What is Digital Risk Management?

Risk management is a recurring theme across all management disciplines. Traditional frameworks — from project management and service management, to IT governance and enterprise architecture — consistently emphasise its importance. Even Agile frameworks acknowledge its value.

Essentially, risk management is (or rather should be) a way to deal with uncertainty. However, in practice, it is often applied as a bureaucratic exercise, ritualistically following procedures without a proper understanding of their purpose or impact.

One reason for this is magical thinking (or what we call the “cargo cult” of risk management): the conviction that risk will be managed correctly just by applying a predetermined set of procedures.

Another reason is a shift in purpose from actually managing risks, to demonstrating that the prescribed risk management activities have been performed. In this case, the real focus becomes compliance: proving that appropriate controls are in place in order to meet regulatory requirements and internal policies.

As a result, risk management tends to exhibit a strong bias toward threat mitigation (and especially toward security-related threats), while completely overlooking the management of opportunities. However, in business like in sports, a team that focuses solely on defence and neglects offence will eventually become ineffective at both.

The most pressing challenge that businesses face today is how to navigate continuous waves of disruption driven by cutting-edge technologies, such as artificial intelligence, the Internet of Things, blockchain, robotics, and cloud computing. Technological acceleration has made the digital world VUCA: Volatile, Uncertain, Complex, and Ambiguous. Consequently, it is crucial to shift the approach to business development from a deterministic “if-then-else” view to a probabilistic “if-then-maybe” one, aligning more closely with the Agile mindset that emphasises adaptability, experimentation, and continuous learning.

“Digital Risk Management” is the continuous process of identifying, assessing, prioritizing, and treating both positive and negative risks, to optimise their impact on the enterprise’s objectives. Effective Digital Risk Management helps enterprises thrive in an increasingly hypercompetitive digital landscape.

It is important to stress that Digital Risk Management is not a break from traditional risk management, but rather its natural evolution in a context where, as highlighted in The DevOps Handbook, every organization can be viewed as a technology company, regardless of the sector in which it operates[i].

Many technological innovations do not originate from novel inventions, but from recombining pre-existing ideas and technologies. For instance, blockchain technology is rooted in the integration of peer-to-peer networking, cryptography, and a revised form of double-entry bookkeeping.

Similarly, artificial intelligence has advanced thanks to the convergence of enhanced computational capacity, large-scale datasets, and decades of algorithmic research; while cloud computing emerged from the combination of virtualization, distributed systems, and high-speed internet connectivity.

Management disciplines should follow the same approach, by contextualizing their longstanding principles in light of the new conditions. Digital Risk Management (DRM) exemplifies this approach by reconfiguring traditional risk practices to address the contemporary digital reality. Within the context of ongoing digital transformations, DRM may be re-envisioned as comprising the following components.

A rigorous definition of core risk concepts is foundational to effective risk management. In a VUCA environment (defined by volatility, uncertainty, complexity, and ambiguity), there is a new relevance for 20th-century concepts such as epistemic probability (which has been developed by epistemology and Bayesian theory).

Such concepts address the fundamental challenge of reasoning and making decisions under uncertainty in digital contexts, where every phenomenon unfolds from a unique and unrepeatable configuration of conditions, forces and variables at play — the effects of which are often nonlinear and complex to isolate.

Decomposing a risk into its constituent logical components, and understanding their interdependencies, enables better observation, analysis and control of each, thereby offering more opportunities for effective intervention.

Every risk can be understood as a combination of the likelihood of an event and its effect size (should it occur). For example, consider a company that wants to enter a new market segment, and has an opportunity to displace an already established competitor. This opportunity can be conceptualised as the product of the likelihood of success and its effect size (i.e., the extent of the captured market share).

The likelihood of achieving the objective, however, depends on several sub-factors. One is the degree to which the target is accessible or protected by entry barriers: to gain a better understanding of this aspect, the company can try to acquire deeper knowledge of the targeted customers. Another is the company’s confidence in initiating action, based on a business case that weighs benefits, costs, and risks (including potential counterattacks from competitors).

Other factors include the possibility of catching competitors off guard (thereby preventing defensive actions) and the relative capabilities and resources mobilised by both the company and its competitors.

