exogenous Risks. “Boards have concerns about less controllable, exogenous risks.” 2019 NACD Corporate Governance Outlook. 

- ERM Reaction: Convince the board how you’ve done this. Use black-swan or disruptive workshops to attempt to pull out these risks.


Trigger risks. “Trigger events or risk thresholds are not always clear in advance: even if their causes are relatively familiar, these risks may ‘develop in a non-linear manner,’ as a result of ‘tipping points that might be detectable only in retrospect,’” Board Oversight of Disruptive Risks (NACD, 2018).

- ERM Reaction: Identify which risks could be the tipping point or the trigger. Develop key risk indicators, risk drivers, or mind maps to help see the triggers. Managing/monitoring the non-trigger risk could be too late.



Assess vulnerability to Disruptive Risks. “Establish time on the board agenda, at least annually, for a substantive discussion of the company’s vulnerability to disruptive risks. Consider using approaches such as scenario planning, simulation exercises, and stress testing to inform these discussions.” NACD, 2018

- ERM Reaction: Just do it.



Skills to Navigate Disruptive Risks. Boards should invest in the skills—within the organization and on the board itself—needed to navigate disruptive risks. (NACD, 2018).

- ERM Reaction: lead or train your board on how to identify disruptive risks and link them to the business model. Ask them to include ERM and Board Risk Oversight training as part of the new board member onboarding/training.

Big Problems are Opportunities (comments by Clayton Christensen) - An Opening for ERM Executives

This interview with Christensen points out that companies must address disruptive innovation (his first book) but his latest work also discusses problems and opportunities.

“His solution is simple, profound and right in front of your face: See big problems as big opportunities. Look for the intersection of non-consumption and what he calls “jobs that must be done.” Then create products—and processes—that serve those needs. By doing so, you’ll harness what he terms “market-creating innovation”—by far the most profitable, disruptive force in business (think electric light, iPhones and the Model T).”

For the practicing ERM executive or board member there is a valuable insight here. Look at your biggest risks on your map or register and seek the opportunity and upside of that risk instead of just identifying the risk and developing action plans. In other words, challenge management to think through the risk and find the opportunity. I’ve met one CRO that does this on their top risks in designated risk opportunity workshops. 

Corporate Risk Disclosures in Manufacturing: A U.S. and Japanese Comparison

A company’s annual report offers a description of that organization’s business and the risks it faces. Risk disclosures are an important part of that report and should provide external stakeholders with valuable information about significant risks.

This research study represents an analysis of risk factor disclosures from large manufacturing companies on both the Tokyo Stock Exchange (TSE) and the New York Stock Exchange (NYSE).

English version

Japanese version