Digital Operating Model

A new day, a new book. So I have been writing with an expert team about the Digital Operating Model.

If you were routed from my post ‘Boardroom Priorities‘ then the book will prime your conversations for 4 of the 5 top ranked topics on the minds of senior executives.

The book was commissioned by Microsoft and launched at Microsoft Ignite Orlando 4th November 2019 where 2000 copies were distributed.

The book is now available as a free download from and you can gain access when you click here.

Also available in book format

Digital mash-up

So I randomly find an article by McKinsey Digital while researching the use of digital in charities. That article headline is ‘How digital is changing leadership roles and responsibilities’. You can access the article when you click here.

I read on and find this passage: ‘having more digital leaders at the CxO-level doesn’t necessarily make the technology function of an organization better. Appointing a chief digital officer doesn’t necessarily make a company more effective in developing and deploying digital solutions. Even more striking, adding these new roles without an aligned operating model can actually lead to more confusion, power struggles, and a negative effect on the company’s overall IT performance.’

I pick out in bold what caught my attention. Why? This is exactly what I wrote about with my co-authors in a book titled ‘Thinking of Building a Microsoft Cloud Operating Model? Ask the Smart Questions.

Curious to know why you need an operating model then click here and all will be revealed.

Cat image has nothing to do with this blog but I have noticed cat images get a good following. Prove me right!

Turning ideas into cash

Every entrepreneurs challenge is to turn an idea into cash. The failure rate is high and particularly in tech as there is a great deal of competition. Oh well, that is not gonna stop you, right?

My work with European Union Horizon2020 CloudWatch2 project provided me insight to the characteristics of R&I funded projects and the difficulty exiting product development into commercial realisation.

Moment of clarity

In a rare moment of clarity I pieced together an idea to combine Technology Readiness Levels (TRL) that are commonly used to track progress of a R&I project read at with something I called Market Readiness Levels (MRL) (for which there is no Wikipedia reference).


The resulting conjoining of TRL and MRL created a methodology known as MTRL to control the technology and commercial outcomes of a R&I project. This was used successfully with a number of CloudWatch2 projects.

More information at

There was value in my invention and I decided to gift MTRL to Oxford University Innovations for use in academia (a major source of innovation funded by public and private money). If you would like to know more please email me

Update: The above URL is no longer active.

GDPR – lessons

My role as Co-Founder of Digi-Board includes responsibility for our compliance with #GDPR.  I trained at Henley Business School under Prof. Ardi Kolah and learned that a focus on compliance alone is the wrong way to put in place ‘privacy by design’.

Digi-Board is a customer of GoCardless to process online payments and I republish below an article (June 2019) sharing practical real world experience of GDPR from the Data Privacy Officer of GoCardless.  A great read for senior management and data privacy professionals.


How do you comply with every prescriptive element of GDPR, and meet the principles of the regulation, in a way that minimises unnecessary distraction from your core business? In short: how do you create ‘privacy by design’?

Few companies hire enough people with ‘privacy’ in their job titles to meet all the requirements of GDPR. It follows then that if privacy sits on top of normal business processes, it won’t scale.

With that in mind, here are five things we’ve learned over the last year about embedding privacy in the business.

1. Speak the language of the business

We didn’t get this right the first time around. To build our GDPR-compliant register of processing activities, we used questionnaires sent out from an off-the-shelf tool.

We asked all our data processing teams a lot of questions – all the wrong ones, as it turns out. “Can you identify a lawful basis of processing for this activity?” “How are you meeting the principle of purpose limitation for this activity?”

We knew we had gotten it wrong when we looked at our GDPR-compliant register and saw dozens of different variations on the term “not sure”!

In v2.0, we took a different tack. We asked the business only the questions we knew they could answer, like – what are you trying to do with the data, what data do you need to do it, what systems help you accomplish it. As a result, our updated register is clear, actionable and easy to keep up-to-date.

2. Be where the business is

We can’t have a privacy expert in every meeting – there aren’t enough of us, and even if we could be everywhere all the time, it would just slow things down.

But that means almost every GoCardless employee will at some point have to make decisions that have a privacy impact . . . like scoping a new product, choosing a new supplier, or training a new data model.

