An Effective Risk Management Methodology for an Innovation is…

We all know that innovation-centric mindset is a cool skill and when someone wants to make a proper career, working on a destructive technology always makes a profit. However, human history is full of catastrophes caused by unpredictable risks. It is also pretty weird that we all tend to see every ‘’ danger’’ more important than it is. (a.k.a negativity bias) It is completely another philosophic discussion and I never understand why we always more motivated to get the innovation and ignore the risks it creates. I mean, just think a minute the (un)happy endings of destructive innovations of human history;

  • 2008 Financial Crisis
  • Ups and Downs in Cryptocurrencies
  • Cold-War Era or
  • Countless cyber security cases and I think we can count hundreds more…

What I’m trying to tell is, it is not fortune-telling that recent innovations like IoT, big data, cloud applications or blockchain have some risks and these risks will cause some troubles for some people, nations or companies as well. Real pioneers of the technology should aware potential innovations have some risks and these risks may cause a (un)happy ending for them.

If you have the right resources, you can easily find the risks and manage them. Of course, it’s a reasonable idea that risk management is growing slower than the innovation itself because you should first ‘’innovate’’ to define the risks. Besides, you don’t have time to manage the risks while innovations are so hard to keep up with.

The solution is pretty straight-forward, you should have a methodology that covers all (I understand there is no all, so the best you can do is ‘’ most of the’’) risks for an innovation. The steps that you need to perform is only an expertise area and you can integrate these to your methodology with the right expert. And I assume that you have gone through the first risk of an innovation: Finding the right people. If you don’t achieve that then you probably fail before you assess the risks of the innovation.

So, let’s ask these questions for your company and build an effective risk methodology with answering the questions;

1. Do I have the right people for the innovation: It’s not a shame for a company to ask this to itself. I think that this is the biggest obstacle for the successful implementation of an innovation. If you don’t have the right person, just don’t start.

2. What are the risks: In my perception, the steps are taken without considering the risks are meaningless. Define the risks.

3. Who is responsible for the risk: There is always someone to be asked when something goes wrong. Therefore, find a responsible and tell him/her that he/she is responsible for every success and fail of the process.

It is very important to define the following personas for a risk. Of course, you can define a person in multiple roles, but at this point you should not forget to establish a control mechanism for risks.

Risk Management Owners

4. What are the root-causes and the potential impacts of the risks: Understanding the reasons and the potential impacts are one of the most important dimensions of innovation. If the impacts are not so noteworthy, just ignore the risk.

5. What are the possible actions can be taken for these risks: Yes, we decided that we have some risks and one of the most important questions is ‘’what can we do?’. So just list the possible actions for these risks, assign a responsible person for it and put a deadline and track these actions.

6. What are the key risk indicators and how can we automate it: This is the MOST IMPORTANT and the MOST EFFECTIVE way to track the risks that we have. Finding the right metrics for a particular risk, defining the thresholds for it and track the values automatically. Raw material price fluctuations, payment term changes in a particular order, penalties or new laws due to regulations are just a few examples for thousands of possible controls for particular risk indicators of innovation. Just keep in mind that, tracking these values are the most ‘honest’ indicators of the risk. By the way, there is a common confusion; what is the difference between an automated control and a key risk indicator? In my opinion, to build an effective compliance culture in an organization, three layers of control framework should be as below;

Three Layers Of Control Framework

7. Can we analyze these risks: Experts can analyze the risks periodically. Considering key risk indicators, response deadlines and analyzing the current situation of a risk is examples of the most valuable actions can be taken. Besides, executives like to see the risks and how they evolve within a period with meaningful metrics. It’s also important to gain a holistic view of the process.

8. Can we define a lifecycle for risks: Every risk arising from new technologies grows and dies. All the steps we discussed before should be involved in this lifecycle so that we can keep track of the risk at the right time with the right people. An example lifecycle of a risk can be as below;

An example lifecycle of a risk

9. Can we aggregate the risk scores according to our strategic goals: This is a common challenge for the risk people. I call this, “so what” phase. Due to a large number of risks at the operational level, we cannot measure the marginal impact of risks and senior management cannot derive strategic values from these risk data. Thus, companies need an algorithm which collects data from daily operations based on their impacts and shows the overall up and downs of particular strategic goals. Also, depending on the focused fields of your organization, the aggregation algorithm can be run by different objects such as department, location and so on… Let’s assume that we have five risks for the organization to consider;

  • Cyber-security risks
  • Data consistency risks
  • Receivables risks
  • Fraud possibility
  • Leave Cost risks

We can aggregate these risks with different dimensions as below;

9.1 Risks by Operational Categories

Risks by Operational Categories

9.2 Risks by Functional Areas of an Organization

Risks by Functional Areas of an Organization

9.3 Risks by Business Functions

Risks by Business Functions

10. Can we create a “Story” with all of this info: This is the presentation part. As you can imagine, this is the part that you can create value with the bunch of information that you gathered already. You can build a compliance universe with all the functionality you can use, but if none of the key people doesn’t understand and digest the whole story, then there is more than nothing to do with this. Designing “cool” dashboards and visualize and summarize the story is one of the key elements of building a risk-aware culture within your company. There are millions of cool report templates on the web but these are the main criteria that I recommend to consider;

  • Quantify the risk score as much as possible.
  • Categorize the risks by;
    • Business objectives,
    • Functional areas or location,
    • C-level or directorates,
    • Risk categories,
    • or whatever you think it can add strategic value to your organization.

As I said before, there are millions of examples you can use, but here are a few examples that we made before;

Risk Management Analysis
One View Of Risk

Last but not least, we are all fascinated by the opportunities that innovation brings. However, being aware of the risks posed by each innovation can sometimes give us a great opportunity as well. I’m not saying just sit back and never make an investment for the new technologies, but understanding and measuring the risks in a structured way may take you one step further.


Supporting your business processes with emerging technologies is the main goal of our business.