
How to Create a Strategic Plan
Looking for a way to take your company in a new and profitable direction? It starts with strategic planning. Keep reading to learn what a strategic plan is, why you need it and how you can strategically create one.
What Is a Strategic Plan?
When it comes to business and finance, strategic planning will help you allocate your resources, energy and assets. When implemented, a strategic plan will begin to move your operations in a more profitable direction. The primary goal of the plan is to ensure you and any other stakeholders are on the same page and striving to reach the same goal.
Creating a strategic plan requires a disciplined effort. Once you put the plan into action, it will influence the segment of customers that you target, how you serve those customers and the experience those customers have.
Assess the Current Infrastructure and Operations
The first step in creating a strategic plan is to carefully assess your existing infrastructure and operations. You can do this through a SWOT analysis, which is an analysis of the company’s strengths, weaknesses, opportunities and threats. The goal here is to pinpoint the resources that you use to carry out your day-to-day operations, to look at your monthly revenue patterns, to list any company challenges related to the customer experience and, most importantly, to look at your marketing methods and ways to improve the overall customer experience.
Creation of Mission Statement and Objectives
The next step is to create a mission statement. You may already have one, but it’s important to note your mission at the top of the strategic plan document you create. This ensures everyone is focused on the same goal. Your mission statement should cover why you started the company and what you intend to accomplish through the products and services that you offer.
In addition to the mission statement, make sure to outline both short- and long-term objectives. List the objectives according to their priority and designate certain managers or employees to be responsible for each one. Also, jot down the resources that will be used to achieve each objective.
Measure Performance
Now that you know what you’re trying to achieve and who is responsible for each goal, it’s time to deploy the plan and measure its progress. A weekly meeting is extremely important so that all managers and stakeholders can provide feedback. Your goal is to determine if the company is headed in the right direction. If not, you’ll need to revise the strategic plan accordingly.
Strategic Plans Are Ongoing
Once your strategic plan helps you achieve several objectives, it’s smart to regroup and set new objectives. As your company grows, you can set new goals to ensure the company keeps moving forward. You can share the success of your strategic plan with potential investors as a way to tap into new capital funding.

5 Steps to Effective Strategic Risk Management

Strategic risk management is a crucial, but often overlooked, aspect of enterprise risk management (ERM). Traditionally, ERM has focused on financial and operational risk. However, the fact is that strategic risk is far more consequential.
What is strategic risk?
Simply put, strategic risks are risks that a company takes that could potentially result in a major loss.
A company that has superior and unmatched manufacturing processes will still fail if their consumers no longer want their products. This was the lesson that was learned by even the most efficient buggy whip makers once Henry Ford introduced his Model T in 1908. Cellphone handset manufacturers faced a similar crisis when the Apple® iPhone® arrived on the scene.
Identifying strategic risks enables organizations to develop a strategic risk management strategy that combats the root cause and mitigates risk due to competition, market or industry changes, and other external risks such as changes in customer demand.
What is strategic risk management?
Strategic risk management is the process of identifying, quantifying, and mitigating any risk that affects or is inherent in a company’s business strategy, strategic objectives, and strategy execution. Types of strategic risks may include:
- Shifts in consumer demand and preferences
- Legal and regulatory change
- Competitive pressure
- Merger integration
- Technological changes
- Senior management turnover
- Stakeholder pressure
As industry expert James Lam says, strategic risk is the big stuff, and prioritizing strategic risk management means sweating the big stuff first. In other words, an effective strategic risk management framework will prioritize understanding the risks that your business faces to take the necessary steps to protect your assets and your business.
Strategic risk is a bell curve

Like any risk, strategic risk falls along a classic bell curve, with results along the x-axis and likelihood along the y-axis. The expected result of a given risk strategy would represent the peak of this curve. Most strategic risk planning considers only this peak while ignoring the slopes to either side.
But imagine two strategic risk initiatives, each with a similar expected result. One falls along a narrow, steep curve, indicating a low risk of failure and little upside opportunity. The other is represented by a wider bell, with greater chances of both under- and over-performance. Which to choose? The answer depends on an individual company’s appetite for risk.
Strategic risk management: shifting the curve
Now imagine a third curve with that same expected result. This one rises steeply from the left but slopes more gently downward on the right. Here, downside risk has been minimized, and upside opportunity increased. That is the goal of strategic risk management: to shape the curve in a way that favors success.
How do you measure and manage strategic risk?
As the saying goes, you can't manage what you can't measure.
In order for us to understand how to manage strategic risk, we must first take a look at how to measure it. A key tenet of enterprise risk management (ERM) is measuring risk with the same yardsticks used to measure results. In this way, companies can calculate how much inherent risk their initiatives contain, monitoring risks to inform key business decisions.
Strategic risk can be measured with two key metrics:
Economic capital is the amount of equity required to cover unexpected losses based on a predetermined solvency standard. This standard is usually derived from the company's target debt rating. Economic capital is a common currency with which any risk can be quantified. Importantly, it applies the same methodology and assumptions used in determining enterprise value, making it ideal for strategic risk.
Risk-adjusted return on capital (RAROC) is the anticipated after-tax return on an initiative divided by its economic capital. If RAROC exceeds the company's cost of capital, the initiative is viable and will add value. If RAROC is less than the cost of capital, it will destroy value.
Five steps for Effective Risk Mitigation Strategies
Managing strategic risk involves five steps which must be integrated within the strategic planning and execution process in order to be effective:
- Define business strategy and objectives. There are several frameworks that companies commonly use to plan out strategy, from simple SWOT analysis to the more nuanced and holistic balanced scorecard. The one thing that these frameworks have in common, however, is their failure to address internal and external risk. It is crucial, then, that companies take additional steps to integrate risk management at the planning stage by using a risk management framework, which is a template and guideline used by companies to identify, eliminate and minimize risks.
- Establish key performance indicators (KPIs) to measure results. The best KPIs offer hints as to the levers the company can pull to improve them. Thus, overall sales makes a poor KPI, while sales per customer lets the company drill down for answers.
- Identify risks that can drive variability in performance. An effective risk strategy will identify the unknowns, such as future customer demand, that will determine results.
- Establish key risk indicators (KRIs) and tolerance levels for critical risks. Whereas KPIs measure historical performance, KRIs are forward-looking leading indicators intended to anticipate potential roadblocks. Tolerance levels serve as triggers for action.
- Provide integrated risk reporting and monitoring. Finally, companies must monitor results and KRIs on a continuous basis in order to mitigate risks or grasp unexpected opportunities as they arise.
Strategic risk represents the greatest dangers—and opportunities—your company faces. By taking steps to mitigate risk at the enterprise level, companies can shape their future success while minimizing downside exposure.
Apple and iPhone are trademarks of Apple Inc., registered in the U.S. and other countries.
Editor's note: This blog post was originally published February 14, 2017, and has been updated.