I have seen even very well-designed privacy programmes fail when they just aren’t adopted by the business.

When people are asked to step out of their day-to-day role, they’ll tend to take the path of least resistance. It’s not because they don’t want to do the right thing! But even if they understand what we need them to do (and see point 1), the process we’ve created might just make it hard for them to do it.

Privacy processes can’t stand alone, they need to be part of business as usual. Our head of data puts it nicely: we need to make it really easy for people to do the right thing and really hard for them to do the wrong thing. Which leads to…

3. Automate as much as possible

As the privacy field matures, we’re starting to see tools offering out of the box automation and compliance.

The problem with many of these is that they offer a standalone experience: a tool for managing data processing agreements that doesn’t sit within a broader supplier contracting function; a tool for tracking data subject access requests that can’t be used by Support, a data protection impact assessment that isn’t part of the product development lifecycle.

Privacy processes that don’t fit within a broader business context will take people out of their day-to-day. Then, if they’re done at all, they aren’t done well.

We’ve found it more effective to start with the business – what does their day-to-day look like? What documents do they create, what tools do they use, what are their decision-making points?

Those are opportunities to ask the right questions at the right time, and to be able to escalate to the privacy team where necessary.

For example, when our data teams build a new feature, they’re prompted from within the process itself to identify a business purpose from our (now clean and up-to-date) GDPR register. If a business purpose isn’t present, the model can’t be built. And if there isn’t a suitable purpose listed in the register, then it’s an indication that something new is happening that needs privacy review.

The process also gives us an audit trail that we can test to make sure the right decisions are being made.

4. But beware of silver bullets

Automating privacy processes can end up working against you. Some companies make programmes scalable using checklists. But this approach can backfire.

Layers of bureaucracy badly applied disempower employees, keep them from being accountable for privacy impacts, and lead to unexpected risks (“this wasn’t on the checklist, so it must not be a problem”).

We’ve been careful to keep our processes simple, and focused heavily on training and guidance for our teams.

For example, we’ve launched training for our product managers and functional leads, giving them the resources to think about building privacy into our products from start to finish.

One resource has been a particularly useful part of our product scoping documents and privacy impact assessments: A tailored taxonomy of privacy risks that helps guide thoughtful conversations about minimising unintended or unlawful consequences from the use of personal data.

5. Listen to what your programmes tell you

GDPR allows data subjects to exercise their rights with the data controller. The two rights requests we see most often are subject access requests and subject deletion requests.

Early on, we made a decision that subject rights requests don’t go straight to our privacy team. They are handled first by our customer support agents using their own tools (Zendesk macros and our Support Hub), before they go to our rights request software to track to completion.

This has been very successful for two reasons: First, these requests don’t happen in isolation. Sending the requests to Support first brings them to the people who are best trained to identify and resolve the underlying problem (supported of course by training and resources from the privacy team).

Second, our Support team has an enormous amount of experience with metrics and KPIs. Using their tools allows us to keep close track of SARs as well as other complaints, questions and incidents.

How quickly and efficiently we can handle an access or deletion request tells us a lot about the health of our privacy programme, and tracking these metrics is one of our key risk indicators.

We track other risk indicators too, like marketing unsubscribe rates, supplier risk ratings and time to respond to data-related legal tickets. These tell us a lot about where the gaps are and allow us to optimise.

That feedback allows us to make constant incremental improvements to the programme, and also helps us meet the principle of Accountability, the heart of GDPR.

Credit to GoCardless.

It’s a digital world – so what?

If you have bootstrapped a business, as I have more than once, then you will know that you just have to embrace #digital technology.  At a micro scale that is easy with plentiful applications and services a click away in the #cloud.

When you are a big business with a legacy of technology accumulated over many decades and with people and processes linked to the evolution of that legacy it is much harder to adapt.

Couple of thoughts on this.

Spotted this article from heavy hitters McKinsey and a worthwhile read.

Of course there is always a gulf between the theory and practice and that is why I co-wrote a book Thinking of..Building a Digital Operating Model …. Ask the Smart Questions that digs deep in assisting the business and technology teams to collaborate on ‘making it happen’ as McKinsey describe.

