Mar 27, 2019 | 2 min read

Conversation with David Bauer

Podcast #52: Assessing Digital Strategy Risk

David Bauer has a long career managing risk - as a CTO, Chief Risk Officer, Chief Information Security Officer and COO for Morgan Stanley, Merrill Lynch and other institutions. In our conversation he discusses assessing and managing risk to digital transformation strategies, going beyond the topic of cybersecurity covered in our earlier podcast. He shares the complexities involved with ensuring that digital processes are mapped appropriately, how to evaluate the user experience on apps, highlighting failures and successes. He also outlines the strategic risk assessment framework he has developed, offering insights into different criteria – both quantitative and qualitative. Lastly, he provides useful advice for companies embarking on their digital transformation strategies.  






Good day everyone, and welcome to another Momenta Podcast. This is Ed Maguire, Insights Partner at Momenta Partners, and today we have a second-time guest, it’s David Bauer, who is a managing partner at Sandhill East; he was one of our first podcast guests. He’s got a history as a Chief Security Officer, Chief Risk Officer, deep in technology and business risk, and an all-round entrepreneurial mind, as well as a deep technological expert. In this conversation we’re going to explore a bit of a different angle. Dave and I met up around Christmas time and were chatting about the risks to digital transformation, and he mentioned he’d done quite a bit of work around doing strategy risk assessments, and we’ll get into that in a little bit. 

I want to explore this angle and the nature of managing risk, because this is certainly something that he’s addressed all through his career. Dave, it’s great to have you with us again. 

Thanks Ed, it’s good to be back again and looking forward to chatting today about the application of risk, risk assessment, to digital strategy. People often will equate that to maybe security or technology, but risk assessing can be applied to practically anything. I’ve been doing a lot of work recently on applying the concepts of risk to digital strategy. 

Yeah, first let’s start with a bit of a level set in context. Could you share some of your background in managing risk, and a bit of the perspective that you have working primarily in cyber security, but also in some complex institutions? 

In my 30-plus year career, I’ve been Chief Operations Security Officer, Chief Privacy Officer, Chief Technology Officer, Chief Operating Officer for a number of different types of organizations, and every one of those has a concept of delivering business capability, business value, a need to protect the company to make sure they’re not at risk of not achieving their business goals. So, the fundamental tenets of risk assessment are… 

  • what are the areas that I’m interested in?  
  • What are my strategic objectives?  
  • What are my risks associated with failure to achieve them?  
  • How important is that to me?  
  • What should I do to mitigate those items of risk, so that I have some success in meeting my business goals? 

In some areas the risk elements are well-known, so in security and business controls there are a plethora of international standards and industry best practices, so that it’s easy to build a risk management program around. But digital strategy, digital transformation, that’s fertile ground, so last year we were talking to some companies who wanted an assessment of their digital strategy, their digital transformation. So, I created a digital strategy risk assessment framework as a way to evaluate a company’s digital strategy, pointing out whether they are at risk of failing in their digital strategy because of poor approach, poor focus, poor execution or not understanding and addressing all the kinds of elements they would need to do, to make sure their digital strategy was comprehensive enough, and on a good execution path to be able to be implemented. 

What are some of the dimensions that come into play when you’re looking at what areas of risk need to be evaluated? This is a very general question, but when you’re looking at an existing business, like a financial business, and you have for instance back office, clearing, and regulatory responsibilities that are pretty well defined, it would seem that would be a bit more of a straightforward process, versus the challenges of trying to understand what could happen, and what unknown unknowns there are out there that you also need to manage for! 

So, just some interesting observations, and I’ll get into the components. Every company has a digital strategy, and the question is whether or not it’s going to be successful. I think sometimes people might falsely measure the success of their program; like, we have so many users using our application or using our website to conduct business with us. What we fail to realize is that’s the only way that they can interact, so sure, numbers are interesting, but it doesn’t really mean that there’s a good digital strategy behind it. 