SVP, Investor Relations and Corporate Development
As senior vice president of corporate development and investor relations, Mike Rost is a key contributor to the organization's growth with a focus on corporate development initiatives, emerging business areas, and developing relationships with investors and key stakeholders. Since joining Workiva in 2015, he has served in various leadership roles helping to drive the organization's growth, including the scaling of Workiva’s marketing and partner & alliance functions.
With more than 25 years of experience assisting organizations to optimize business processes, Mike has an extensive background in finance, accounting, enterprise performance management and Governance, Risk and Compliance (GRC) technology. Prior to Workiva, Mike served as vice president of marketing at Metricstream and vice president of strategic marketing at Thomson Reuters. Prior to that, he spent more than a decade in product management and marketing positions for SaaS companies and held finance positions at Pillsbury and Rollerblade, Inc.
Mike has been active in industry associations, including the Open Compliance and Ethics Group (OCEG) and the Institute of Internal Auditors (IIA). He was also a founding member of XBRL International (eXtensible Business Reporting Language), the global not for profit consortium for open international standards for digital business reporting. He has also been a frequent speaker at industry conferences on subjects such as finance transformation, data and reporting, and risk and compliance technology. He received his Bachelor of Science in Economics and his MBA from the University of Minnesota.
Develop a Risk Strategic Plan You Can Use
Put your risk management strategic plan on one page with this template.

Effective risk management strategic planning connects your enterprise strategy to specific initiatives for your function. Done well, your risk management strategy should provide a clear roadmap to deliver on your business goals.
Use this proven one-page risk management strategy template to:
- Build a successful risk strategic plan
- Communicate your risk strategy with precision and clarity
- Secure buy-in from business partners
- Execute your strategic objectives on time and within budget
About Gartner Risk Strategic Plan Template
Gartner Risk Strategic Planning Template helps risk leaders define the roadmap for executing the key actions required to meet risk strategic goals in alignment to the enterprise business model and goals. Additionally it helps you create and communicate a clear action plan that states where the risk function currently is, where it needs to be, how to get there and how you will measure progress.
Webinar: 7 Key Trends That Will Impact Your Strategic Planning
Inflection points and wild cards continually threaten to shake up industries. However, future-fit organizations survive disruption by actively sensing and responding to changes. This complimentary webinar will help risk executives scope key macro and environmental trends that could impact their organization’s business models and risk management strategies.

Strategic Risk Management: A Complete Overview (With Examples)
by Cascade Team, on Apr 16, 2022


What is strategic risk?
Strategic risk is the probability of the organization’s strategy failing. It is an estimation of the future success of the chosen strategy. Since strategy is a set of clear decisions, strategic risk reflects the aggregate of the risks of those decisions.
At their core, strategic risks affect an organization's overall strategy. They can sometimes be difficult to spot and manage.
This means that particularly at an executive level, leaders and teams need to be able to look for strategic risk and, instead of categorizing them as things to hedge or mitigate, develop the acumen to ask the appropriate questions:
- Are we going to resist this, avoid it or maybe push it away?
- Or do we embrace it, use it as an indicator for the market and take it as an opportunity for a strategic change?

Why strategic risk management is important
Organizations that fail to do proper risk management face significant threats. At times, they face existential threats. Kodak was a pioneer in the photography space (they actually filed a patent for one of the first digital cameras), but they lost the digital camera race. Blockbuster made $6 billion in revenue at its peak, but there is only one store left in the world!
MySpace was once one of the dominant social networks until Facebook came along. You could argue that these companies failed to innovate. Maybe, but they also failed to evaluate the threat properly and the risk involved in not dealing with it.
Every great company takes risks.
Smartphones, eReaders, car-sharing services, even natural cleaning products — so much of what we as consumers now take for granted was a brave step, once upon a time. But Apple, Amazon, Zipcar and Method didn’t launch their category-defining products overnight.
These organizations safeguarded their success with a strong risk management strategy. They knew what success would look like, which factors could cause them to fail, what failure could cost them, and how they would respond to obstacles in their path.
Managing strategic risk is an essential activity for all businesses, whether you’re launching an innovative solution to market or just trying to stay ahead of the competition.
Understanding the dangers (however small) and their potential impact (however minor) empowers leaders at different levels to make smart, well-informed decisions.
That’s easier said than done.
Risk management is a dynamic process - it shifts focus as internal and external influences change. It also requires joined-up thinking and communication across an organization.
If you’re tasked with strategic planning and execution within your business, it can seem like an insurmountable task. Yet, armed with the right information, you can help ensure that your organization achieves its goals.
The two kinds of strategic risk factors
Internal strategic risk factors
Every business has strategic objectives and established routines.
Strategic risk relates to the dangers companies face in trying to accomplish their strategic objectives. Even though your plan might seem viable and on track for success, analyzing the strategic risks involved can help organizations identify obstacles (or opportunities) — and address them before it’s too late.
Strategic risks relate to a business’s internal choices, such as product development routines, advertising, communication tools, sales processes, investments in cutting-edge technologies, and more. These all directly impact function, performance, and overall results.
External strategic risk factors
Some strategic risks originate outside the company.
These could apply to the current or projected environment into which products will be released.
It’s often easier to understand strategic risk through real-world examples. For instance, a new type of smartphone might be in high demand today, but economic changes could lead to a drop in commercial interest, leaving the business in a totally different position than it might have expected.
Or a competitor may release a groundbreaking product or innovative service that fills the gap first, creating significant risk to the success of a strategy.
And let’s not forget that technology’s swift evolution could cause a new product to become obsolete within a few months — I’m sure that the manufacturers of wired headphones felt their stomachs drop when they saw Apple had cut the headphone jack.
These types of risks pose a real danger to companies. Investing in a business model with little chance of achieving the envisioned success can lead to severe financial strain, loss of revenue, and damage to reputation.
And none of these are easy to recover from.
What is strategic risk management?
Strategic risk management is the process of recognizing risks, identifying their causes and effects, and taking the relevant actions to mitigate them. Risks arise from inside and outside factors such as manufacturing failures, economic changes, shifts in consumer tastes, etc.
Strategic risk can disrupt a business’s ability to accomplish its goals, break out in the market or even survive. Effective, efficient management puts the power in leaders’ hands to avoid potential obstacles to success and maximize their performance.
One of the first things you need to do to better manage risks is learn to identify them.

