Risk assessment is a core component of successful digital transformation

Photo by Samuel Zeller on Unsplash

Concepts such as big data, Industry 4.0, blockchains, and IoT are being thrown around by tech evangelists, consultants, and mass-media, making many companies feel like they are faced with a binary choice: go digital or go extinct. While it is certainly true the digital revolution has brought about plenty of opportunities and tech-enabled success stories, the last decade has also seen spectacular tech failures from both new and established companies. In fact, a majority of the costliest corporate innovation failures in history involve some innovative technology.

Juicero raised $120M promising a WiFi connected, subscription-based juicer. When customers figured out that hand-squeezing the proprietary juice packs produced the same result as the 700$ machine, the company shut-down within a year.

It is, therefore, crucial to have a strong understanding of the risks involved throughout the (re)development of your digital offerings: start with SWOT at the idea level, continue with sensitivity and business risk assessment at the design stage, and perform periodic assessments of operational risk throughout implementation and operation.

There are plenty of tools and techniques for performing SWOT analyses and for penetration/vulnerability testing, as well as a large number of checklists, guidelines and standards for developing secure software and systems. I discuss some of them in another blog post. In this post, however, I focus on the often-overlooked business risk analysis which should ideally be performed as soon as the value network is known.

Modern e-services are provided by a network of collaborating businesses

Today’s economy consists mainly of e-services – up to 80% in developed countries. Moreover, a majority of these services can be seen as e-services, i.e. services provisioned or delivered via the Internet. A characteristic of modern e-services is that they are often offered by a constellation of enterprises. Amazon, Netflix, and Google depend on a large network of providers, creators, and consumers to generate revenue.

However, collaborators and even customers don’t always behave as expected or agreed upon, and fraudsters aim at unfair exploitation, legally or illegally. Profitability assessments of e-services should, therefore, look beyond revenue streams and consider threats to the financial sustainability of the service offering. More importantly, any such analysis should consider the business network in which the e-service is embedded.

The business network consists of suppliers, service providers, consumers, prosumers, partners, collaborators, and third parties. Tools such as the Business Model Canvas are useful as a first step in identifying some of the actors in this network and thinking about your value proposition to your customers. However, it’s important to recognize that e-business is by nature distributed and inter-connected, therefore always embedded in a network of other profit-and-loss responsible actors, each of which with different capabilities, needs, and value propositions. To engage in the digital transformation, one should take a network-centric approach.

Quantitative, value-driven risk analysis of e-services

Before making the service available to the customers, cost and revenue structures need to be fleshed out. One established way of obtaining an initial indication of economic sustainability is value modeling. Value models take a purely financial perspective by depicting the transfers of economic value that take place among the actors involved in the provision and consumption of e-services. Because they abstract away from technical and even procedural considerations, value models allow obtaining a good understanding of relevant actors and commercial transactions. This allows economic assessment of a business network without being distracted by the complexity of coordination procedures or IT architectures, especially in its early stages1)Weigand, Hans. “The e3value ontology for value networks: Current state and future directions.” Journal of Information Systems 30.2, 2016, pages 113-133.. Our value modeling technique of choice is e3value because it is based on a well-defined ontology understandable to both technical and non-technical stakeholders because it takes a constructive approach to value modeling, and because of it is available as free and open-source software.

Value models usually assume that all economic transactions specified in the business model will occur as specified and that all actors behave as promised. This is a reasonable assumption in the early phases of business development since at that point in time, the focus should be on who offers what to whom (the so-called value proposition) only. However, once the service is deployed, actors may not behave as promised, or they may even attempt to commit fraud. Sensitivity and risk assessment is needed to assess the financial sustainability and resilience against violation of these idealizing assumption.

Ideal and sub-ideal models

Because value modeling tools are geared towards performing net value flow calculations based on cost structures and market assumptions, an important first step in assessing the sustainability of a value model is simply deriving a set of “sub-ideal” models. These models should give a rough indication of the impact (in terms of financial loss) and the likelihood (in terms of potential gain for dishonest partners or fraudsters) of “worst-case scenarios”. This tutorial explains how to create such sub-ideal scenarios using e3tool.

Sensitivity analysis

In order to streamline the sensitivity analysis of value models, e3tool is able to generate charts showing how the net value flow of each actor or entity depends on market assumptions such as the occurrence rate of consumers needs and the size of market segments.

Screenshot of a sensitivity analysis chart generated by e3tool.

Sensitivity analyses can be performed on sub-ideal models too, thereby showing how a particular fraud scenario scales up and how the profitability of the service is affected by the (relative) number of fraudsters.

Sensitivity analysis is useful to compare the financials sustainability of variations of a service, to highlight the impact of fraud, to compare different fraud scenarios or to obtain an estimate of the Return on Investment of fraud mitigation mechanisms.

Fraud generation

For any given e-service and its corresponding e3value model, there are many possible sub-ideal scenarios. To aid in the exploration of this search space, e3tool offers an automated fraud generation module. The analysis works by applying combinations of known fraud heuristics to the e3value model and sorting the resulting models based on their effects. The fraud heuristics are:

  • Collusion of two or more actors, who act as if they were financially independent, but which are in fact pooling their budgets, revenues, and costs;
  • Non-occurrence of value transfer;
  • Occurrence of a hidden transfer of value objects that are unexpected or otherwise hidden from the rest of the value network.

The approach asks the user to distinguish between trusted and untrusted actors. Trusted actors never engage in any of the above heuristics. Furthermore, only scenarios which are result in unexpected gains for an untrusted actor (or group thereof) or which cause unexpected losses for one or more trusted actors are shown. Finally, the list can be ordered based on the most damaging scenarios for trusted actors or based on the most lucrative scenarios for untrusted ones. Each generated model comes with a graphical preview, as well as with a table comparing its financial results to those of the original model used as input.

 Read more about business risk assessment using e3value in our recent article, published by the American Accounting Association.

References   [ + ]

1. Weigand, Hans. “The e3value ontology for value networks: Current state and future directions.” Journal of Information Systems 30.2, 2016, pages 113-133.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.