• Phil Venables

Risk Megatrends - Updated

Megatrends are long-term, large-scale forces that shape the world around us. They are the driving forces that have tactical consequences and also manifest at a strategic level. In identifying and following megatrends it is possible to plan further ahead, take advantage of these epic forces and to position yourself to ride these in the right way.


  1. Mass Digitization – "Software Eats the World". All businesses have become or are becoming digital businesses, and the amount of software and infrastructure is increasing dramatically. Everything is connected and expected to work 24x7, so we feel the impact of events more closely, whether it’s a bank system outage or an airline delay. There are fewer and fewer manual fallbacks. Resilient systems have to be good at tolerating component failure: in an Internet-scale environment, even meeting 99.999% reliability per component can still mean tens of thousands of component failures per day. The goal is not to avoid failure absolutely but to operate despite it.

  2. Extended Enterprise – the API Economy. There will always be some physical store fronts and customer interactions through web and mobile apps, but more businesses will be constructed from components connected by Application Programming Interfaces. New products are constructed from vendor-provided components that are stitched together and frequently re-combined. Not only do organizations have to worry about their own downstream 3rd, 4th or even 5th party relationships, they also have to worry about the customer’s environment that connects to them.

  3. Managing Concentration Risk. One consequence of the API economy is more exposure to network effects, which in many cases creates Pareto distributions in how services are provided. This results in many large markets being dominated by a few key service providers, which can represent concentrations of certain risks. The existence of this megatrend is usually positive, as there are economies of scale and function that deliver overall risk reduction in those services. The concentration is generally recognized and planned for by the services sitting at the junctions of this concentration. Increasingly it is also important for consumers of those services to manage their consumption in resilient ways.

  4. Automation and Digital/Physical Convergence – Rise of the Robots. Manual processes will continue to be automated, often in fundamentally good ways but sometimes just glued together with scripts (so-called Robotic Process Automation). This may well reduce the operational risk of manual error, but it can also increase the risk of unintended consequences and leave environments with less slack and natural resilience. How many major issues have been detected by people spotting something that just “didn’t look right”? Autonomous agents and AI will have tremendous benefits but will also carry risks that need to be managed, and will present new attack surfaces. The operational risk consequences of all this will be further amplified as automation more regularly changes both the virtual and physical worlds: managing "digital twins" might be just as risky as managing the actual physical object.

  5. Sovereignty Reigns Again. Many nations or jurisdictions are finding it necessary, for various reasons, to enact (or reiterate) laws and regulations that dictate the provision of services and the storage of data within their control. Organizations will need to adapt to this while still preserving resilience, distribution and the management of concentration risk. Fortunately, new technology architectures, cooperative deployment arrangements and innovative controls will make that balance possible.

  6. Programmable Instruments – Virtual Everything. While the future of crypto-currency is unclear, it seems more likely that programmable money and other instruments based on the use of distributed ledger technology/stable-tokens will stimulate business process redesign. This has the potential to reduce current operational risk – if done correctly (but, that's a big if).

  7. Hazardous World – "An Age of Rage". We will continue to be challenged by geo-political events and conflict (often with cyber consequences), disease, climate risks, misinformation and information warfare operations and much more. Many of these will carry more perceived risk than actual direct loss exposure – but given Risk = Hazard + Outrage we will likely have to care just the same.

  8. Complexity Management - Rise of the Cartographers. As our physical and digital worlds become more complex and interdependent, risk transmission (across many kinds of risk) will bring more surprises. It becomes an imperative for risk professionals across all risk disciplines, especially cyber, to develop increasingly reliable and up-to-date maps of their environments at multiple levels of abstraction. These ever more effective maps will be needed for proactive risk identification as well as for event response - from running scenario analyses to find supply chain hot spots, to finding embedded software vulnerabilities deep in your code or dependencies.
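The "maps" of megatrend 8 and the "hot spots" of megatrend 3 can be made concrete with a dependency graph. The following is an added example, not code from this post: it builds a small constructed graph of products, internal services, vendor components and libraries (the names are invented), then answers the two questions the post raises - which top-level products are transitively exposed when one deep component (a 4th or 5th party) turns out to be vulnerable, and which components so many products depend on that they are concentration risks.

```python
"""Dependency map: blast radius of a vulnerable component and concentration
hot spots. The graph below is a constructed illustration, not real data."""
from collections import defaultdict, deque

# Constructed example. Each key depends directly on the listed nodes.
# Products sit at the top; vendor components and libraries below them.
DEPENDENCIES = {
    "web-storefront":  ["auth-svc", "payments-api", "cdn-vendor"],
    "mobile-app":      ["auth-svc", "payments-api", "push-vendor"],
    "partner-api":     ["auth-svc", "ledger-svc"],
    "admin-portal":    ["auth-svc", "cdn-vendor", "lib-json"],
    "payments-api":    ["auth-svc", "ledger-svc", "vendor-kyc"],
    "auth-svc":        ["identity-vendor", "lib-jwt"],
    "ledger-svc":      ["lib-db-driver", "lib-json"],
    "vendor-kyc":      ["lib-json"],
    "identity-vendor": ["lib-jwt"],
    "push-vendor":     [],
    "cdn-vendor":      [],
    "lib-jwt":         ["lib-json"],
    "lib-db-driver":   [],
    "lib-json":        [],
}


def transitive_dependencies(graph, node):
    """All nodes reachable from `node` (excluding itself). The visited set
    makes this safe on graphs that contain cycles."""
    seen = set()
    stack = list(graph.get(node, []))
    while stack:
        n = stack.pop()
        if n in seen:
            continue
        seen.add(n)
        stack.extend(graph.get(n, []))
    return seen


def reverse_graph(graph):
    """Map each node to the set of nodes that depend on it directly."""
    rev = defaultdict(set)
    for node, deps in graph.items():
        for d in deps:
            rev[d].add(node)
    return rev


def top_level_services(graph):
    """Nodes nothing else depends on: the externally facing products."""
    rev = reverse_graph(graph)
    return {n for n in graph if not rev[n]}


def affected_by(graph, vulnerable):
    """Blast radius: every node that transitively depends on `vulnerable`."""
    return transitive_dependencies(reverse_graph(graph), vulnerable)


def affected_services(graph, vulnerable):
    """Only the top-level products inside the blast radius."""
    return affected_by(graph, vulnerable) & top_level_services(graph)


def dependency_path(graph, src, dst):
    """Shortest chain of dependencies from `src` down to `dst` (BFS), or
    None. Its length, in edges, is how many 'parties' removed `dst` is."""
    prev = {src: None}
    queue = deque([src])
    while queue:
        n = queue.popleft()
        if n == dst:
            path = []
            while n is not None:
                path.append(n)
                n = prev[n]
            return path[::-1]
        for d in graph.get(n, []):
            if d not in prev:
                prev[d] = n
                queue.append(d)
    return None


def concentration(graph):
    """Fraction of top-level products that transitively depend on each node."""
    services = top_level_services(graph)
    counts = defaultdict(int)
    for s in services:
        for d in transitive_dependencies(graph, s):
            counts[d] += 1
    return {d: c / len(services) for d, c in counts.items()}


def hot_spots(graph, threshold=0.5):
    """Nodes that at least `threshold` of products depend on, most shared first."""
    return sorted(((d, f) for d, f in concentration(graph).items() if f >= threshold),
                  key=lambda x: (-x[1], x[0]))


if __name__ == "__main__":
    print("products exposed to lib-db-driver:", sorted(affected_services(DEPENDENCIES, "lib-db-driver")))
    print("path web-storefront -> lib-json:", dependency_path(DEPENDENCIES, "web-storefront", "lib-json"))
    for node, frac in hot_spots(DEPENDENCIES):
        print(f"{node:16s} {frac:.0%} of products")
```

On this constructed graph a defect in lib-db-driver, which no product imports directly, reaches three of the four products through ledger-svc and payments-api, and four nodes (auth-svc, identity-vendor, lib-jwt, lib-json) sit under every product, which is exactly the Pareto-shaped concentration megatrend 3 describes. The same two queries run unchanged over a real inventory (an SBOM, a service catalogue, or a vendor register) once it is loaded into the same adjacency-list shape.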

Bottom line: if your strategy for managing risk depends on any of these not being true then you might want to challenge that.
