Article
11 minute read 29 June 2023

Driving change through innovation risk management

Innovation risk management can help organizations not only manage the risk inherent in innovation, but also identify entirely new opportunities to improve mission performance

Jesse Goldhammer

United States

Alan Holden

United States

Kevin Almerini

United States

Anthony Fratta

United States

Opposites attract. Risk management and innovation, two seemingly disparate topics, can be strategically connected in mutually beneficial ways. We call this concept innovation risk management (IRM). This article describes how public sector innovators can improve outcomes using risk management techniques and how public sector risk professionals can manage their most important risks by innovating with purpose.

Introduction

On January 31, 2020, Dagmar Turner played her violin while undergoing brain surgery at King’s College Hospital in London.1

Diagnosed with a brain tumor in her right frontal lobe—close to the area responsible for language and some fine motor functions—Dagmar feared that the surgery would cost her the dexterity she’d developed over 40 years of violin practice. Her doctors recommended a novel approach to mitigate this risk. They mapped her brain, began the surgery, and then woke her up from her anesthesia and asked Ms. Turner to play. As she played her instrument, the surgeons were able to see the parts of her brain that were activated and cut around them to remove the tumor. Dagmar emerged from the surgery with 90% of the tumor removed—including all areas that posed a suspected threat—while retaining full use of her left hand.

The doctors’ novel surgical approach highlights how innovation and risk management often go hand in hand. The problem: Remove a brain tumor that threatened her life, without destroying a 40-year-long love of violin. The risk: Removing the tumor might result in Dagmar losing her ability to play music, her greatest love in life. But not operating might result in her losing her life. The solution: Innovate the surgical process to manage and mitigate these risks by mapping and monitoring vital parts of Dagmar’s brain as they operated (ongoing risk management). This was the first time surgeons tried this technique, and they were able to remove 90% of the tumor. This is an example of IRM (figure 1).

While the two fields may seem antithetical, innovation and risk management are actually complementary disciplines. Risk management is about responding to risks (reducing or exploiting), while innovation processes may involve taking calculated risks.

Defining innovation

We define innovation as the creation of new value for customers and stakeholders. This can include doing things differently or doing different things. But the key is that innovative solutions represent something new, going beyond just problem-solving.

Bringing risk management practices to innovation efforts can help identify new opportunities for innovation, justify future investments, and mitigate the potential negative outcome associated with failures. For risk managers, innovation techniques offer a way to develop novel solutions to address risks, promote collaboration in the risk management process, and report on risk mitigation activities as part of a larger portfolio of innovative efforts. By blending the two disciplines, public sector organizations can realize a benefit that could exceed the application of either in isolation and can be used to establish mechanisms that help improve outcomes for organizations (figure 2).

In the private sector, forward-thinking leaders have merged innovation and risk management practices for some time now. Consider the example of video game maker Nintendo. Nintendo began its life as a playing card company in 1889, but successfully identified risks to its business model in the 1960s as the world entered the digital age.2 Rather than attempt to mitigate this risk through traditional cost-cutting or operational approaches, Nintendo instead chose to capitalize on the availability of plastic and computerized video games to innovate its product and service suite. The result? Nintendo launched its first video game in 1972 and is now one of the top video game companies in the world.

In the public sector, these disciplines have traditionally been kept separate, often functioning in operational silos, and treated as opposing forces. Only recently have some public sector organizations begun to integrate innovation and risk management practices—with exciting results.

For example, in response to the executive order on improving customer experience in the federal government, the Office of Management and Budget has begun supporting various agencies in mapping the customer journeys for critical life events, including the birth of a child, surviving a disaster, facing a financial shock, and approaching retirement.3 The goal of this initiative is to help agencies “work together—within agencies, across agencies, even across levels of government—driven by customer (human-centered design (HCD)) research (both quantitative and qualitative), rather than within bureaucratic silos, to solve problems.” This approach is rooted in innovation (HCD) but is also an example of managing risk as it seeks to uncover the root cause issues (risks) preventing citizens from accessing services at some of the largest federal agencies and work collaboratively across government to identify and implement solutions.4

Part 1: Innovating through risk management

The expectations for innovation roles in government and commercial industry alike are increasingly high. “Innovators” are expected to deliver increasingly complex products, services, and experiences that can compete with market leaders, while failure can often be misconstrued as a result of lackluster effort, insufficient foresight, or poor risk management. On the government side, agencies are expected to offer services that are comparable—whether in efficiency or time to market—to private companies, whether it’s the IRS distributing stimulus payments or federal and state officials coordinating on infrastructure development. These expectations can be further complicated in government settings by the fact that public sector innovation “failure” could be less tolerated by taxpayers and Congressional stakeholders than in a commercial environment.