The kind of elements that I think about in a digital strategy are: was the system that is supporting the digital strategy, the technology and the data, designed as a platform for digital commerce? Amazon does this really well, they have a platform, it’s a marketplace that other companies can plug into, the application program interfaces, the APIs, are present so data can come and go. There are many companies, particularly legacy or older companies, that have a significant challenge in having a system as a platform for digital commerce. You can often tell when this happens, you can tell because you try to do something in the application and there’s no capability for it. Sometimes that might be because it wasn’t a well thought out application, which is an issue in itself, but other times it’s because there’s no interface that allows the application to pull the data it needs, so there’s no interface that some partner can plug into and supply data or services that the company really needs, in order to fully make that digital experience good for the user. 

In one company, the inventory counts were not available in real-time for the ordering application, because they’d never thought about it in that way, so the inventory numbers when you went to go buy something, you could buy it, but later on you would get a message, ‘We don’t have any of those’. So that’s a really poor digital experience, when you go to buy something, you get your acknowledgment, then a little while later you get some message that says, ‘We’re out of stock on that’, and you’re like, ‘But you said you had 10, I ordered two’. So, systems need to be designed, if they are to be thought about as a platform for digital commerce, with the right kind of APIs to connect to the kinds of data and third parties. I think people have worries here about channel conflict. Well, if I create an API so that people can buy my product through my application, and then maybe through another interface like say through Amazon, Walmart, Target, or the United Airlines application, because it’s some kind of travel goods, I’d now allow others to be an interface to my product. Well, that’s exactly what the world is in digital commerce, the whole world is full of channel conflicts. What you have to do is build your platform so many more other companies and their digital strategies connect in via the widest possible distribution. 

That’s just one element. There’s another which is building a great app. Just because you have the one app that everybody has to use, it doesn’t mean it’s good and well-designed, and a 3 x 5-inch screen is not a lot of real estate to build a good app. We all have our own personal experiences of applications which are easy to navigate, and you can find what you’re looking for, and the data is there. United is a good example, they’ve done a really good job in their latest application; I travel a lot, so I’m going to use a lot of examples from the travel applications. So, when you launch the United application, it sort of knows whether you’re traveling that day or not, and if you are it gives you all the information, you don’t have to go down any menus; ‘You’re traveling from Jacksonville to Chicago today, your flight number is 1234, here’s the gate, it’s on time. Click here for your boarding pass’. And when you make your connection, it knows its connection time and gives you the next leg of your trip.  

So, that is using a really good bunch of concepts around a good digital strategy, and understands you, context, and has data about where you are, what time of day it is, what should be happening next, and provides you with all the information you need at the time that you need it, so that you have the best experience, and that’s terrific. 

But then they’ve broken things too. Here’s a good example of a bad example; on SouthWest you can check in if you have a pet reservation, but you can’t reserve a pet online, you have to call. The call is, you call SouthWest, you talk to the agent, you say you want to book a pet on the flight, and they say, ‘Okay’. That’s an example where there’s got to be a missing API in the system that the app can’t get to, to book a pet; but you can check in once you’ve done that. On United you can reserve your pet, but you can’t check in, you have to go to the check-in counter, and so it’s very interesting. These are small examples, but they’re nuances around a strategy where you want to fully digitize your customer experience, and then you can’t because it either wasn’t thought of, the APIs don’t exist, they can’t figure out the exception conditions or whatever, but then begin to stack up the kinds of faults in the digital strategy that make it less appealing to the end users. 

How do you start to assess risks to a digital strategy? It would seem to be not simple, but pretty straightforward to do a technological evaluation to ensure that you’re choosing the right components, the right infrastructure etc., and ensure that the code is bug-free; but when you move up into business logic and then downstream into the customer experience, are there methodologies or approaches that you found help bring order out of so many moving parts? 

Well, we have. When we do a digital strategy risk assessment, we look at this as being different capability categories, and assess the risk of the organization's success at execution against those 15 categories. Some are technology-oriented as you would expect, when I talked about how the system is designed, or security controls, or whether all the services are available through the application, but there’s a large number that are not strictly technology related, or just about the information technology, but about the information of the design and capability. So, for example, how well does the digital strategy make use of customer preferences and habits to drive the experience? Is it thoughtful, and does it remember and understand what the customer is trying to do, and then use that? People might call that AI, and whether or not you think it’s AI, the whole point is, is it using that kind of information thoughtfully with some design that’s backed up by data in order to drive that experience? 

