Risk: Mega Trends
I've been thinking more about mega trends applied to risk, specifically operational risk (people, process, technology & external events). Planning for these immense and relentless forces that shape the world is critical. This list is likely not complete.
Mass Digitization – "Software Eats the World". All businesses have become or are becoming digital businesses, and the amount of software and infrastructure is increasing dramatically. Everything is connected and expected to work 24x7, so we feel the impact of events more closely, whether it’s a bank system outage or an airline delay. There are fewer and fewer manual fallbacks. Resilient systems have to be good at tolerating component failure - in an Internet-scale environment even meeting 99.999% reliability can still mean 10,000s of component failures per day.
Extended Enterprise – the API Economy. There will always be some physical store fronts and customer interactions through web and mobile apps, but more businesses will be constructed through components connected by Application Programming Interfaces. New products are constructed from vendor-provided components being stitched together and frequently re-combined. Not only do organizations have to worry about their own downstream 3rd, 4th or even 5th party relationships, they also have to worry about the customer’s environment that connects to them.
Concentration Risk – Winners Take All [the risk?]. The consequence of the API economy is more exposure to network effects, which in many cases create Pareto distributions in how services are provided. This results in many large markets dominated by key service providers, which represent significant concentrations of risk across cyber, resiliency, privacy and other dimensions.
Automation and Digital/Physical Convergence – Rise of the Robots. Manual processes will continue to be automated, often in fundamentally good ways but sometimes just glued together with scripts (so-called Robotic Process Automation). This may well reduce the operational risks of manual error but can also increase the risk of unintended consequences and leave environments with less slack and natural resilience. How many major issues have been detected by people spotting something that just “didn’t look right”? Autonomous agents as well as AI/machine learning will have tremendous benefits but will also carry significant risk and represent new attack surfaces. The operational risk consequences of all this will be further amplified when automation more regularly changes both the virtual and physical worlds - managing "digital twins" might be just as risky as managing the actual physical object.
Internet and National Fragmentation - "Digital Balkanization". Privacy legislation and regulation are crucial, but the ongoing embedding of explicit or implicit data nationalization rules risks fragmenting the Internet and other infrastructure. Internet censorship and restrictions on IT services provision can similarly put pressure on operational risk mitigation strategies that depend on trans-national resilience and common infrastructure controls.
Programmable Instruments – Virtual Everything. While the future of crypto-currency is unclear, it seems more likely that programmable money and other instruments based on the use of distributed ledger technology/stable-tokens will stimulate business process redesign. This has the potential to reduce current operational risk – if done correctly (but that's a big if).
Hazardous World – "An Age of Rage". We will continue to be challenged by geo-political events and conflict (often with cyber consequences), disease, climate risks, misinformation and information warfare operations, and much more. Many of these will carry more reputation risk than actual direct loss exposure – but given Risk = Hazard + Outrage we will likely have to care just the same.
Bottom line: if your strategy for managing risk depends on any of these not being true, then you might want to challenge that.