Strategic risk assessment - How to identify strategic risks
Recognizing and taking action on strategic risks is vital to mitigate costly problems.
In your strategic risk management toolkit, you’ll need two essentials:
- An in-depth understanding of where your organization stands. This includes your target audience, market sector, competitors, and the environment in which your business operates.
- A clear awareness of your organization’s core strategic goals, from conception to proposed execution.
Gathering data on both areas can take time and investment, but it’s worthwhile to achieve accurate insights into strategic risks.
The more information you have to draw upon, the more likely it is that you’ll be able to implement processes and safeguards that facilitate organizational success.
Teams have a choice of different approaches when identifying strategic risks.
Initiate “What if” discussions
Gather employees from across the business to explore ‘what-if’ scenarios.
By mind mapping risk factors collaboratively — with a mix of perspectives and experiences from different departments — Heads of Strategy, Change Managers and Business Analysts may discover risks they wouldn’t have thought of on their own.
All potential risks are worth considering, no matter how unlikely they may seem at first. That’s why participants should be encouraged to let their minds wander and suggest virtually any viable risk that occurs to them.
It’s best to have a long list that can be reduced through elimination: underestimating risks can lead to businesses being unprepared down the line.
Gather input from all stakeholders
Speak with the whole range of stakeholders and consider their views on strategic risks.
If you consult a wide enough group, they will have perspectives on the organization that differ from those of your core employees.
Collecting a wide range of perspectives creates a holistic view of risk factors which can prove hugely beneficial when trying to understand the dangers the organization faces.
Their broad awareness of how the company operates can raise unexpected possibilities that need to be factored in.
Strategic risk examples
The specific strategic risks relevant to your business will largely depend on your sector, product range, consumer base, and many other factors. That being said, there are some broad types of strategic risk, each of which should be on your radar.
Regulatory risks
Let’s demonstrate the importance of regulatory risks with an example.
Imagine an organization working on a new product or planning a fresh service set to transform the market. Perhaps it spots a gap in the industry and finds a way to fill it, yet needs years to bring it to fruition.
However, in this time, regulations change and the product or service suddenly becomes unacceptable. The company can’t deliver the result of its hard work to the target audience, risking a substantial loss of revenue.
Fortunately, the organization had prepared for unexpected regulatory change. Now, elements of the completed project can be incorporated into another or adapted to offer a slightly different solution.
The lesson here?
It’s vital for companies to stay updated on all regulations relevant to their market and be aware of upcoming changes as early as possible.
Competitor risks
Most industries are fiercely competitive.
Companies can lose ground if their market rivals release a similar product at a similar or lower cost. Pricing may even be irrelevant if the product is suitably superior. Competitor analysis can help mitigate this strategic risk: businesses should never operate in a vacuum.
Economic risks
Economic risks are harder to predict, but they pose a real danger to even the most well-realized strategy.
For example, economic changes can lead a business’s target audience to lose much of its disposable income or scale back on perceived luxuries.
Customer research is imperative to stay aware of what target audiences desire, their spending habits, lifestyles, financial situations, and more.
Managing strategic risk vs operational risk
Companies face various kinds of risks.
Strategic risks and operational risks are two distinct kinds. While strategic risks originate from both internal and external forces, operational risks stem solely from the internal processes within a business. And they stand to disrupt workflow.
However, the biggest difference between them is the level of the decisions they reflect.
Strategic risks reflect the risk of decisions at a higher level, where the overall strategic plan is considered. Operational risks reflect the risk of decisions at a lower level, the operational level, where the execution of the strategic plan is outlined.
Simply put, strategic risk is about what you do, and operational risk is how you do it.
Operational risks examples
Operational risks are critical to consider and must be dealt with as soon as possible. They directly impact a business’s work and can tie in with strategic risks, as the resources, processes, or staff available may be unable to achieve the established goals.
One example of operational risk is outdated machinery. It can cause a slowdown in production, delay completion, and ultimately damage employee morale. In this case, the operational risk might stem from what appears to be a non-critical problem but has the potential to drag productivity down to rock bottom. So the decision of whether to upgrade the machinery should be considered.
Another example of operational risk is a company’s current payroll system. Let’s say they outsource to a small team with a weak reputation purely because it’s a cheaper alternative to working with a more reliable payroll solution. But this option could create a higher risk of late payments, processing errors, or other issues with the potential to frustrate the company’s most valuable asset: its employees.
Risk management strategies
Discuss opportunities and risks separately.
This is something that needs to happen before the risk identification process. Mixing potential opportunities and their risks in the same conversation handicaps the opportunity conversation.
You want your people to free their minds, brainstorm ideas, and locate all possible growth and incremental opportunities. Don’t allow that process to shrink and miss out on great opportunities. Discuss risks in a different meeting on a different day.
Distribute resources at the operational level
Once you have decided on your company’s strategy, you’ll have to align every department and person with it.
Allocate your resources in a way that serves your overall strategy to succeed. That means starving certain departments or regions to feed the ones that contribute the most to your strategic objectives.
Mitigating strategic risks is often nothing more than focusing on a great execution of your strategic plan.
Align your incentive structure
Focus on execution takes another form besides resource redistribution.
You have to revisit the incentive structure of your top and middle management and align it with your strategic objectives. This is a crucial step to executing your strategy because it eradicates internal conflicts.
If your leadership team is rewarded according to an older strategic plan, don’t expect them to take care of your new plan’s risks. They simply won’t have the incentive to do so.
Strategy risk management examples
Let’s examine two specific real-life examples of strategic risk. One that happened a little while ago, and one that is still happening now.
Complacency vs Disruption
Before Netflix, HBO Go, Amazon Prime, Disney+ and all the other streaming platforms, people used to go to Blockbuster.
In its prime, Blockbuster had over 9,000 locations around the world and became synonymous with movie rental. It had a huge slice of the market share and looked pretty peachy until the late nineties. Then, in 1997, a little company called Netflix came knocking.
At the time, Netflix didn't stream. It simply delivered rentals in the mail for a set fee each month. There were no late fees (which was one of the biggest gripes from Blockbuster customers), and movie delivery was very convenient.
Netflix was a pretty obvious strategic risk to Blockbuster, which needed to manage it somehow. This could also be seen as a clear opportunity for Blockbuster since they were in a position to buy Netflix but refused to do so.
Yes, Blockbuster passed on the $50 million Netflix deal and sealed its fate in the process.
Regulatory complexity
This story is still in development, so who knows how it will end.
Uber is known as the company that shook the cab industry around the world, but things are still changing. Uber is a tech company and understands that change happens and risk evolves faster than ever before.
This is why they began investing in self-driving technology early on. At first glance, this seems counter-intuitive since moving in this direction could really upset the thousands of Uber drivers out there, but Uber gets it.
They know that if they do nothing, someone else will sweep in, and soon enough, turn Uber into another Blockbuster story.
Uber is a great example of strategic risk management since they not only have to manage things like implementing self-driving cars, but they have also had to navigate through complex regulatory risks in multiple countries.
They have also faced issues around customer safety, assaults, and constant battles with all kinds of protests and regulatory issues.
How to measure strategic risk
So now you know the strategic risks your organization faces, you need a quantifiable figure to measure them. We suggest two specific tools:
Economic Capital
This relates to the amount of equity a business needs to cover any unplanned losses, according to a standard of solvency (based on the organization’s ideal debt rating).
This metric allows businesses to quantify all types of risks related to launching new products, acquiring enterprises, expanding into different territories, or internal transformation. Then, they can take the necessary actions to mitigate those risks.
RAROC: Risk Adjusted Return On Capital
This is the expected after-tax return on a scheme divided by its economic capital.
Companies can leverage this metric to determine if a strategy is viable and offers value, helping to guide leaders’ decision-making process. Any initiative with a RAROC below the cost of capital offers no value and should be scrapped (sorry!).
Decision trees
Businesses on all scales can utilize both metrics to measure strategic risk, but the stakes will be different for a small enterprise than for a global corporation. The former may never recover from a bad investment, while the latter has a higher chance of weathering the storm.
As a result, companies may use a decision tree to map the possible outcomes of a decision. This enables teams to determine which choices yield which results and prepare for all eventualities. Specific turning points can be identified and handled appropriately.

