Digital Transformation is a Risky Business

Hi I’m Clive. Thanks for popping by for another Digital Dunk.

Recently I had the opportunity to speak at two events about how we have used risk management at NSPCC to frame and deliver a programme of digital initiatives this year and gain senior management and peer visibility, support and buy-in. We’ve found that it’s a good thing that Digital Transformation is a Risky Business 😊

Tom Cruise in the 1983 movie Risky Business. Fun film but we don’t endorse his chosen mode of fundraising :)

Risk management is very topical in the charity sector right now. Ahead of the recent launch of the Charity Digital Code, independent chair Zoe Amar summarised the key findings of a detailed cross-sector consultation :-

“Charities are facing multiple challenges in digital. We asked them to tell us about what they see as the key issues: 60 per cent said they wanted to increase their digital skills, with 49 per cent stating that they were using digital effectively but wanted take things to the next level; 39 per cent said they needed funding to progress with digital and 36 per cent wanted to know how to manage risk. The breadth of these issues shows the complexity of the problem the code is trying to solve.”

Zoe reinforced the importance of managing risk as one of her top 3 tips in this short video made for Small Charities Coalition (“how to explain the Charity Digital Code in 3 post-it notes”)

Speaking to many digital peers, I’ve found that almost everyone has a digital strategy but few currently have a specified digital risk. Whether that’s appropriate or not depends upon the circumstances and the organisational strategy which is why today’s blog might be helpful.

Managing organisational risk of all kinds at charities is part of ongoing governance and for many is a legal obligation.

The Charity Commission states that

“All charities that are under a legal requirement to have their accounts audited must make a risk management statement in their trustees’ annual report.”

and publishes some excellent guidance .

Other resources for charities include these :-

At a big complex charity like NSPCC, where much of our work to help children and young people is carried out in a high-risk environment, we might have a dozen or so live organisational risks on our “Strategic Risk Register” at any one time. These are managed and monitored by our Audit and Risk committee, which “oversees our systems for quality, performance, risk management and internal controls ensuring that our systems are robust, effective and fit for purpose”.

You can find out more about risk management at NSPCC in our annual report for 2017–2018, particularly pages 56–60.


When I joined NSPCC in May 2017 as Head of Digital, I was asked to review the digital risk identified at that time (2017–2018) which was capability.

Although we closed that risk at the end of the period, I was keen to highlight the ongoing continued development and momentum that the organisation needed to continue progress digitally. With the benefit of several months working in the organisation, I assessed that although we may have pockets of digital excellence and are blessed with a team bursting with talent and commitment, there is still room for improvement.

We never forget that the young people our services help have grown up in a digital-only world.


When I looked at the standard risk measures around likelihood and impact

risks are assessed and scored using an analysis of Likelihood and Impact

I felt I needed something extra to reinforce my observations and to gain support and buy-in.

My desk research uncovered studies like this from PricewaterhouseCooper
which mentioned that in some circumstances a third element was deemed relevant which is “velocity

“Risk velocity measures how fast an exposure can impact an organisation. It is the time that passes between the occurrence of an event and the point at which the organisation first feels its effects. For those risks with high velocity, having the appropriate controls in place in the event that the risk does materialise and impact the organisation, is crucial.” PricewaterhouseCoopers 2017

This was the lightbulb moment for me — by focussing on the PACE OF CHANGE I realised I suddenly had the framework to identify, capture and highlight the areas we needed to improve so that I could define our new digital risk.

With the new overarching risk defined, I could then define how insufficient pace of our digital transformation could lead to a series of undesired outcomes if proper measures were not put in place to measure and prevent.

With so much confusion and subjectivity around buzz words like “digital” and “digital transformation”, and to help give clarity and consistency across a variety of stakeholders, I used the digital risk document to define a common lexicon, for example :-

And then set to work on devising a series of “controls” to deliver positive action to mitigate the risk. These fall under four work streams :-

Finally, I framed these risks through three perspectives :-

Taken together across this financial year 2018–2019,

this programme of digital initiatives (‘controls’) delivers quick and tangible improvements in our operations, skills and strategic understanding to improve performance today and make better plans for tomorrow so that we can do even more to help children and young people.

I’ve learned a great deal from approaching digital strategy from the perspective of risk. Coming from the commercial sector, I am used to scoping opportunities, pitching the upside against a target return on investment (ROI), winning support and being accountable for delivering successful results. Risk is the flipside ie imagining what could go wrong and/or what if something didn’t happen ; and then taking actions to prevent the worst case occurring.

Working with the Risk and Audit committee, Directors and our in-house experts, I’ve needed to learn a new language, process and framework to gain the support and buy-in needed to get the necessary approvals so that the team and I can crack on and get things done.

And that’s why it’s a good thing that Digital Transformation is a Risky Business 😊

Tom Cruise in the 1983 movie Risky Business. Fun film but we don’t endorse his chosen mode of fundraising :)

Thoughts, Comments, Likes and (especially) Shares welcomed. It’s new for us to share learning out in the open, so we’d love to know what you think.

You can read another 20 Dunks and follow us on here at Medium.

And you can find us on Twitter here.

Special thanks to Ludic Creatives who scribed my presentation at the Digital Transformation Conference to make this wonderful summary in one image.