Phil Venables

Risk Megatrends - Updated

Megatrends are long-term, large-scale forces that shape the world around us. They are the driving forces that have tactical consequences and also manifest at a strategic level. In identifying and following megatrends it is possible to plan further ahead, take advantage of these epic forces and to position yourself to ride these in the right way.


  1. Mass Digitization – "Software Eats the World". All businesses have become or are becoming digital businesses, and the amount of software and infrastructure is increasing dramatically. Everything is connected and expected to work 24x7, so we feel the impact of events more closely, whether it’s a bank system outage or an airline delay. There are fewer and fewer manual fallbacks. Resilient systems have to be good at tolerating component failure - in an Internet-scale environment even meeting 99.999% reliability can still mean tens of thousands of component failures per day. The goal is not to avoid failure absolutely but to operate despite it.

  2. Extended Enterprise – the API Economy. There will always be some physical store fronts and customer interactions through web and mobile apps, but more businesses will be constructed from components connected by Application Programming Interfaces. New products are constructed from vendor-provided components that are stitched together and frequently re-combined. Not only do organizations have to worry about their own downstream 3rd, 4th or even 5th party relationships, they also have to worry about the customer’s environment that connects to them.

  3. Managing Concentration Risk. The consequence of the API economy is more exposure to network effects, which in many cases creates Pareto distributions of how services are provided. This results in many large markets being dominated by key service providers, which can represent concentrations of certain risks. The existence of this megatrend is usually positive, as there are economies of scale and function that deliver overall risk reduction in those services. The concentration is generally recognized and planned for by those services at the junctions of this concentration. Increasingly it is also important for consumers of services to manage that consumption in resilient ways.

  4. Automation and Digital/Physical Convergence – Rise of the Robots. Manual processes will continue to be automated, often in fundamentally good ways but sometimes just glued together with scripts (so-called Robotic Process Automation). This may well reduce the operational risks of manual error but can also increase the risk of unintended consequences and leave environments with less slack and natural resilience. How many major issues have been detected by people spotting something that just “didn’t look right”? Autonomous agents as well as AI will have tremendous benefits but will also carry risk that needs to be managed, as well as representing new attack surfaces. The operational risk consequences of all this will be further amplified when automation more regularly changes both the virtual and physical worlds - managing "digital twins" might be just as risky as managing the actual physical object.

  5. Sovereignty Reigns Again. Many nations or jurisdictions are finding it necessary for various reasons to instate (or reiterate) laws and regulations that dictate the provision of services and the storage of data within their control. Organizations will need to adapt to this while still preserving resilience, distribution and management of concentration risk. Fortunately, new technology architectures, cooperative deployment arrangements and innovative controls will enable balance.

  6. Programmable Instruments – Virtual Everything. While the future of crypto-currency is unclear, it seems more likely that programmable money and other instruments based on distributed ledger technology/stable-tokens will stimulate business process redesign. This has the potential to reduce current operational risk – if done correctly (but that's a big if).

  7. Hazardous World – "An Age of Rage". We will continue to be challenged by geo-political events and conflict (often with cyber consequences), disease, climate risks, misinformation and information warfare operations, and much more. Many of these will carry more perceived risk than actual direct loss exposure – but given Risk = Hazard + Outrage, we will likely have to care just the same.

  8. Complexity Management - Rise of the Cartographers. As our physical and digital worlds become more complex and interdependent, risk transmission (for various risks) will bring more surprises. It becomes an imperative for risk professionals across all risk disciplines, especially cyber, to develop increasingly reliable and up-to-date maps of their environments at multiple levels of abstraction. These ever more effective maps will be needed for proactive risk identification as well as event response - from running scenario analyses to find supply chain hot spots to finding embedded software vulnerabilities deep in your code or dependencies.

Bottom line: if your strategy for managing risk depends on any of these not being true then you might want to challenge that.
