Understanding the cost/benefit trade off for Digital Transformation

The COVID pandemic has accelerated the pace of a Digital adoption in ways that few of us thought realistic in 2019. Organisations in both public and private sectors have had to enable remote working at the drop of a hat, customers are becoming more comfortable with accessing services online, and innovations to enable these changes and make the best of the new landscape are evolving fast.

Most organisations, however, are also aware of the potential risk of undertaking a digital transformation. Going digital means greater exposure to potential business, cyber, and privacy risks, and related to one of these risks is the latest Government report from the ONS* showing that businesses experiencing a Cyber breach rose from 32% in 2019 to a staggering 46% in 2020.

It’s undoubtedly worrying – but should not stop you in your tracks. Quite the contrary; by understanding where potential risks are and what degree of risk versus benefit your organisation can take, you enter the next phase of your Digital Transformation with your eyes wide open. It’s called Digital Risk Appetite.

Can we not just state we have zero risk appetite?

We would strongly advise that for any organisation conducting business online, it’s unrealistic to even attempt to set a zero risk appetite. The very idea is misleading and could reduce your alertness to cyber threat. Plus, there’s always an inherent exposure in digitalisation, so the idea is to balance the level of risk your organisation is comfortable with versus the benefits of that increased online access for customers, partners and employees.

“The biggest risk is not taking any risk… In a world that’s changing really quickly, the only strategy that is guaranteed to fail is not taking risks.”– Mark Zuckerberg

The question is, how do you trade off the benefits of digital transformation with the risks you’re willing to take as an organisation?

Digital risk management starts at the top

Agreeing what level of risk an organisation is comfortable with will come down to the values and objectives within each individual organisation, and that means the leadership must be principally involved.

“Embedding an informed Digital Risk strategy has to start with the Board” says Steven O’Sullivan, Head of Digital at SA Group. “The Board have to understand that digital risk is business risk, and the Board must agree what this means, as risk is often considered in many different ways”.

Defining a Risk Appetite Statement

Steven recommends creating agreed and defined statements and metrics that articulate the views of the Board and senior management about the scope and level of digital risk the organisation is willing to accept. These may be expressed as a narrative and/or financial, operational or tolerance based control metrics.

Once you’ve defined and articulated these, you have the foundation to set and communicate strategic boundaries for cyber risk-taking across your organisation.

The model below can be used to cross-check your metrics and ensure they are realistic, strategic and measurable:

Mitigating the risk

The secondary benefit of comprehensively debating and agreeing a Digital Risk appetite is that this process necessarily involves spotlighting where those risks lie. In turn this enables you to create a plan to mitigate the risks.

A thorough Digital Assessment process will help identify any business, cyber security and privacy risks, as well as the identification of any valuable Digital Transformation opportunities. If you’re not sure where to start, SA Group’s one-off Digital Health Check can identify your main risk areas and suggest a roadmap to reduce their impact. Using this valuable information, our digital experts can advise as to where current and future transformation opportunities exist within your business.


Don’t allow the risks of digitalisation deter you from its massive long term potential!

A well designed digital risk appetite – including a risk appetite statement and relevant metrics – serves as a very useful tool for prioritising your digital and cyber security investment, making sound risk management decisions, and creating awareness for digital risk across the institution. And to fully embed digital risk appetite within your organisation it’s important to be able to link real tangible actions to risk threshold breaches.

By involving the senior leadership in decision-making you’ll enable debate and agreement from the top around risk appetite vs the tangible organisational benefits of Digital Transformation going forward.


About the author

Steven O’Sullivan is Head of Digital and Cyber at SA Group with over 20 years’ experience helping organisations address their most pressing and pervasive cyber risk challenges. He has managed Global Security Operations Centres for BT Global, and spent over 10 years as a lecturer in Cyber, telecommunications, internetworking , electronics and management studies.

Steven continues to lecture and present on Smart and Digital, his areas of expertise include Cyber risk management, Cyber frameworks, Cyber threat intelligence, Smart City Cyber Security, Digital Risk and Transformation, IoT security, Cyber Resilience, Training, Security Operations Centres (SOC) and Privacy and Data Protection, and Business Management. He has experience across many industries sectors, including Financial Services, Telecoms, Energy, Healthcare, industrial products and services, manufacturing, and retail.