Click here to access the book. You may be surprised who commissioned the book!

GDPR turns 1 year old

In 2108 I completed a course at Henley Business School under Professor Ardi Kolah to get under the bonnet of GDPR.  Brilliant course lasting 6 months with 6 tough exams to pass with 80% pass mark.  I have since conducted a GDPR review for a charity, investigated the market for outsource Data Protection Officer (DPO) services and run procurements to appoint a DPO service.

 Is it working out as intended?

Many think of GDPR as a compliance exercise whereas Henley looked at it from the point of view of business continuity that incorporates compliance.  That changes the perspective of the board and senior management team to consider the risks in a different way, e.g. what would be the impact on the business if we were forced to stop processing data by the Regulator?

GDPR is still a hot issue and should be on every board agenda and included under a governance review.  As the Data Protection Authorities (DPAs) exit the bedding-in grace period expect a harsher regulatory regime and fines to increase.

So, one year on here is a state of the nation infographic by IAPP.

There is also a report at

What did you just say?

In a random conversation exchange it was spoken: ‘A charity that has had a data breach may choose not to report it for fear of harming its reputation and losing donor support’.  I was shocked!  This thinking will only further harm the reputation of the charity sector.

If there is potential harm to those data subjects, as a result of a data breach that you as a Data Controller or Data Processor has responsibility for, then YOU MUST report it to your DPA within 72 hours of it coming to your attention.  Your reputation or financial position is no reason not to report a notifiable incident and will only result in much heavier fines when this later comes to light.

Europe lead the world in regulation that protects the rights of citizens – you need to be aware of what they are:


Cloud Operating Model

Talk to a MBA student and they will tell you about the ‘models’ they learn and how they shape organisations.

For the first time in my life as an author I have contributed to a team of authors writing about a model that is topical as cloud computing is now mainstream in organisations of all sizes.  Indeed, a business I am bootstrapping relies totally on cloud services from Microsoft, WordPress, WooCommerce, Xero and some IP delivered in the cloud that is secret.

A model for Cloud Computing

Who needs a model?

Large organisations that have complex IT and total reliance on the functioning of IT 24/7 to support their day-to-day business.

Why is that?

We answer that in the book about the phenomenon that is ‘cloud’ and how that is transforming how organisations organise their work.

The book is in two volumes, one for the business (written in business speak) teams and one for the technical teams.


What can you expect #Agile #BusinessModels #DigitalTransformation #Azure #Governance #AI #BigData #IoT #RPA #Mobility #Knowledge #SmartQuestions #RealWorld Experience #OverToYou

The authors are grateful to our reviewers:

“Building a Microsoft Cloud Operating Model is a must read for leaders looking to understand how the rules of the game have changed, and importantly how to unlock the value that comes with the right model, great technologies and engaged people.

I love the fact it’s practical and serves as a useful guide for those driving change and innovation in their business.”

Clare Barclay, Chief Operating Officer, Microsoft UK

Interested?  Click here for more information.

D Day for Digital in the boardroom

Is the new face in the boardroom a digital NED?  If it is, what is expected of them and what are their challenges given the reported low level of digital savviness in the boardroom?

It is going to be different for every organisation influenced by competitive forces and what disruption is occurring as a result of the exploitation of digital.  That word digital is hard to define precisely and it is easier to think about its impact in ways that we have experience of; how we buy and sell, how we access government services, how we book a holiday, how we bank and the list goes on.  It is getting harder to name a sector of the economy that has not been impacted by digital.

With so much digital already put to work I am curious to know what is expected of the digital NED?

On 14th November 2017 Harvey Nash and London Business School Leadership Institute launched their report on what is happening in boardrooms against what they describe as a steady state of volatility and uncertainty.

The report delivers many insights into the working agenda of the board and the stand out for me was that ‘digital skills will be the most required specialist competency for non-executives over the next five years’.