There’s another piece which is across business and brand integration, which we’ve all had experience with, particularly around mergers and acquisitions, where your digital experience is in one part of the brand, or one part of the product, but then there’s another part where you want to interact with that brand and the digital experience doesn’t transcend to that brand, and then it’s confusing to hear, ‘Well, why can I order this thing, but not that thing, even though I know it’s the same company?’ Or, the social media response; a big part of the digital strategy is the integration with social media, and it took a lot of companies a long time to figure this out, and I think most don’t do it very well. So, if people are making comments about your company on social media, is your organization able to collect them, digest them, respond appropriately?  

I’ve seen somewhere the customer has a legitimate complaint, and the response is, ‘Thank you for your comment’. That’s like the Facebook response, well that’s like getting a form letter, ‘Dear Valued Customer, thank you for your note to us. We’ll do our best to look into it’, but actually it doesn’t acknowledge anything, there’s no context, there’s nothing that says that the company has looked into what you said based on the data that they have and done something that might help the situation. So, yeah, there’s technology that can support it, and there are companies that can help you with social media monitoring and response, but unless you’ve got a strategy to do it, and a strategy that looks to have a positive method of responding and dealing with social media commentary about your organization, you haven’t really addressed the risk of social media with respect to your company. That’s an example. 

And I know there’s a lot of data that can come off social media, but what might be some of the approaches you would use to assess whether the social media strategy is being implemented correctly, or isn’t flawed in the first place? 

So, first, strategy. Strategy looks at things like: 

  • Are we monitoring social media?  
  • Are we dealing with complaints as well as praise?  
  • Do we have a good rate of response, and respond in a timely basis?  
  • Do we have data that collects about it? 

The measurements, interestingly, some old-school style cost center metrics can be useful there:  

  • Response rate.  
  • How many did we respond to?  
  • How quickly did we respond? 

And then some quality metrics: 

  • How do we feel about the quality of a response? 
  • What was the after response to it? 
  • Can we come up with a way to have a personal connection? 

So, can I take that complaint, turn it into a chat session with someone who can be empathetic; maybe they can’t resolve every complaint, but be empathetic and not generic to that issue, and then return with some positive acknowledgement about how it was handled? 

I do see on some airlines now where they had an issue, and they send you a follow-up which says, ‘We know we had this issue, tell us how well we did in handling that problem’. So, that’s a great way to do that, whether or not they figure out they have a problem and reach out, or monitor it on social media, but then get the feedback on how well they handled the problem. That’s using data, which is a big part of the digital strategy, to recognize that a problem occurred in the first place; so you don’t get a note that says, ‘Hey, how was your trip?’, you get a note that says, ‘We know you had a problem on your trip, tell us how we handled it’. That’s a really good digital strategy because they’re using the concepts of data, context, metrics, and the digital tooling, in order to be very precise about the way they’re going to collect feedback. That’s a good example. 

As you look at the other capability categories that you analyze, a couple of them are very closely related to data management, metrics, and of course system architecture, but do you find some best practices that you look for when a company is implementing a transformation strategy, that has to do fundamentally with how they manage, organize and analyze the data? 

There are some best practices, and they are interesting in a couple of different areas. So, one is in the culture of the organization; it’s very hard to have digital transformation when your main communication is emailing PowerPoints to each other. That’s an area that we’ve seen, they haven’t transformed their communications, their working culture, to a digital organization. So, then they find it very difficult to then extend that out in the digital transformation they’re trying to make with the interactions with their customers, if they’re still working in old-fashioned or non-digital-centric methods. 

Second best practice, around data and the centrality of data. One of the big benefits (and we’ll get to privacy in just a second, because it can be a problem as well) is whether or not there is centrality of data, and that doesn’t mean all the data is centralized in one big database; what it means is that all the applications and services that need to use data to inform decisioning can get access to data that’s clean, normalized, and useful in real-time, so that the applications can make good decisions. That’s very difficult in legacy companies because, as you know, they’ve got data all over the place, and so chief data architects, chief data officers, can become extremely important to the overall digital strategy. 

