Digital transformation, AI and risk: What every risk professional must know according to BCG partner Nick Smaling

Ivo Geersen
November 26, 2025

In this RiskTalk episode, BCG partner Nick Smaling explains why only thirty percent of digital transformations succeed and why people, culture and organisational agility matter more than technology. He discusses the growing strategic role of risk management, the impact of AI on professional skill sets and how risk teams can guide secure and effective transformation. The episode offers practical steps for risk professionals to strengthen their influence, use AI effectively and support resilient change across the organisation.

Digital transformation is high on the agenda of almost every organisation, yet research by Boston Consulting Group shows that only thirty percent of initiatives actually achieve their intended goals. In this episode of RiskTalk, Jelle Groenendaal from 3rdRisk and host Rudy Nicola speak with Nick Smaling, Managing Director and Partner at BCG in Amsterdam, about why so many transformations still fail, what drives success, and the crucial role risk plays in the process.

Nick guides large organisations through digital transformation, IT strategy and innovation. He sees close up how companies struggle with questions about AI, cloud, cybersecurity, change readiness and the speed at which they need to adapt. According to Nick, organisations tend to overestimate the importance of technology and underestimate the importance of people, culture and behaviour. As he puts it: “At BCG we always say 10, 20, 70. Ten percent is about algorithms and data, twenty percent about technology and seventy percent about how you bring people along.”

At a time when organisations operate in complex chains, face stricter regulation and depend more heavily on third parties, that mindset is more important than ever.

From long-term planning to organisational agility

Nick argues that classical strategic planning is less effective than it used to be. Where organisations previously relied on three- to five-year plans built on stable market patterns, today’s reality is far more dynamic. He explains: “As an organisation you must have a change capability. You need to be able to adapt quickly and respond fast to the market.”

He cites the example of Lovable, a platform that attracted a million users within a few weeks. Developments like these create immense pressure for organisations with heavy governance structures, complex processes or significant legacy.

For risk professionals this means that risk assessment becomes broader. You are no longer only evaluating whether something is secure, but also whether the organisation is agile enough to change securely.

Why seventy percent of transformations fail

BCG has been studying digital transformation for years through an international survey. The result has barely changed: only thirty percent of organisations achieve their intended business outcomes. Nick puts it bluntly: “What frustrates me is that when I started in this industry, the number was also about thirty percent. You start to wonder what we have learned.”

Successful organisations tend to have several elements consistently in place: visible leadership from the management team, active involvement of middle management, short working cycles, a modular technology landscape and a programme structure that steers firmly on value, risk and progress.

For any risk team these are early warning signals. You are often the first to see where disruptions may arise, where the pace is too high, or where technology dependencies increase exposure.

People determine success

Nick stresses that transformation is fundamentally a people challenge. Many employees worry about the impact of AI and digitalisation on their jobs. According to the figures he uses, only sixteen percent of employees believe their organisation handles change well. He calls that “incredibly low.”

He sees that many organisations guide change only superficially. Teams receive sessions or inspiration days, but decisions are not based on data. As Nick says: “Change is too often treated as a fluffy discipline, whereas change management can actually be a data-driven field.”

Empathy is essential. Many professionals have spent years in the same domain and now see tools emerging that automate parts of their work. Nick says: “People have worked with passion in a discipline, and suddenly there is a tool that can do it better. That is a worrying development and you must recognise that.”

AI and the new skill set for professionals

AI plays a significant role in the conversation. Nick uses ChatGPT and Gemini daily and sees how AI can take on repetitive work so that professionals can focus on interpretation. He says: “I do not believe AI will remove jobs at all. I do believe you need new skills to remain relevant.”

AI applications directly influence third-party risk and cybersecurity, for example by summarising documents, identifying patterns in large volumes of reports, or structuring information that is currently reviewed manually.

As Jelle says in the podcast: “Nobody enjoys reading assurance reports. If AI can scan where the key findings sit, that saves an enormous amount of time.”

Expert judgment must always remain central. Professionals must continue to assess whether AI uses the right assumptions and be able to intervene when outcomes are incorrect.

Risk as a strategic partner

According to Nick, risk is no longer a supporting function on the sidelines. Due to digitalisation, outsourcing and heavy supplier dependencies, risk management has become a strategic topic. He says: “It is now a subject discussed in the boardroom, particularly with outsourcing to India.”

His advice is clear: strengthen your position. He observes a sense of underestimation within some risk teams. “Sometimes in risk we still have a bit of the Calimero effect. Yet you have an incredibly important role in guiding digital transformation. Position yourself as a partner, as someone’s best ally. That is where the best discussions happen.”

By joining early, offering alternatives and showing the impact of decisions, you strengthen both your position and that of the organisation.

What you can start doing tomorrow

• Actively involve employees in changes and map their concerns and knowledge levels
• Continuously measure how groups respond to changes and adjust accordingly
• Build your technology and data infrastructure so successful pilots can scale
• Use AI for repetitive and time-consuming tasks and apply the saved time for deeper analysis
• Position yourself as a strategic partner instead of a controller who only steps in at the end
• Look across the full chain and use data to identify where dependencies and risks increase

Digital transformation requires far more than technology. It demands organisational agility, people-centred leadership and strong risk management. By using AI wisely, guiding change in a data-driven way and positioning yourself as a strategic partner, you increase the success rate of any transformation and strengthen the organisation’s overall resilience.

View or listen to the full episode with Nick here.


Ivo Geersen
Lead developer
