Driving change through innovation risk management

While the two fields may seem antithetical, innovation and risk management are actually complementary disciplines. Risk management is about responding to risks (reducing or exploiting), while innovation processes may involve taking calculated risks.

Bringing risk management practices to innovation efforts can help identify new opportunities for innovation, justify future investments, and mitigate the potential negative outcome associated with failures. For risk managers, innovation techniques offer a way to develop novel solutions to address risks, promote collaboration in the risk management process, and report on risk mitigation activities as part of a larger portfolio of innovative efforts. By blending the two disciplines, public sector organizations can realize a benefit that could exceed the application of either in isolation and can be used to establish mechanisms that help improve outcomes for organizations (figure 2).

In the private sector, forward-thinking leaders have merged innovation and risk management practices for some time now. Consider the example of video game maker Nintendo. Nintendo began its life as a playing card company in 1889, but successfully identified risks to its business model in the 1960s as the world entered the digital age.”² Rather than attempt to mitigate this risk through traditional cost-cutting or operational approaches, Nintendo instead chose to capitalize on the availability of plastic and computerized video games to innovate its product and service suite. The result? Nintendo launched its first video game in 1972 and is now one of the top video game companies in the world.

In the public sector, these disciplines have traditionally been kept separate, often functioning in operational silos, and treated as opposing forces. Only recently have some public sector organizations begun to integrate innovation and risk management practices—with exciting results.

For example, in response to the executive order on improving customer experience in the federal government, the Office of Management and Budget has begun supporting various agencies in mapping the customer journeys for critical life events, including the birth of a child, surviving a disaster, facing a financial shock, and approaching retirement.³ The goal of this initiative is to help agencies “work together—within agencies, across agencies, even across levels of government—driven by customer (human-centered design (HCD)) research (both quantitative and qualitative), rather than within bureaucratic silos, to solve problems.” This approach is rooted in innovation (HCD) but is also an example of managing risk as it seeks to uncover the root cause issues (risks) preventing citizens from accessing services at some of the largest federal agencies and work collaboratively across government to identify and implement solutions.⁴

Part 1: Innovating through risk management

The expectations for innovation roles in government and commercial industry alike are increasingly high. “Innovators” are expected to deliver increasingly complex products, services, and experiences that can compete with market leaders, while failure can often be misconstrued as a result of lackluster effort, insufficient foresight, or poor risk management. On the government side, agencies are expected to offer services that are comparable—whether in efficiency or time to market—to private companies, whether it’s the IRS distributing stimulus payments or federal and state officials coordinating on infrastructure development. These expectations can be further complicated in government settings by the fact that public sector innovation “failure” could be less tolerated by taxpayers and Congressional stakeholders than in a commercial environment.

To help mitigate the risks associated with failure, leading public sector innovators are becoming increasingly deliberate about defining their “risk appetite”—the level of risk they are willing to take on in pursuit of value across their portfolio of innovation work—as part of their broader innovation strategy and metrics definition.⁶ To help reduce the risk of innovation failure, IRM techniques can help innovators understand how much more risk they are actually taking on in pursuit of objectives and how to confirm if they are taking on too much. This, in turn, can help innovators determine specific risk-mitigation techniques they can deploy to minimize the likelihood of risks manifesting and resulting in negative outcomes through the definition and analysis of key risk indicators (KRIs).

The example of Pecan Street Inc. helps illustrate how public and private enterprises can work together to mitigate risks to innovation. In 2019, Pecan Street, through funding from a Department of Energy grant, set out to test how solar power could reduce the use of traditional fossil fuels in generating electricity.⁷ Pecan Street’s goal was to help reduce blackouts associated with power grid failures due to adverse weather events. Their hope was that by creating a “microgrid” or an island of solar-powered houses within a larger area, city planners could be better positioned to restore power and manage demand. The experiment is expected to take some time to complete but is an example of recognizing a risk (increasing blackouts caused by major weather events such as hurricanes or extreme temperatures) and attempting to innovate within a threshold for that risk—that is, knowing they cannot reduce the blackouts to zero, but working to use solar panel microgrids to help reduce the issue and make recovery easier.⁸

The Department of Energy’s Innovative Energy Loan Guarantee Program seeks to de-risk innovations as a step toward greater funding possibilities from the private market. According to John MacWilliams, the first chief risk officer at DOE, “The whole point was to take big risks the market would not take,”⁹ and in doing so, identify the risks to early-stage innovations, solve for them, and prove their viability to the wider private market. MacWilliams felt that “early-stage innovation in most industries would not have been possible without government support in a variety of ways”¹⁰ and we believe the process that we’ve described above could build on these examples of successful government innovation programs and may make it easier for others in government to pursue risk-informed innovations.

Part 2: Addressing risk through innovation

While they are not always accepted as such, risks can also represent opportunities for innovation. It is these risks/opportunities that can provide risk managers a chance of creating an innovative response. Traditional risk management can be reactive; it applies stop-gap solutions to larger cross-cutting issues due to its siloed nature. Process-focused risk activities can also decrease a program’s strategic visibility. In Dagmar Turner’s situation, traditional risk management approach might have recommended a limited procedure to remove a smaller amount of the tumor, possibly risking future complications. By taking the full picture into account (i.e., the patient’s fears and desired outcomes, as well as best practice surgical techniques) that doctors were able to come up with a solution that satisfied all participants and produced the desired outcome.