Another key area is how they think about disintermediation risk. So, you’re talking about channel conflict; it’s true that in the digital world channel conflict is just a fact of life, but that doesn’t mean that the company has to be disintermediated. What it means is you need to think about, ‘How do I expose data and services so I can connect up partners, other customers, and users of my platform to provide the richest experience for my customers? If I do that I won’t be disintermediated.’  

I want to talk about privacy for a second, because there’s a lot of headlines right now about privacy issues. I was one of the first chief privacy officers on Wall Street, at Merrill Lynch many years ago, and I understand this space. I think what’s happening here is, companies are making very poor decisions about how they’re using non-anonymized data, or what they’re doing with non-anonymized data. The best digital experiences occur when companies have access to customer preferences and habits. But that doesn’t give them the right to take that data and use it for the kinds of things that customers have not opted into in a way that they understand, meaning not just the letter of what they’ve signed up to, but the spirit. So, if I said, ‘You can use my data to help me’, that means in this application, and if you want to use it outside of this application, you need to ask me those kinds of things, so I can understand that. Companies, if they’re going to have a strategy that works well, and one that’s accepted by their customers, have to get the privacy preferences correct.  

So Dave, what can go wrong, and what can go right, when a company doesn’t effectively implement a risk strategy for their digital transformation? 

The obvious things can go wrong: customers won’t adopt their digital strategy, they’ll gravitate towards a competitor that has more compelling offerings, is better designed, has better controls over privacy, and is more seamless to their day-to-day digital life. I think people are now beginning to understand when digital interaction with a particular organization is going well, or not going well. So, there’s a lot for companies to think about there. 

What goes right is customers use it more, and not just in the B to C sense, but even in a B to B sense, where people go, ‘I want to be present in that company’s digital ecosystem, because they have a great rate of reach to customers, they have a seamless integration, because it’s easy for me to bring my product and services into that ecosystem.’ So getting it right is beginning to own and manage an ecosystem of competitors, partners, and customers all intertwined in a single digital strategy. 

So, if you’re talking to a company, a legacy company that’s thinking about implementing a strategy, what would be a couple of priorities that you’d advise for a company that’s just undertaking a strategy, and hasn’t thought about risk yet? 

So, every company has a strategy, and the first thing I would do is to start working through and talk to the people responsible for the strategy, then along the 15 points or 15 capabilities that we’ve outlined in our digital strategy risk assessment, begin to discuss with them, ‘Here are the areas that we find bringing risk to the digital strategy, if they’ve not been thought about or implemented well. So, let’s go through them and understand which ones are most important to you’, and depending on what the organization is trying to achieve, not all of them are going to be the highest priority, for a variety of reasons. So then we can begin to focus on the ones that are high-priority, based on how they view their digital strategy, and how they view their customers. Sometimes through the discussion, items which they thought weren’t very important all of a sudden become important, like, ‘Ah, we didn’t really think about social media monitoring. Okay, let’s go out and let’s do some analytics on Facebook traffic about you’, and they go, ‘Wow, a lot of people talk about us, and we didn’t know that’, and so now it becomes more important. 

So, you build a base of capabilities which are most important to the organization, and then work through how well the company strategy protects them, or defends against the risk of poor execution, poor implementation, poor design. If they’ve done that, then they have a good sound strategy, and if they haven’t, then we can provide recommendations on how they can improve, and where they should prioritize. 

That’s great insight and great advice. David, it’s always a pleasure talking to you because you bring a perspective that I think a lot of the time is really overlooked when people are thinking about top line, they’re thinking about execution, and where they could be successful. But truly managing all the risks from a 360° view is certainly something that a lot of people really haven’t thought through. 

Thank you, it was fun talking about this and I find it very exciting. 

Just wrapping this up, this is Ed Maguire, Insights Partner, Momenta Partners, with David Bauer, Managing Partner at Sandhill East. Again, if you have any questions or comments please reach out, we always welcome your feedback. 

Once again David, thank you again for your time. 

You’re quite welcome Ed. 