Strategic risk management strategies
Now you have all the information, you need to capture it in one place: the strategic risk management framework. This is where you bring together all the resources (employees, technologies, capital, etc.) required to mitigate losses caused by internal or external forces.
Exactly how your framework is structured is your choice, but the following is a great strategic risk management template:
- Understand where you are right now. You could use a SWOT (Strengths, Weaknesses, Opportunities, and Threats) analysis, for example. Here you need to know where your organization is, your vulnerabilities, and what threats you face in the market.
- Define your strategy and its goals. This is where you clearly outline the strategy for your organization. Use this battle-tested strategic planning template to build or revisit your strategy.
- Next, key performance indicators (KPIs) should be selected. These can be used to measure success, monitor changes, and explore improvement opportunities over time.
- The next step is to identify those risks which can affect productivity and performance in the future. These factors may not be as apparent as others. For example, consumers’ changing tastes can be hard to predict but still have the potential to knock plans off the rails.
- You can use a Risk Assessment Matrix that will help you score potential risks based on the probability and the impact on the business.
- KRIs (key risk indicators) should be identified to gauge your business's tolerance to obstacles. Be sure to look ahead at issues that may lurk around the corner, and determine the right time to put mitigating actions into effect.
- The final step is to continually monitor KPIs, KRIs, and their internal processes to chart progress. Are problems being resolved fast enough? Are target customers’ needs being addressed? Are all essential programs and processes in place? The aim is to stay on track and adapt to ensure you achieve your objectives.
A long-term strategic risk management strategy
Managing strategic risk is an ongoing process.
It enables organizations to minimize their danger of experiencing severe losses and, ultimately, failure. It doesn’t guarantee every project will be a success (far from it!), but it will provide all the necessary tools to make better decisions in the long run.
Remember to take your time, even if there’s market pressure to act fast. Trying to rush this process could lead to missed threats or opportunities in your risk analysis. Stay on top of your strategic risk management well into the future; that’s the key to organizational success.
Cascade has integrated risk values that automatically calculate your strategic plan’s risks. Take a tour of our platform or book a demo with one of our strategist experts to help you develop your strategy.
© Copyright 2021 Responsis Pty Ltd. All rights reserved.
9 Strategic Risk Examples and How to Successfully Tackle Them

What is meant by strategic risk? Strategic risk examples encompass many different risks, and depending on the nature of your business, you may face any or all of them. Understanding the types of strategic risk you face is fundamental to your ability to tackle them as part of your broader governance, risk and compliance (GRC) strategy.
Whether you are a chief risk officer and strategic risk falls firmly within your orbit, or whether, as CFO, CEO or general counsel, you take more holistic responsibility for your organization's risk strategy, understanding and mitigating risk at a strategic level will be a priority.
In today's hyper-connected world, risk evolves faster than businesses can devise strategies to tackle it. Being familiar with different strategic risk examples can help you get ahead of the curve, helping you identify the types of strategic risk your organization faces and the tactics you can put in place to respond.
Understanding the Different Types of Strategic Risk
'Strategic risk' is a term that's often bandied about. But what does the phrase mean in practice? What types of risk are defined as 'strategic?' How do you identify strategic risks? What are the examples of strategic risks you might face in your organization? What are the types of strategic risk you should prioritize in your risk mitigation strategy?
Strategic risk is a category of risk; alongside operational, financial, regulatory and other business risks, it forms part of the umbrella of risks your organization faces.
When we look at strategic risk examples, they are generally defined as those that threaten a business's ability to set and implement its chosen strategy.
They may be external; events like the Covid-19 pandemic are the perfect example here.
They may be 'self-inflicted,' brought about via an organization's own strategy and decision-making. An example of this would be the accelerating digital transformation of businesses, which has delivered many positives but has also exposed new types of risk.
Exploring Strategic Risk Examples
Regulatory and legislative drivers relating to governance, risk and compliance strategies more generally are also prompting businesses to focus on strategic risk. At the same time, a spotlight has been thrown on strategic risk via growing awareness of the close ties between risk, compliance and business value.
This evolution of risk has led organizations to try and bring some structure to their mitigation strategies by categorizing and prioritizing the risks they face. Let's look at some of the examples of strategic risks you might face.
Some sources distill strategic risks into five types, sometimes called the 'five sources of strategic risk.' However, these aren't always consistent; look up several different sources, and you will find a variety of risks listed among the 'five types.'
Our list of strategic risk examples below therefore includes more than five.
What Are the 9 Examples of Strategic Risk?
Among the types of strategic risk you should have on your radar are:
- Competitive risk. The risk is that you fall behind your competitors as they innovate and improve their offerings faster than you.
- Change risk. The digital transformation risk we cited above is a prime example of this: the inherent risks of introducing any change program.
- Disrupt your business
- Create new responsibilities
- Demand new technologies (and therefore linking back to change risk)
- Distract your business leaders from their operations as their time is abstracted to put in place new governance processes and control measures
- Reputational risk. The risk that your corporate standing is threatened. The potential causes of this are legion, from regulatory compliance breaches to shareholder activism or poor performance in public ratings, such as those used to measure ESG performance.
- Political risk. The potential for political change, or the political landscape overall, to disrupt your business. For example, through volatility in a country within your supply chain.
- Governance risk. The risk brought about by poor governance, risk and compliance processes within your organization.
- Financial risk. Risks relating to the financial health of the organization. This differs from...
- Economic risk. This refers to the broader economic landscape and its potential to affect the success of your business strategy.
- Operational risk. The risk is that your operations and business processes are not up to standard.
Many of these examples of strategic risk are inter-connected. For instance, if you face operational risks around the efficacy and rigor of your processes, this is likely to expose you to financial or regulatory risk. Similarly, if you fail to tackle governance risks, you may well encounter reputational risk.
The intertwined nature of the types of strategic risk emphasizes how important it is to take an integrated approach to address them.
How to Tackle the Different Types of Strategic Risk
Amongst all these strategic risk examples, there are positives. The linkages that cause one risk to increase the chances of another can also work to your advantage. Take a coordinated, integrated stance on one aspect of strategic risk, and your performance in others should also improve. As companies refine their approaches to risk mitigation, they become better able to recognize these connections. As a result, they can approach risk strategically, capitalizing on synergies for a more robust result.
Below we also set out some specific tips that can help you tackle the different strategic risk examples:
- Competitive risk. Remaining competitive means understanding your competition; data is key here, and technology can be your friend in enabling you to provide your board with the competitive intelligence they need.
- Change risk. Here, good governance is the secret. Put governance at the heart of your change programs and reduce the risks they bring while enhancing their benefits.
- Regulatory risk. Keeping on top of the latest developments in the fast-moving regulatory landscape is vital here; you can't meet expectations if you're not aware of them. Ensure you keep abreast of the news and trends in risk and compliance.
- Reputational risk. Bolster your GRC processes, and you have a better chance of swerving the risks that can derail your brand.
- Political risk. There is less you can do here, although ensuring you build sustainable supply chains rooted in countries where political volatility is less of a threat can help make your operations more resilient.
- Governance risk. As with change risk, robust governance processes and controls are essential to reducing risk here.
- Financial risk. While some financial risks come from external factors, improving your ability to measure, monitor and respond to the business risks you face, if done successfully, should minimize the financial threats that fall within your wheelhouse.
- Economic risk. Sustainable supply chains can help here, reducing the threat from economic instability in countries you source from. And, again, keeping pace with external events that can affect your risk profile is vital.
- Operational risk. One of the areas you have the most control over; introducing agility, rigor and structure to your operations can significantly reduce your risk across all areas of your organization.
Understand and Respond to All Types of Strategic Risk
Hopefully, this article has given you a deeper understanding of the types of strategic risk you face, and some examples of strategic risk that bring this to life. It has also provided insights into how you can tackle different strategic risks.
Remaining on the front foot in terms of upcoming legislation, economic trends and governance best practice can really make the difference, amplifying your ability to be proactive in the face of changing risks.
Diligent's regular GRC Newsletter summarizes the latest insights, exploring strategic risk examples and mitigation strategies in-depth and, as a result, enabling organizations to develop successful enterprise governance risk and compliance programs. You can sign up to receive the newsletter here.

