A little history and context
Jose María Coma Fort, a good friend and expert on Roman law (1969-2015), told me about the importance of the Twelve Tables in Roman law, the precursor to what is now civil law.
The Twelve Tables were the first written code of laws in ancient Rome, created around 450 BC. This set of laws was fundamental to the development of Roman law and established rules for various aspects of daily life, such as property rights, family law, and contractual obligations.
The laws were engraved on twelve bronze tablets and displayed in the Roman Forum so that all citizens could read them. This code sought to guarantee equality and justice by providing a clear and accessible legal framework for all Romans.
There are other references to regulatory frameworks that provide solutions to future problems for the successful coexistence of society. The Code of Hammurabi, created around 1754 BC in Mesopotamia. The Laws of Ur-Nammu, created around 2100 BC in Sumeria, and the Laws of Lipit-Ishtar, drafted around 1930 BC in Lower Mesopotamia.
Why carry out risk management in a digital transformation project?
It might seem strange to think that a reference to Roman law or previous regulations could be useful when talking about risk management in digital transformation. Leaving aside the purpose of each of these, we cannot ignore the fact that, just as in the time of Gaius or Justinian, the Twelve Tables were created to provide a solution to problems that could arise in Roman society, risk management also raises potential problems in order to offer solutions or mitigate their future impact with the actions to be taken in each case.
The Twelve Tables created a structural framework for a legal and equitable environment. With the experience of the present and the past, they provided solutions to future problems or difficulties. In the risk management of a transformation project, we must also put ourselves in context to identify possible cases and possible actions based on established rules and policies in the organisation to anticipate possible future risks and solutions. The way in which principles of protection and redress were sought in ancient societies is similar to how they are now used to establish risk mitigation strategies in the digital transformation of organisations. These strategies involve identifying those responsible who, in the face of risks that have been assessed and prioritised, are capable of reviewing them and taking action to prevent or mitigate their consequences.
Another fundamental point that ancient references teach us is to document and make this public in the initial phases of the project and to carry out periodic reviews. This minimises negative impacts during the transformation process, ensures regulatory compliance and increases the chances of success and sustainability of the project.
This is the first of several articles on risk management. Risk management can be carried out in various fields (health, finance, insurance, construction, etc.), but I will focus on risk management in digital transformation projects, although in more than one case the comments are shared. We will discuss the points that I consider most important and that should be taken into account.
Forming an interdisciplinary team
For me, the most important point is team training. Having the right profiles is a guarantee that risk management will meet the objectives set. From a people perspective, it is important that they have not only technical and analytical skills, but also certain personal skills:
Knowledge of standards and methodologies: They must be familiar with ISO, BS, NIST, ITIL, CRAMM, EBIOS, PMBOK, SCRUM and other methodologies, as well as agile methodologies for risk and digital project management.
Ability to analyse and detect potential risks: They must be able to identify, analyse and prioritise risks both quantitatively and qualitatively.
Knowing how to put risks into context is key to managing them. You must have a global vision and strategic thinking to understand how risks impact business objectives and reflect on how they impact in the short, medium and long term.
Technological knowledge of the project and knowledge of the business in the organisation where it is implemented is essential to understand not only the vulnerabilities that may arise, but also the opportunities it may generate, both from a technical point of view and in terms of the new capabilities it may create in the business.
You must have the ability to solve problems and make decisions under pressure, acting quickly but without rushing and in a thoughtful manner, using criteria that have already been validated in the project.
The importance of teamwork and shared leadership for optimal collaboration, motivation and participation of all members.
Change management is an inherent part of the evolution of a project and risk management, and a culture of adaptation and continuous learning must be promoted.
Methodology and tools
We will discuss the methodologies and tools we use to carry out proper risk management.
Different methodological approaches allow for an optimal structure adapted to each project. As far as possible, bureaucratic procedures should be avoided and a balance should be struck between agility and overly fragmented structures and analysis.
The process can be applied to any type of company, including SMEs, by adapting methodologies and tools, as explained by researchers at the University of Navarra in their article ‘Project risk management methodology for small firms’.
In terms of tools, it is essential to have reporting and decision support systems that enable monitoring to facilitate decision-making.
The impact of technology
We will discuss one of the points to consider in risk management with regard to technology. The technical solution and how it is implemented are essential for adapting to business requirements, so that risk management can anticipate potential problems, reduce negative impact and ensure that digital transformation brings positive and sustainable value to the organisation. Among the points to consider are:
Data security and privacy and access to data.
Business continuity, which is essential for providing good service to our customers.
Regulatory compliance to ensure that the technical solution is implemented in accordance with the laws of each country and the internal regulations of the organisations. Compliance with information security and data protection regulations, continuous reporting, and supplier management.
Technological obsolescence and the evaluation of new emerging technologies, considering the capabilities they offer, their degree of maturity and support.
Evolution and monitoring
In risk management, we must be able to identify and monitor each of the points identified as risks with the associated measures. Just as we can use KPIs (Key Performance Indicators) to measure and analyse performance and see if we are achieving our objectives, we will need to determine KRIs (Key Risk Indicators) to anticipate problems, managing and mitigating risks.
EIS (Executive Information System) and DSS (Decision Support System) platforms, or comprehensive reporting systems, allow us to monitor the risks and KRIs established.
Trends
Not only agile methodologies, but also new technologies enable us to adapt risk management procedures. Blockchain and IoT facilitate risk monitoring, and artificial intelligence and digital twins allow us to make better decisions in managing these risks.
Conclusions
Risk management is important not only for the success of a digital transformation project, but also because it raises potential problems within the organisation that must be corrected, adding value beyond the objectives of the process itself. Risk management is an art that takes into account the composition of the team, knowledge of methodologies and tools, knowledge of the business, technology, risk monitoring, adaptation to change and new trends for efficient risk management. Risks always exist, and the difference between having managed them in advance or not is between making improvised decisions or deciding quickly using criteria agreed upon in advance.