Finally, note that the overall effect of successfully capturing an asset may exceed its intrinsic value: for instance, it may also enhance the company's reputation. Social networks, in particular, can serve as powerful amplifiers of both victories and defeats — as is often the case in sports, where fans, media, and viral attention quickly magnify a match’s outcome.

Targeted controls are specific to each element of the Risk Conceptual Decomposition. They can be exercised both by actors pursuing an opportunity (i.e., seeking to overcome obstacles and gain access to some value) and by those defending against a threat (i.e., trying to avert loss or disruption).

In both cases, controls help reshape the probabilities and the potential effects of unfolding risk scenarios, transforming risk management into a dynamic and bidirectional process that is more similar to a game than to a purely defensive mechanism.

The process of risk management encompasses the identification of risks, their qualitative and quantitative assessment, and the iterative planning and execution of risk responses, which involve the deployment of a balanced set of RCD-based controls. Throughout the process, the communication and management of risk-related assumptions and information are maintained as ongoing activities, ensuring transparency and adaptability.

Digital Risk Management may operate as a stand-alone process at the enterprise level, in business operations, and in contexts where non-Agile approaches are adopted. At the same time, in Agile environments, it should function as a complementary technique embedded within existing frameworks.

Agile can be regarded as intrinsically concerned with risk management, as it progressively reduces uncertainty iteration by iteration[i]. Therefore, iterative and incremental methodologies (such as Scrum or AgilePM3) can incorporate DRM as an integrative layer.

Following this approach, Scrum Product Owners should identify risks by specifying their agents and causes, the risk events, and their effects on assets; then estimate them and assess their monetary value to prioritise them alongside other Product Backlog items. Should one give priority to a backlog item that will generate a guaranteed profit of one million within a year, or to an opportunity that has a 50% chance of yielding three million in the same period?

Traditional techniques, such as Monte Carlo simulations, can be used to provide accurate estimates of the likelihood and effect of each element of the RCD. A Decision Tree may help the Product Owner optimise the order of items in the Product Backlog by taking into account the non-linear nature of value.

Moreover, just as backlog refinement breaks down coarse user stories into finer ones, risks can be decomposed into their multiple causes using Fishbone Diagrams, thus enabling the targeted reinforcement or mitigation of each. If we know which butterfly in Brazil will cause a tornado in Texas, we can easily take it and nail it to the wall, thus avoiding the risk with very small expenditure.

During each sprint, developers can plan and implement the controls provided by the RCD for its various elements. More importantly, they can test the modelling of each identified risk and the controls applied to it, by following the Deming cycle (Plan, Do, Study, Act).

The human mind wants to base choices on certainties; however, in a VUCA world, certainties are often illusions. Those who fail to learn how to manage risks cannot compete; the remedy lies in cultural change. Again: imagine one company invests in a backlog item that will generate a guaranteed profit of one million within a year, while another puts its resources into an opportunity that has a 50% chance of yielding three million in the same period. Which is better positioned to survive digital disruption?

The primary benefit of Digital Risk Management is not the increased effectiveness in mitigating digital threats; it is the ability to restructure the enterprise in order to increase its long-term adaptability and survival.

DRM seeks to transform enterprises into fractal systems, capable of continuously exchanging information and knowledge, and of replicating effective operational models across multiple levels of the organisation. An enterprise practicing DRM develops adaptive, self-similar structures that enhance flexibility, promote knowledge sharing, and sustain long-term competitiveness, while also establishing a framework for AI-enabled risk modelling and decision-making.

This structural transformation enhances the organization’s capacity for continuous learning, positioning it to capitalise on digital opportunities and to achieve sustained competitive advantage.

To build effective risk management capabilities, enterprises can reuse proven methods from fields such as military science and cybersecurity. Scenario-based military exercises and cybersecurity’s purple teaming can be adapted to business contexts.

For example, one internal team can simulate a competitor’s attack, while another team responds by fixing exposed vulnerabilities and launching countermeasures, and a third team plays the role of customers, deciding which side to support.

This type of simulation not only strengthens teamwork and competitive thinking, but also accelerates the development of a Digital Risk Management culture — one where resilience, adaptability, and data-driven decision-making become integral to the enterprise.

Digital Risk Management transforms disruption into momentum, making it the engine of effective and sustainable growth in the digital age.