
12 risks to navigate as part of your digital work (Part 2)

This is Part 2 in a 3-part series where we explore the 11 types of risks you need to manage as you navigate the digital transformation journeys you are supporting.

Our progress so far

In "12 risks to navigate as part of your digital work (Part 1)" we:

  • Defined risk
  • What it means to you as a Digital Leader

In this Part 2 post we:

  • Explore example projects and use cases that you will meet in your Digital Leadership journey as a CEO, C-Level, Executive or product manager.
  • Touch on the various angles you need to consider to create a risk profile and make informed decisions around the work you are engaging in.

Using actual examples

Let's explore some examples that you may meet as part of digital work engagements.

As you read through these 4 use cases, try to identify whether you have worked on similar projects in the past.

Take note of any key areas or considerations that:

  • Need to be better handled for success.
  • Introduce unnecessary or avoidable risk.
  • Reduce risk when handled or planned for.
  • Can benefit from a better risk management infrastructure.

I suggest you also try and notice the range of cross-functional teams involved as you assess the risk profile and impact of each consideration.

Use case 1: You are releasing an update that changes how you manage data within your product or website

Servers showing scope to consider in de-risking processes

Typically covering what information you save, where you store it, how you intend to use it, who has access to it, etc.

You need to consider whether the data:

  • Is held on systems that belong to you and are under your management?
  • Is stored on systems that are certified to meet international-grade compliance requirements (e.g. as done by Microsoft publicly sharing country-specific compliance audits, industry-specific audits, GDPR policies and other Data Transfer policies)?
  • Is saved on systems within specific regions/countries?
  • Is stored in encrypted form, and to what strength?
  • Can be replicated or transferred to alternative regions/countries?
  • Is protected by strong access control policies and technology solutions?
  • Is hardened by strong auditing capabilities that capture who accessed what, when and from where?
  • Is available 24/7/365?
  • Is subject to set SLAs and performance KPIs?
  • In the case of a security incident report, where will people go to enquire? Support? What is the expected response time?

Microsoft compliance center

Note how only a couple of these relate to the actual change in handling capabilities; most are there to ensure you can monitor, protect and manage eventualities and customer queries.

Your findings/outcomes may trigger the need to introduce additional technology or updates while also updating legal documentation and notices such as End User License Agreements (EULAs), Privacy & Data Protection Policies, Terms & Conditions, etc.

The legal team, typically within the office of the CFO, governs these agreements and is not necessarily renowned for its agile practices. If not handled in time, these risks may be so high-impact to your organisation that they cause your project to be delayed (leaving you to deal with the consequences of why they were not handled earlier).

Use case 2: Changing how you license products, licensing agreements or prices for your services

Impact of risk assessment. Licensing of products and agreements

These changes require consideration with Sales, Channel Partners and operational systems to ensure you can implement the desired changes in licensing approach. Additional stakeholders may be needed to back up your changes with communications that are understandable and acceptable.

Typical considerations include:

  • Are you clear on your target licensing model: subscription, perpetual, pay-per-use, other?
  • Is the licensing model pre-paid in full, pre-paid in credits/units to be consumed, post-paid?
  • How do you plan to convert over 50% of your existing base to this new model, and over what time?
  • How will this be priced across regions, and in what currencies?
  • How does your pricing compare to the market capabilities you have? If you are charging 40% more than your competition, are you providing at least 40% more value than them? If not, what is your rationale for people to stay with you?
  • Are your licensing bands restricting value or capabilities to existing customers that may be using them?
  • Are there any existing bundles or cross-sell offerings that need to be retired with this move?
  • Have you scoped out your go-to-market message highlighting the customer value in moving to this new model?
  • Are your partners aware, set up and able to transact in this model?
  • Are your new offerings encoded in SKUs with descriptions that can be ingested and loaded into partner systems?
  • Are your operational teams able to receive orders and translate order components into customer entitlements?
  • Are there volume discounts planned out?
  • Are the sales teams and sales engineers enabled to understand and support transformations?
  • Are in-product communications aligned and personalised when they are sold direct, through distribution or reseller?
  • Are your evaluation periods impacted?
  • Are you soft-launching or hard-launching? What does it mean to your existing customers and partners?
  • Are you going to have a grace period for people who recently acquired and want to migrate to the new model?
  • Are you going to have a grandfather policy for existing customers, and for how long?
  • Is your user documentation updated to cover common questions, or will you rely on marketing, sales and support channels?
  • How is your renewal stream expected to be impacted?
  • How are your new sales rates expected to be impacted?
  • Has anyone in your industry done this before?
  • How will you measure and know that the strategy is working or failing?