Herman Kahn, a military strategist at RAND Corporation during the Cold War, developed and made famous the concept of scenario planning. He used fact-based stories to show a range of probable military outcomes in order to develop contingency plans.¹¹ Similarly, risk managers can create narratives using enterprise risks measured with qualitative and quantitative data. These risk parameters can help leaders to understand the consequences of inaction. Often, the prospect of losing an appreciated status quo can be a strong motivator for action. Instead of asking “what’s working well now,” a risk lens asks, “what if.” When helping an agency or company decide whether to innovate toward an opportunity or in response to immediate pain points, risk managers possess a unique ability to explain the results of both action and inaction (figure 3).

In some cases, risk management can help quantify the uncertainty, and associated risk, presented by innovation through the use of KRIs, resource constraints, and priorities. Traditional key performance indicators (KPIs) do not often measure the broader ecosystem of risks an innovation might impact or what external risks might impact the innovation. Instead, the risk professional may ask what connections can be drawn between projects in the innovation portfolio and organizational pain points. They can focus data gathering on questions like, “Has the solution achieved a strategic goal or objective that’s aligned to the risk profile of the portfolio or even the broader organization?” Using risk management tools such as KRIs as forward-looking signals can increase confidence in decision-making.

By connecting the innovation to the proper channels within the enterprise, risk management can build trust, increase buy-in, and accelerate the overall production of the innovation.

For example, the Veteran’s Affairs Administrations (VA) is one of the largest hospital systems in the world. They constantly balance risk with innovative new technology to better serve their patients while protecting confidential health data. To help manage this balance, the VA recently launched the Cyber Innovation Program (CIP), which aims to find innovative capabilities to mitigate the risk associated with deploying emerging technologies, such as AI. CIP helps address strategic priorities for VA’s technology teams that required a faster, more agile process and could leverage the latest approaches being developed in the private sector. To do this, they engage the external ecosystem of private sector cybersecurity innovations, conduct environmental scans for emerging threats and opportunities (e.g., risks), scout for innovative solutions, and help introduce and accelerate change for VA. Part of this effort also includes “piloting a system for assessing the development of the federal artificial intelligence workforce” to help identify AI talent and ensure a strong base for future AI efforts at the VA.¹² This is an example of a federal program seeking to address risk and seeking opportunities in an innovative way while setting themselves up for future success.

Getting started by innovating together: A case for government and commercial collaboration

An agency that expects to adopt IRM practices should ideally have an established risk management function or an enterprise risk management program, as well as an established focal point for innovation (innovation groups, research & development function, etc.) in its organization. While neither of these needs to be a fully mature program in order to use IRM, at a minimum, an agency should already have an established process for identifying and addressing risks as well as a clear innovation strategy. Both can be critical to adopting robust IRM practices, as a common understanding of risk management and innovation across the agency may be necessary to successfully integrate these efforts. However, the absence of either program should not preclude either risk managers from creating innovative solutions or innovation managers from implementing risk management practices. One way that public sector organizations can begin this journey is by exploring collaborations with commercial organizations that help connect innovation with risk management. Some agencies, as shown in the CIP example above, are already doing this.

Risk sensing (using AI-powered technologies to scan the digital environment and pick up risk signals) is an area where government and venture capital organizations have engaged third parties to help detect and monitor technologies and skill sets at the cutting edge. An IRM framework envisions an even more powerful combination where early and active collaboration between government and private organizations can provide regulatory clarity and accelerate innovation.

Simultaneously, these technologies have brought to light multiple regulatory challenges such as the Federal Aviation Administration’s guidelines on autonomous aerial systems (drones),¹³ medical ethics surrounding private patient data,¹⁴ and recent General Data Protection Regulation (GDPR) regulations on the “right to be forgotten.”¹⁵ In late 2019, the National Institute of Standards and Technology was directed to develop a framework for how the United States federal government should approach the development of AI.¹⁶ These cases demonstrate a need for proactive government IRM to create the right “sandboxes” in which private companies and public agencies can experiment.

This example does not idealize a singular focus on the reduction of regulation. Rather, it is a broad approach where government and private industry build risk management into innovative designs. This is contrary to traditional “build it first, fix it later” approaches where individuals or even whole populations can be adversely affected. Combining risk management with innovation facilitates proactive identification of opportunities and can help achieve buy-in to execute on innovative responses or solutions to risks and opportunities.

Conclusion

An IRM framework is increasingly important to consider for those looking to implement change in the public sector. As governmental agencies and private companies grapple with a changing landscape and the pressing questions around how to operate in a radically changed environment, understanding how risk and innovation interact can be critical. Deloitte’s IRM framework can help organizations develop a strategy and execute it while building the necessary capabilities to create long term success.

Implementing an IRM framework can help create the groundwork for institutional-change efforts that embrace risk and seek to build on the opportunities it presents. While effective change can come from anywhere in an organization, having an effective framework in place can help encourage top-down or bottom-up innovation. Fostering this level of trust in an organization can be difficult but providing a tested means for evaluating and addressing risks can help leadership feel confident that innovation can be managed effectively to produce informed, impactful outcomes.