Strategic risk: a quick guide

Strategic risk refers to the internal and external events that may make it difficult, or even impossible, for an organisation to achieve its objectives and strategic goals. These risks can have severe consequences that impact organisations in the long term.
Given the significance of this type of risk, we have put together this quick guide to help you get up to speed with all things strategic risk, including strategic risk examples, definitions, and an overview of strategic risk management.
Let’s start by diving a little deeper into what exactly strategic risk is.
What is strategic risk?
Strategic risk is a category of risk in the same way that risks such as operational risk, financial risk, reputational risk and regulatory risk are. Sometimes, strategic and operational risk can be confused with each other, but we will get to the differences later. First, let’s look at some strategic risk definitions.
Roberts, Wallace and McClure (2003) describe strategic risk as relating to ‘risk at the corporate level’ which ‘affects the development and implementation of an organisation’s strategy.’
Similarly, the Economist Intelligence Unit (2010) explain that ‘Strategic risks are those that pose a threat to a company’s ability to set and execute its overall strategy.’
Deloitte (2013) expand on this strategic risk definition, stating that these risks can also be ‘created by an organisation’s business strategy and strategic objectives’. In other words, as well as impacting how likely an organisation is to achieve its strategy, strategic risks also arise from strategic decisions themselves.
Furthermore, Louisot and Ketcham (2014) state that strategic risks are ‘associated with adopting or not adopting the correct strategy for an organisation in the first place or, once adopting, not adapting the chosen strategy in response to competition or other forces’. This, and the definition from Deloitte, align with Roberts, Wallace and McClure’s statement that ‘one example of strategic risk is the risk that the strategic decision is wrong.’
So, what can we learn from these strategic risk definitions?
In essence, strategic risk refers to the events or decisions that could potentially stop an organisation from achieving its goals. It also refers to the danger of an organisation’s strategic choices being incorrect, or not responding effectively to changing environments.
As you may suspect, your organisation will therefore need to be aware of the possible circumstances that could put an obstacle between your organisation and its objectives. You also need to be ready to adapt and respond quickly to any changes.
What is the difference between strategic risk and operational risk?
Both strategic and operational risk can have serious consequences for organisations if they materialise. After the 2008 financial crisis, many organisations wanted those working in risk management to look beyond operational risks and focus on strategic risks due to a lack of effective foresight. However, as operational risk refers to the more immediate and tangible risks your organisation could face, disregarding this completely would be a mistake.
Here are the key differences:

Strategic risk examples
Examples of events or circumstances that could derail an organisation’s strategic goals include:
- Strategic decisions that are unclear or poorly made
- Changes in senior management and leadership
- The introduction of new products or services
- Mergers and acquisitions which prove unsuccessful
- Market or industry changes, such as a shift in the needs or expectations of customers
- Problems with suppliers and other stakeholders
- Financial challenges
- Failure to adapt to a changing environment or keep up with competitors
- Company reputation damage
And that list is not exhaustive. Almost any strategic decision the board makes can run the risk of not working out, and there are a range of activities – operational and otherwise – that have the potential to stop your organisation from achieving its aims. That’s why having an effective strategic risk management process is so imperative.
What is strategic risk management?
Strategic risk management is a term that can cause some confusion. Does it relate to risk management that is strategic in nature? Or does it refer to the actual management of strategic risk? The truth is, it can mean both. For the purposes of this guide, we will look at how you can manage strategic risk.
The good news is that you can follow the same 5-step process of identifying, assessing, treating, monitoring, and reporting that you would when handling other types of risk.
Your strategic risk management framework may therefore look something like this:
1. Identify the strategic risks your organisation could come up against
2. Conduct a strategic risk assessment to determine the likelihood of risks occurring, and the impact they might have
3. Choose a strategy for dealing with each risk
4. Monitor each risk over time to keep on top of any changes
5. Report at each stage of the strategic risk management process
When it comes to managing strategic risk, make sure you pay close attention to organisational strategy and objectives, have a broad oversight of the strategic risks you could face, and be proactive by adapting to changes and responding effectively.
Improve your strategic risk management framework with technology
Having a proper risk management process in place helps ensure your organisation is prepared to handle strategic risk. With risk management software, you can maximise these efforts. After all, the benefits of technology include time-saving automation, and improved quality and efficiency of risk decisions. Technology can also help you keep track of a constantly changing risk landscape, which is imperative for managing strategic risk.
What’s more, the right software can help you put your strategic risk management framework into focus, so you can be sure that your organisation is doing the most that it can to achieve its strategy and manage any risks that arise along the way.
Find out how to choose the right risk management technology for you, to help your organisation better manage strategic risk.


