By Christopher Stitt, EMBA, CPP, CEM, F.ISRM
In the risk and resilience domain, the concept of VUCA has been around for decades. VUCA stands for volatile, uncertain, complex, and ambiguous. It is often used to describe factors that contribute to the risk environment or factors that complicate decision-making. For instance, volatile markets with significant swings in value make it more difficult to appropriately price trades. Uncertainty in weather forecasts makes preparing for hurricane landfall more difficult. Complexity in management systems or supply chains can lead to cascading failures on one hand, or unrecognized duplication of effort on the other. Ambiguity is the land of gray areas, paradoxes, and contradictions, such as in the case of new laws passed that are likely to impact business, but the final rules have not yet been worked out.
The components of VUCA were first assembled in the seminal book Leaders: The Strategies for Taking Charge by economists Warren Bennis and Burt Nanus, in which they described factors that complicate the business environment. They argued, in part, that overcoming these factors required a leadership ability that was separate and distinct from management capabilities (Bennis & Nanus, 1985). Interestingly, while Bennis and Nanus used the individual terms at various points in their book, they did not assemble them into the acronym that is widely used today. The VUCA acronym appears to have been coined by the Army War College in 1987, based on the work of Bennis and Nanus (U.S. Army Heritage and Education Center, 2022).
Today, as the examples above show, this concept can apply to any risk domain from business, to war-fighting and international relations, to emergency and crisis management, and even into everyday personal decisions. Moreover, some situations and circumstances exhibit more than one attribute. For example, ambiguity often contributes to uncertainty, or complexity may be added in an attempt to control volatility. In truly chaotic environments, you may encounter all four facets interacting with each other.
Digitization
So this brings us to the new question: digitization. There is an argument that digitization is itself turning into a new factor that should be incorporated alongside VUCA, thereby relabeling the acronym as VUCAD. But is this useful, or necessary?
In some ways, the concept of digitization can be captured by the other factors in the acronym. Authoritative data sources, or the lack thereof, help resolve or contribute to ambiguity. Data management systems can themselves suffer from complexity. The speed at which information can be obtained and verified either contributes to or resolves uncertainty. The proliferation of data sources of undetermined veracity increases volatility (look at meme stocks, for example). So, data and digitization are already affected by the original factors in the acronym.
How does it add complexity?
But what if digitization itself has become a new factor that cannot simply be affected by the others, but can itself be layered on to amplify them? What are some examples of this? The concept of “open-source intelligence” is a great one. Rather than being able to rely on vetted reporting from reliable sources, open-source intelligence often tries to piece together information from streams of crowd-sourced social media. But the sheer number and quality of sources of information make it difficult to determine the truth of the situation, as many people simply parrot what they have heard from others (even if inaccurate) or attempt to make themselves more important to the situation by falsely inserting themselves or their opinions. Worse still are the concepts of deliberate misinformation, disinformation, and mal-information.
Another area in which digitization adds to the complexity of systems is the “internet of things” or IoT. The proliferation of sensors, remote activation devices, and surveillance devices into so many areas of business and our lives can help streamline activities. But as the Internet Society reports, “Many of today’s IoT devices are rushed to market with little consideration for basic security and privacy protections: ‘Insecurity by design.’” (Internet Society, 2024). This “insecurity by design” can then add to each of the VUCA factors in various ways: Is the data you are receiving accurate? Has someone tampered with the system or data? Is someone using the system for their own ends (such as a botnet attack)? Can someone disrupt the system (such as in the case of the Florida water treatment plant attack in 2021, or the endless parade of ransomware attacks)?
Finally, there is the proliferation of artificial intelligence. While AI has been shown to have amazing benefits, it certainly also has risks that need to be managed. Some AI systems have been shown to have racist and chauvinistic tendencies, based on the material used to train them (Raikes, 2023). Most AI systems are intentionally limited in scope and access to information. This is often done for privacy or proprietary reasons. But this also means that the system may give incomplete or inaccurate responses. For all the wonders of AI and its utility, reliance on it produces its own risks.
Conclusion
And that brings us to the final question: can digitization stand on its own as a risk factor? All of the other factors can stand alone as factors that contribute to risk. I argue, based on the examples above, that the answer is yes. Digitization, in all of its many forms and the degree to which we now rely on it, does in fact qualify as a risk factor on its own. Consider the basic premise of the three pillars of information security: confidentiality, integrity, and availability. If all three are in place, there are no issues. But interrupt just one, and risk to the overall enterprise increases. With the rapid pace of digitization and paperless processes, the shift from in-person meetings to remote digital gathering (accelerated by the COVID pandemic), and the reliance on our access to the internet (heck, even as I was writing this, my neighborhood suffered a multi-hour internet outage), it is clear that digitization itself is a risk factor that must be recognized and accounted for.
The world of continues to evolve, along with the risks involved. It is time to understand that this new risk of our own making, digitization, exists and is just as impactful as the pre-existing VUCA model. It is time for VUCAD.