Unlike the earlier example around data, these considerations are primarily strategic, often needing proxy data, KPIs and marketing research to determine the risk level assessment of your next moves.

Use case 3: Putting a product in end-of-life

Hard decisions. Mapping opportunities to action

Putting a product in end-of-life is an extremely sensitive operation, often requiring a deep understanding of:

  • The current product usage landscape.
  • Financial impact.
  • Cost of migration.
  • Expected impact to your support organisation.
  • How customers will be guided and given time to discover and migrate to alternative options.

Does your end-of-life plan cover these:

  • How many customers are using the product today?
  • Did you determine the total count of subscriptions/customers using the product?
  • How many customers are using your solution for free?
  • How many are using it as 'Not For Resale'?
  • How many do not have active support contracts?
  • How many have active support contracts, and when do they expire: within the next 12, 24, 36 months?
  • By when will all customers with active subscriptions/maintenance agreements expire?
  • How long have these companies been using this solution?
  • How many customers are on older versions?
  • How many units/nodes are serviced per customer of the solution?

Read more about this at "How to end-of-life a product with minimal disruption."

Use case 4: Digitalising an existing process

Digital transformation in action

While all done for the betterment and advancement of the business, does your digitalisation project have clarity around:

  • What you are doing and why?
  • What is the value it will deliver to the business?
  • Who is involved as a stakeholder?
  • How will stakeholders use the system and access reports needed?
  • Are they the only people who can access the data?
  • Are there specific pieces of information that require more protection than others?
  • What technology stack is shortlisted and why?
  • What is the cost of initial implementation (or Minimum Viable Product - MVP)?
  • What is the cost of maintenance?
  • Are there any OEM costs that need to be considered?
  • If using a no-code approach like MS Power Platform or hosting on online services like MS Azure or Amazon AWS, what are the ongoing licensing/hosting costs?
  • Are these part of the budget plan?
  • Is this to be developed in-house or outsourced?
  • What is the time needed to develop the MVP, and what is the estimated time frame?
  • Will this be maintained in-house or outsourced? If hosted in-house, what monitoring is needed to ensure continued availability? Etc.
  • Why do we need to do this now?
  • What is the impact of not doing it or delaying it?

Key Take-away: Risk management is a team sport

People sitting around a table discussing risk

As Matt Kunkel articulated in one of his Forbes articles:

Sports can teach us a lot about life. As children, many of us learned discipline, work ethic and the importance of collaboration through sports. The lessons don't stop once we enter the business world. In fact, when it comes to approaching risk management, a "sports" mindset is a good starting point.


Things to consider to know if your organisation is applying good risk management practice:

  • Are your teams able to express work outcomes in terms of risk qualities across all levels of the organisation?
  • Have you had organised conversations with your teams to identify, document and categorise risks your organisation faces?
  • Do you have an organisation-wide software solution that is capable of capturing, communicating and escalating risks to the appropriate teams or stakeholders effectively?
  • Do your senior leadership team have visibility to the risk assessment outcomes?
  • Do your senior leadership team periodically inquire about the risk assessment of the business?
  • Are your projects prioritised based on their risk impact and effectiveness in managing risk?
  • Are you in need of exploring and implementing a more formal Quality Risk Management program in your organisation?

Forming a team to successfully handle risk management is similar to forming a football team. Both involve leaders making decisions focused on the long-term health and success of the team, specific groups handling day-to-day operations and tactical activities, and ultimately, someone specific in charge of handling the finances.

Wrapping up

As a digital leader, you are constantly taking intentional actions to reduce the emergence of risks that can negatively impact your ability to advance financially, operationally or reputationally.

In "12 risks to navigate as part of your digital work (Part 1)" and Part 2 (this post) we:

  • Defined risk.
  • Expanded what it means to you as a digital leader.
  • Explored example projects and use cases that you will meet in your Digital Leadership journey.
  • Touched on the various angles you need to consider to ensure you have enough information to create a risk profile and make informed decisions.

In "12 risks to navigate as part of your digital work (Part 3)" we compartmentalise and explore the 12 types of risk you will meet as a Digital leader.

Use the framing and understanding we explore in this risk series to better your understanding and articulation capabilities around the way businesses:

  • Talk about the value of work, and
  • Raise concerns and risks around work ongoing across the business.

Let us know what you think! We believe in productive discourse and welcome opportunities to refine our understanding through discussion. Comment in the comments area below or reach out on hi@andremuscat.com