Abbie Glossop
As Digital Content Executive at Ideagen, Abbie is responsible for writing engaging and educational content for Ideagen’s digital channels. With a background in writing and social media, Abbie is committed to understanding the needs of our customers and providing insightful and valuable content that helps them to achieve their objectives.

Strategic Risk Management: 5 Tips for Success

Successful businesses have to both do the right things and do things right to stay ahead. In terms of action, this means having operations in line and also defining a strategy that works. However, many companies lose out on market opportunities because they ignore strategic risks. While operational risks also pose a threat, strategic risks tend to be overlooked more often, yet they can have a more significant impact. This is why strategic risk management is so important.
Here, we will define strategic risk, understand strategic risk management and share five tips for success for its implementation.

1. What is Strategic Risk?
2. What are Strategic Risk Examples
3. How to Overcome Different Types of Strategic Risk?
4. Strategic Risk vs Operational Risk
5. What is Strategic Risk Management?
6. Strategic Risk Assessment Process
7. Integrating Strategic Risk Management
8. 5 Tips for Success: Measuring and Managing Risk
9. How Automation Helps
10. Types of Risk
11. A CFO’s Approach to Strategic Risk Management
12. The Bottom Line
What is Strategic Risk?
In its simplest definition, strategic risk is the risk associated with failed business decisions. It refers to decisions or events that can get in the way of an organisation reaching its goals.
Strategic risk represents one type of risk that businesses face, along with risks like operational, financial, and regulatory, to name a few. In many instances, strategic risks and the other kinds of risk will impact one another as they are interconnected.
Strategic risk can take place due to competition, market events, changing regulations, compliance, and more. We’ll soon touch on what this could look like in your business.
These types of risks affect overall business strategy, but sometimes they are necessary to reap the rewards. For example, a bank takes on strategic risk by offering credit, but it’s an inherent risk that is directly related to its business goals. Since strategic risk is all centered around “doing the right things,” it may be harder to identify than operational risks, which come down to “doing things right.”
Strategic risks occur when businesses fail to meet the market’s needs. To achieve business goals, companies face dangers and downfalls. Every internal choice comes with the potential of making the wrong choice. To complicate things further, strategic risk isn’t only based on subjective decisions. It can also be caused externally by market demand and the environment in which products get released.
What are Strategic Risk Examples
By breaking down strategic risk examples, we can better understand how to overcome them. Here’s a look at what they can be categorised as:
- Competitive risk: This refers to the risk that your competition will gain more market share than you and you will fall behind them in innovation.
- Regulatory risk: The degree to which you must adhere to regulations varies by industry. In highly regulated industries like finance or transportation, this type of strategic risk will clearly be more of a concern. This is because new regulations can affect your business processes, call upon the need for new roles to be created, demand new technologies, and shift your business leaders’ time and focus to having to deal with the regulations.
- Political risk: Changes in the political landscape can affect a business’s operations, trade agreements, and more. Additionally, politics affects security and the supply chain, so it can pose a risk to businesses.
- Governance risk: Any risk associated with lack of governance or compliance. Again, the degree to which this risk affects your business will depend on your business line. When it comes to data and finances, governance risk is higher (which calls upon the need for more internal controls).
- Economic risk: The overall macroeconomic conditions affect how your business takes place and the success of your business strategy.
- Operational risk: This refers to the day-to-day ways that you execute in business and the risk that processes are not up-to-date. With outdated processes, you may be costing the business more, or be less productive, than you would be with process improvement.
- Change risk: Implementing changes within your organisation can create risk in itself if there’s resistance or struggles to adopt the change. Keep in mind that you can practice change management to overcome such risk.
How to Overcome Different Types of Strategic Risk?
The connection between the types of strategic risk can work to your advantage. It requires a holistic and high-level view of your business, goals, and strategy to decide how to mitigate the strategic risks you may face.
With that said, here are suggestions for overcoming such risks:
- Understand your competition and conduct market research
- Utilise data to your advantage for business intelligence and forecasting
- Remain aware of regulatory changes and adopt technologies and processes that are agile
- Select suppliers and vendors in politically stable countries
- Continuously monitor your business and its practices to protect against financial risks
- Leverage change management such that change is welcomed and understood by everyone involved
No matter what type of strategic risks your business faces, financial automation software can serve multiple purposes. You can rely on having data in a centralised and secure location. You will be able to measure the success of your processes and optimise efficiency. You can conduct data analysis to make use of historical data to predict future events and be prepared.