Defining risk

In this article, we consider the definition of risk as “an uncertain event or condition that, if [it] occurs, has an effect on at least one project objective … [r]isk can be considered as both threat (negative impacts) and opportunity (positive impact)” and could come from internal or external sources.5

To help mitigate the risks associated with failure, leading public sector innovators are becoming increasingly deliberate about defining their “risk appetite”—the level of risk they are willing to take on in pursuit of value across their portfolio of innovation work—as part of their broader innovation strategy and metrics definition.6 To help reduce the risk of innovation failure, IRM techniques can help innovators understand how much more risk they are actually taking on in pursuit of objectives and how to confirm if they are taking on too much. This, in turn, can help innovators determine specific risk-mitigation techniques they can deploy to minimize the likelihood of risks manifesting and resulting in negative outcomes through the definition and analysis of key risk indicators (KRIs).

The example of Pecan Street Inc. helps illustrate how public and private enterprises can work together to mitigate risks to innovation. In 2019, Pecan Street, through funding from a Department of Energy grant, set out to test how solar power could reduce the use of traditional fossil fuels in generating electricity.7 Pecan Street’s goal was to help reduce blackouts associated with power grid failures due to adverse weather events. Their hope was that by creating a “microgrid” or an island of solar-powered houses within a larger area, city planners could be better positioned to restore power and manage demand. The experiment is expected to take some time to complete but is an example of recognizing a risk (increasing blackouts caused by major weather events such as hurricanes or extreme temperatures) and attempting to innovate within a threshold for that risk—that is, knowing they cannot reduce the blackouts to zero, but working to use solar panel microgrids to help reduce the issue and make recovery easier.8

The Department of Energy’s Innovative Energy Loan Guarantee Program seeks to de-risk innovations as a step toward greater funding possibilities from the private market. According to John MacWilliams, the first chief risk officer at DOE, “The whole point was to take big risks the market would not take,”9 and in doing so, identify the risks to early-stage innovations, solve for them, and prove their viability to the wider private market. MacWilliams felt that “early-stage innovation in most industries would not have been possible without government support in a variety of ways”10 and we believe the process that we’ve described above could build on these examples of successful government innovation programs and may make it easier for others in government to pursue risk-informed innovations.

Part 2: Addressing risk through innovation

While they are not always accepted as such, risks can also represent opportunities for innovation. It is these risks/opportunities that can provide risk managers a chance of creating an innovative response. Traditional risk management can be reactive; it applies stop-gap solutions to larger cross-cutting issues due to its siloed nature. Process-focused risk activities can also decrease a program’s strategic visibility. In Dagmar Turner’s situation, a traditional risk management approach might have recommended a limited procedure to remove a smaller amount of the tumor, possibly risking future complications. It was by taking the full picture into account (i.e., the patient’s fears and desired outcomes, as well as best practice surgical techniques) that doctors were able to come up with a solution that satisfied all participants and produced the desired outcome.

Herman Kahn, a military strategist at RAND Corporation during the Cold War, developed and made famous the concept of scenario planning. He used fact-based stories to show a range of probable military outcomes in order to develop contingency plans.11 Similarly, risk managers can create narratives using enterprise risks measured with qualitative and quantitative data. These risk parameters can help leaders to understand the consequences of inaction. Often, the prospect of losing an appreciated status quo can be a strong motivator for action. Instead of asking “what’s working well now,” a risk lens asks, “what if.” When helping an agency or company decide whether to innovate toward an opportunity or in response to immediate pain points, risk managers possess a unique ability to explain the results of both action and inaction (figure 3).

In some cases, risk management can help quantify the uncertainty, and associated risk, presented by innovation through the use of KRIs, resource constraints, and priorities. Traditional key performance indicators (KPIs) do not often measure the broader ecosystem of risks an innovation might impact or what external risks might impact the innovation. Instead, the risk professional may ask what connections can be drawn between projects in the innovation portfolio and organizational pain points. They can focus data gathering on questions like, “Has the solution achieved a strategic goal or objective that’s aligned to the risk profile of the portfolio or even the broader organization?” Using risk management tools such as KRIs as forward-looking signals can increase confidence in decision-making.

By connecting the innovation to the proper channels within the enterprise, risk management can build trust, increase buy-in, and accelerate the overall production of the innovation.

For example, the Veteran’s Affairs Administrations (VA) is one of the largest hospital systems in the world. They constantly balance risk with innovative new technology to better serve their patients while protecting confidential health data. To help manage this balance, the VA recently launched the Cyber Innovation Program (CIP), which aims to find innovative capabilities to mitigate the risk associated with deploying emerging technologies, such as AI. CIP helps address strategic priorities for VA’s technology teams that required a faster, more agile process and could leverage the latest approaches being developed in the private sector. To do this, they engage the external ecosystem of private sector cybersecurity innovations, conduct environmental scans for emerging threats and opportunities (e.g., risks), scout for innovative solutions, and help introduce and accelerate change for VA. Part of this effort also includes “piloting a system for assessing the development of the federal artificial intelligence workforce” to help identify AI talent and ensure a strong base for future AI efforts at the VA.12 This is an example of a federal program seeking to address risk and seeking opportunities in an innovative way while setting themselves up for future success.