Click here to download the report

The report drives home the digital theme:

Reporting on What Makes a Good Chair?  Answer – Be Digital aware

Reporting on Facing Up to Digitisation:

  • Recognise and plan for digital vulnerabilities
  • Widen the search for digital talent
  • Acknowledge that digital risks can bring great rewards

I started looking for an example of a well known business that put digital to work and the history after its implementation.  Click here for two short two minute videos that tell an interesting story about the digital transformation of a business.  That business was subsequently acquired and its capability to serve customers enabled by its digital transformation was a key decision factor for the acquisition.

Here are the reasons the CEO of the acquiring organisation gave for the acquisition: ‘the rationale for the takeover is to help shift (acquirer) towards modern online and convenience shopping habits . Underneath what we are buying [acquired] is the ability to deliver very quickly to wherever shoppers are in the UK.  Care to guess who the acquirer and acquired were?  The videos provide the answer.

Here is the thing, the CEO did not use the word digital once, it was the impact of digital and how it served the acquirer to better serve its customers.  I guess that’s the bottom line to figure out – the impact and how that is measured.

How real is this enthusiasm for the digital NED?  I found that in a blog post by Warren Partners (a leading UK executive search firm) with their tips on landing a digital NED role and what’s on the mind of the Chair that will interview you.

Korn/Ferry Institute published a report ‘The Digital Board – Appointing Non-Executive Directors for the Internet Economy’ a comprehensive read and they answer the question I set at the beginning of this blog.

What is expected of the digital NED?

Click here to access the report.



I have written about digital transformation previously and you can follow these links to read more.

















The science of business

I have been connecting with start-ups and starting up my own ventures and wondering; what is the secret sauce that turns an idea into success?

I have written about this before and now add to that some new thinking.

My starting position is that most businesses I connect with have a dependancy on technology, either they are selling it or relying on it as the enabler for what they have to sell.

For the business that is out to develop tech and then sell it, one of the failings is too much attention on the product and not enough attention on the customer. What use is a product if you have not established who will buy it and why and how you will attract that customer audience?

And if you are relying on tech to get your product to market then you have to understand the customer experience and know how they want to search for, select and buy, rather than how you prefer to sell to them.

It’s complicated, which is why so many startup businesses fail.

From Project to Product, learnings from my work with the EU Horizon 20:20 CloudWatch2 program.

The TMARA Group, a business that I met at a Catapult event helping innovators maximise their opportunity to succeed.

Between the two there is need to know science about turning an idea into a business, because it rarely happens just like that.

Collaboration is about letting go

As I kick start another new business venture in 2017 one decision I face is – how much control do I want to have?  As I contemplate this my copy of the IoD Director magazine arrives with an article by Simon Sinek with advice.

screen-shot-2016-12-28-at-08-49-29Simon delivered one of my all-time favourite TED Talks ‘How great leaders inspire action’ with over 29M views and I have used it myself a number of times when consulting clients to stimulate the brain before getting down to business.

Collaboration and letting go

Simon’s advice is to ‘surrender sole control and collaborate to achieve real growth’. He goes on to talk about give and take and delegation to use other people’s talents. He then switches to discuss that when people are promoted they usually don’t get any training as they move into leadership roles. That is more easily addressed in a big company than a SME, even so Simon’s advice is that senior execs need to invest in their own leadership development if they are to maximise the potential of their people.

I looked for evidence to support Simon’s views and found the report of the Chartered Management Institute click here to read that.

screen-shot-2016-12-28-at-09-15-30From that report this graph (apology for quality) highlights two areas for improvement. Change is hard and the table highlights it as the top organisational activity so that senior managers are ‘on top of their game’.

The ‘out of touch’ is something that Simon commented and that raised a whole bunch of questions in my mind.

Remaining relevant

Switching direction now: The Economist report ‘Lifelong learning is becoming an economic imperative’ commented: To remain competitive, and to give low- and high-skilled workers alike the best chance of success, economies need to offer training and career-focused education throughout people’s working lives.

That got me wondering if there a link between ‘out of touch’ and ‘lifelong learning’?

Top Tips

Something unusual happened after I posted this blog. Yup, someone contacted me and made a good recommendation and I am sharing it with you.

The simple truth is that the most successful people are dedicated to constantly learning.  Click here to read the article and small steps you can take to develop a lifelong habit of learning.