Strategic Risk vs Operational Risk
To better understand strategic risk, it helps to define what operational risk is to see the differences.
Operational Risk: Operational risk comes from how a business does something, or in other words, its operations. Risks can arise from a breakdown in processes, people or systems. These risks stem from how a business performs day-to-day activities.
Now that we better understand what strategic risk is and isn’t, how do business leaders plan around strategic risk? They implement strategic risk management.
What is Strategic Risk Management?
Once you recognise and acknowledge that strategic risk is inherent in the business, it pays to manage it.
Strategic risk management is the process of identifying risks, analysing their potential effects and taking necessary action to mitigate them. These internal and external risks pose a threat to the business’ strategy and objectives. For example, if a finance company is going to sign a big new client, there is an inherent risk that the company won’t be able to scale quickly enough to provide the full service the client needs, or that the client leaves after a short time. However, the finance company is aware of this risk and can plan for it by hiring part-time staff, or by keeping existing staff and freeing up their time through efficiencies such as automation tools.
As a focal point under enterprise risk management (ERM), strategic risk management focuses on the types of risks that will affect stakeholder value. As such, executive-level leadership must allocate their time to help manage and face this risk.
Some examples of strategic risk include:
- Technological changes
- Senior management turnover
- Merger integration
- Stakeholder pressure
- Competitive pressure
- Consumer demand shifts
- Consumer preferences changes
- Regulatory changes
It’s critical to assess the impact of strategic risks to prioritise the strategy to manage them. The two main metrics by which to evaluate strategic risks are:
- Economic Capital: This is the amount of equity needed to cover unexpected losses. It’s derived from the company’s target debt rating.
- Risk-Adjusted Return On Capital (RAROC): RAROC helps you understand the return on an investment relative to the risk involved. It determines the return level relative to the risk taken. The calculation is: (revenue - expenses - expected loss + income from capital) / capital
Strategic Risk Assessment Process
Putting strategic risk management in action involves several steps. It begins by assessing the types of strategic risk that can affect your organisation.
- Understanding organisational strategy: To measure the potential consequences of strategic risk, you must first thoroughly understand the organisation’s strategy and objectives. In this way, you can then prioritise potential risks.
- Gather data on strategic risk: By interviewing executives and stakeholders, you can gather data on how people in the organisation view strategic risk. Data gathering may be conducted with both internal and external personnel who would be affected by the risk. The use of automation tools and risk management software is highly effective in collecting data and helping to assess the risks that could affect your organisation. It also gives the business more clarity, maps out processes, and sets real-time alerts, reducing bottlenecks and data errors, removing dependency on critical individuals and increasing compliance.
- Prepare strategic risk profile: With the information from steps 1 and 2, you can create a strategic risk profile for the organisation. It can be displayed in a list or even a heat map to outline what the top strategic risks are and how severely they rank in terms of potential detrimental impacts.
- Validate the profile: Before creating a strategic risk management action plan, be sure that key executives and directors agree on the risk profile.
- Develop an action plan: Developing an action plan is the primary goal of this whole process. In this step, you will outline how the organisation plans to face, mitigate, ignore or overcome strategic risks. It also involves defining methods by which strategic risks will be managed.
- Communicate and implement the plan: Once you have the strategic risk management plan, then you must share the message across the organisation. Defining your organisation’s risk culture is what allows employees and team members to act in accordance.
Integrating Strategic Risk Management
Since strategic risk is tied to an organisation’s strategies, strategic risk management must become incorporated with the organisation’s core processes.
To embed strategic risk management into the organisation’s inner workings, you can follow these six steps to integrate risk management with strategic planning:
1. Develop the strategy: Define your mission and vision, as well as the ways by which you will assess risks.
2. Communication: Be sure to communicate with stakeholders and the internal team as to why strategic risk management is aligned with everyone’s interests. You can agree to regular updates and discussions about progress or gaps in the process.
3. Align the organisation: Review existing processes and procedures to ensure that risk management is incorporated and addressed. If anything is out-of-date or lacking information, provide updates.
4. Plan operations: Train everyone to understand how they can implement best practices to avoid or monitor strategic risks.
5. Monitor: Be sure to keep an eye on how processes are running and how business goals are being affected. Analysing data and monitoring KPIs is crucial to ensure that you are “doing the right things” to achieve business goals. One of the easiest ways to monitor KPIs in real-time is to utilise an automation tool because you can continuously track KPIs via dashboards.
6. Test and adapt: After implementation, keep an eye on the system. Perform quality reviews and don’t be afraid to make changes if needed.

5 Tips for Success: Measuring and Managing Risk
Here are the top 5 tips for measuring and managing strategic risk in any business.
1. Define business goals: Many companies fail to integrate risk or acknowledge risk when defining their business goals. In this stage, it is crucial to outline the types of risks that can threaten your organisation. You can accomplish this in a simple exercise like using SWOT analysis.
2. Establish KPIs: Key performance indicators (KPIs) are a way to measure your success and downfalls. Decide what you want to measure and monitor, like sales per customer, for example. You can leverage automation solutions to provide you with dashboards of live updates of these numbers so you can assess if your processes are working in your favour.
3. Identify Risks: Risks are unknown situations that can affect variability in your KPIs and performance. Create a list of such risks so that when your business is concerned, you can quickly understand what’s happening to resolve the situation.
4. Define risk tolerance levels: KRIs, or key risk indicators, anticipate risks in advance. If you set your risk tolerance levels, then you can count on an automated tool to alert you in advance or manage the situation automatically once the threshold is met.
5. Provide reporting and monitoring: To stay abreast of how your organisation is doing, you want to continue to monitor risks and manage situations as they arise.
How Automation Helps
You can leverage automation tools to help assess and monitor strategic risks. Once you’ve devised your strategic risk management policy, you can enter thresholds and criteria into your automation tool. This way, you can rely on the tool to provide you with updates if something is going wrong. By using quantitative analysis, you can be sure to track your business’ performance and see that it is headed in the right direction to accomplish business goals.
You can also use analysis to test business decisions and their potential effects before implementing them. Data analytics can provide you with the necessary information to make the right decisions, or in other words, do the right things for your business. Automation tools give a variety of benefits, including:
- Removal of low-level manual tasks
- Frees time for your team to focus on their high-value tasks
- Reduces human errors to improve the accuracy of information and reporting
- Improves compliance by providing audit trails and reports
- Provides real-time reporting for real-time insights and analysis
- Maps out processes to improve standardisation and consistency
- Offers trend analysis and data analytics for better decision-making and more precise insights
- Can be set up to provide real-time alerts and notifications
Types of Risk
We’ve already briefly touched on the differences between organisational and strategic risks. There are different types of risks that a business faces. Here’s a look at some types of risk so you can better understand how to approach them.
Category 1: Preventable risks
Preventable risks occur internally. They are breakdowns in processes that can otherwise be controlled. For the most part, avoidable risks are operational risks. One way to minimise operational risks is to set up business processes and use automation tools to run them. In this way alone, you can minimise various risks, from human error to bottlenecks.
Category 2: Strategy risks
To receive returns from business practices, organisations assume strategic risks. Strategic risks are not always undesirable; they are inherent as a part of running a business. Strategy risks cannot be controlled through a rules-based method, as operational risks can. Instead, you need to devise a risk management system to reduce risks or manage them when they happen.
Category 3: External risks
Factors beyond a business’ control cause external risks. This includes natural and political disasters. External threats cannot be avoided, but they can be mitigated by creating action plans for if and when they occur.
A CFO’s Approach to Strategic Risk Management
A CFO plays an integral role in approaching strategic risk management. Strategic risks affect business plans, so it’s up to a CFO to help identify, assess and mitigate such risks. If you’re a CFO, you can get involved by:
- Stress testing: How will risks affect the business plan? Once you have this answer, you can incorporate stress testing as a part of the financial planning phase.
- Risk analytics: Before moving forward on any plan or investment, a CFO should conduct due diligence and use data automation software to carry out risk analytics to assess potential financial outcomes of any decision. With risk analytics, you can use historical data to help predict the future through predictive analytics.
- Risk preferences: To usher in rewards, risk is necessary. However, it’s up to executive leadership to decide how much risk is worth taking on to move forward.

The Bottom Line
With strategic risks, businesses face both their most significant upsides and downfalls. To position your organisation to manage strategic risks adequately, it’s necessary to implement strategic risk management. An automation tool can help you better manage risks of every kind, including strategic risks.