Getting started by innovating together: A case for government and commercial collaboration

An agency that expects to adopt IRM practices should ideally have an established risk management function or an enterprise risk management program, as well as an established focal point for innovation (innovation groups, research & development function, etc.) in its organization. While neither of these needs to be a fully mature program in order to use IRM, at a minimum, an agency should already have an established process for identifying and addressing risks as well as a clear innovation strategy. Both can be critical to adopting robust IRM practices, as a common understanding of risk management and innovation across the agency may be necessary to successfully integrate these efforts. However, the absence of either program should not preclude either risk managers from creating innovative solutions or innovation managers from implementing risk management practices. One way that public sector organizations can begin this journey is by exploring collaborations with commercial organizations that help connect innovation with risk management. Some agencies, as shown in the CIP example above, are already doing this.

Risk sensing (using AI-powered technologies to scan the digital environment and pick up risk signals) is an area where government and venture capital organizations have engaged third parties to help detect and monitor technologies and skill sets at the cutting edge. An IRM framework envisions an even more powerful combination where early and active collaboration between government and private organizations can provide regulatory clarity and accelerate innovation.

Simultaneously, these technologies have brought to light multiple regulatory challenges such as the Federal Aviation Administration’s guidelines on autonomous aerial systems (drones),13 medical ethics surrounding private patient data,14 and recent General Data Protection Regulation (GDPR) regulations on the “right to be forgotten.”15 In late 2019, the National Institute of Standards and Technology was directed to develop a framework for how the United States federal government should approach the development of AI.16 These cases demonstrate a need for proactive government IRM to create the right “sandboxes” in which private companies and public agencies can experiment.

This example does not idealize a singular focus on the reduction of regulation. Rather, it is a broad approach where government and private industry build risk management into innovative designs. This is contrary to traditional “build it first, fix it later” approaches where individuals or even whole populations can be adversely affected. Combining risk management with innovation facilitates proactive identification of opportunities and can help achieve buy-in to execute on innovative responses or solutions to risks and opportunities.

Conclusion

An IRM framework is increasingly important to consider for those looking to implement change in the public sector. As governmental agencies and private companies grapple with a changing landscape and the pressing questions around how to operate in a radically changed environment, understanding how risk and innovation interact can be critical. Deloitte’s IRM framework can help organizations develop a strategy and execute it while building the necessary capabilities to create long-term success.

Implementing an IRM framework can help create the groundwork for institutional-change efforts that embrace risk and seek to build on the opportunities it presents. While effective change can come from anywhere in an organization, having an effective framework in place can help encourage top-down or bottom-up innovation. Fostering this level of trust in an organization can be difficult, but providing a tested means for evaluating and addressing risks can help leadership feel confident that innovation can be managed effectively to produce informed, impactful outcomes.

  1. Reuters, “Violinist plays as surgeons operate to remove brain tumour,” ABCNews, February 19, 2020.

  2. Amy Webb, The Signals are Talking: Why Today’s Fringe is Tomorrow’s Mainstream (New York: PublicAffairs, 2016).

  3. Office of Management and Budget – The White House, “Fact Sheet: Biden-Harris Administration launches nine life experience projects to streamline service delivery for the American people,” press release, March 3, 2023.

  4. Performance.gov, “Customer experience projects,” accessed June 16, 2023.

  5. Adebola Osundahunsi, “Effective project risk management using the concept of risk velocity, agility, and resiliency,” presented at PMI® Research and Education Conference, Limerick, Munster, Ireland, July 18, 2012.

  6. For example, see these risk appetite statements: UK Government Finance Function, Risk appetite guidance note, August 2021; United States Agency for International Development, U.S. Agency for International Development Risk appetite statement – June 2018, June 2018.

  7. John Fialka, “E&E News: Blackouts are on the rise. So Austin is making a ‘microgrid’,” Pecan Street, October 3, 2019.

  8. Ibid.

  9. Michael Lewis, The Fifth Risk (New York: W.W. Norton & Company, 2018), p.64–65.

  10. Ibid.

  11. Rafael Ramirez, “Scenario planning,” Oxford Futures Library, April 21, 2014.

  12. Dave Nyczepir, “VA Piloting system to find and manage AI talent,” Fedscoop, August 23, 2021. 

  13. Federal Aviation Administration, “Timeline of drone integration,” accessed June 16, 2023.

  14. Institute of Medicine (US) Committee on Health Research and the Privacy of Health Information, Beyond the HIPAA privacy rule: Enhancing privacy, improving health through research (Washington, DC: National Academies Press, 2009).

  15. General Data Protection Regulation (GDPR) highlights the right of an individual to erase their personal data: Information Commissioner’s Office, “Right to erasure,” accessed June 16, 2023

  16. National Institute of Standards and Technology, U.S. leadership in AI: A plan for federal engagement in developing technical standards and related tools, August 9, 2019.


Cover image by: Jaime Austin

Jesse Goldhammer

Managing Director