10 Types of Risk Management Strategies to Follow in 2021

Having a strong approach to risk management is more important now than ever in today’s dynamic risk environment. Following these ten types of risk management strategies can better prepare your business for a volatile risk landscape.
McKinsey found that when banks shut branches and corporate offices, it altered how customers interact with them, forcing changes to long-held risk management practices in order to monitor existing risks and guard against new ones.
Regardless of industry, how quickly and effectively risks can be identified and managed will determine how well companies and institutions will recover and rebuild — and this requires rethinking risk management strategies. As organizations increase their focus on identifying, mitigating, and monitoring risks in response to an ever more volatile risk environment, you may have questions about who is responsible for developing a risk management strategy and what the different risk management strategies are. Here’s everything that you need to know to better address today’s top risk areas.
What Is a Risk Management Strategy?
A risk management strategy is a structured approach to addressing risks, and can be used in companies of all sizes and across any industry. Risk management is best understood not as a series of steps, but as a cyclical process in which new and ongoing risks are continually identified, assessed, managed, and monitored. This provides a way to update and review assessments as new developments occur and then to take steps to protect the organization, people, and assets.
Identifying Risks
Risk identification can result from passively stumbling across vulnerabilities or through implemented tools and control processes that raise red flags when there are potential identified risks. Being more proactive rather than reactive is always the best approach to reducing risk points.
Assessing Risks
Once potential risks have been identified, each risk should be assessed to determine the likelihood of it becoming a concern, its level of severity, and the probable impact — this helps audit teams prioritize each risk. Whether your audit team is conducting a risk assessment for Sarbanes-Oxley (SOX) or focusing on other types of risks, your assessments should be systematic, documented, and, depending on your business, reviewed at least annually. How often risk assessments are completed will differ, depending on the size and complexity of each business.
Responding to Risks
After assessing risks, the next part of the process involves developing and implementing treatments and controls, enabling the organization to address risks appropriately and effectively deal with each risk in a timely manner.
Monitoring Risks
Risk monitoring is the ongoing process of managing risk by tracking risk management execution, and continuing to identify and manage new risks. Monitoring risks enables prompt action if the likelihood, severity, or potential impact of a risk exceeds acceptable levels.

Why Is Having a Risk Management Strategy Important?
Project and operational risks are not uncommon to most businesses, but having risk management processes and strategies is essential in identifying your company’s strengths, weaknesses, opportunities, and threats (SWOT) — also known as conducting a SWOT analysis. There are many other benefits to effectively managing risks.
1. Operational Effectiveness and Business Continuity
No matter how well prepared your business is, operational risks can surface at any time — and from sources that you may not have been aware of in the past. Risks can take the form of a new cybersecurity threat, a supplier or service provider that’s no longer able to service your company, or an equipment failure. With all the moving parts both in a company and outside of it that have an impact, having an established risk management process and a strategy in place allows you to ensure internal controls to prevent fraud are in place — or to deal with other types of risk as they arise.
2. Protection of Your Company’s Assets
Whether it’s physical equipment, supplies, or information, protecting your company’s assets is imperative. A recent report by IBM shows that over 8.5 billion records were compromised in data breaches between April 2019 and 2020 — with the average cost of a mega-sized data breach being $3.86 million US. In the one-year period ending April 2020, 80 percent of thefts were customer-related personally identifiable information (PII). This makes establishing a solid and actionable risk management strategy imperative from a business insurance perspective.
3. Customer Satisfaction and Loyalty
Your company’s logo, brand, digital presence, and reputation are also assets — and your customers take comfort in seeing and interacting with them daily. When your business has a well-thought-out and developed risk management plan and acts on it, your customers can maintain a sense of security and confidence about your reputation and brand. Your risk strategies and processes help you protect your brand and reputation by safeguarding these assets. It also ensures that customers can maintain faith in your ability to be there and deliver the products and services to which you’ve committed. The result is a higher degree of customer satisfaction and loyalty.
4. Realizing Benefits and Achieving Goals
A significant part of finishing projects on time and achieving the intended goals relies on how effectively risks are managed. Risk management identification, assessment, and management practices expose vulnerabilities faster — and allow your company to remove projects and activities that simply don’t produce a return on investment. This increases the chance of achieving your expected project portfolio and wider business performance and reaping the anticipated benefits.
5. Increased Profitability
The bottom line for most businesses is remaining profitable. Often when something like a breach occurs, there is a substantial financial impact — and it usually involves tedious hours working with legal and insurance teams to conduct lengthy investigations. Managing market, credit, operational, reputational, and other risks is vital to keeping your company’s bottom line healthy.
What Are 4 Examples of Common Risk Responses?
Managing risks can involve applying different risk responses to deal with varying types of risk. Not every risk will warrant the same response. You’ve likely heard the adage, “Avoidance is not a strategy.” Well, believe it or not, when it comes to risk management strategies, avoidance is a common risk response — along with reducing, accepting, and transferring. Here’s what you need to know about each risk response and when they might work best.
1. Avoiding Risk
Avoidance is an option that works to remove the chance of a risk becoming a reality or posing a threat altogether. If a product isn’t working well but doesn’t present any potential risk to the health or safety of employees or the company then avoiding the risk may be the best option. One example may be avoiding the use of a piece of faulty equipment — but only if it isn’t needed and it doesn’t impact performance, productivity, or safety. Avoidance shouldn’t necessarily be used with frequency or for longer-term threats. Eventually, this response should be re-evaluated to find other sustainable risk responses that address underlying issues.
2. Accepting Risks
Sometimes avoidance isn’t an appropriate response, and acceptance may be the better practice. When a risk is unlikely to occur or if the impact is minimal, then accepting the risk might be the best response. Timing also plays a role — it could be that a risk doesn’t pose any imminent concern, or it won’t impact your company’s strategic outlook. One example might be a change to vendor pricing or delivery down the road. It’s important to keep re-evaluating these types of risks periodically: their impact on your company and its projects could change.
3. Mitigating Risks
Mitigating risks is the most commonly discussed risk response — however, it isn’t always practical or possible. It may be the best option if a risk poses a real threat or problem, and avoidance or acceptance won’t suffice. If a risk creates a negative impact and one that could be costly to your company, employees, vendors, or customers, then that risk should be mitigated. This means identifying the risk, assessing all possible solutions, devising a plan, taking action, and monitoring the results.
4. Transferring Risks
There will be times when challenges or issues arise and you or your team may not be able to avoid, accept, or mitigate them. One example may be a lack of expertise or training required to address the risks. In this case, it may be a good idea to outsource or transfer the risk to another party — sometimes in-house, while other times it might warrant help from an external third or fourth party.
Who is Responsible for Developing a Risk Management Strategy?
Determining who will be the best person or function to identify, assess, and develop a risk management strategy won’t necessarily be the same each time — it will depend on the scope, nature, company structure, complexity, resource availability, and team capabilities. So who is responsible for developing a risk management strategy? It might be the responsibility of a risk management committee member, an audit team member, a project manager, a risk specialist, or someone else – like an external consultant. When deciding which direction to go, other things to consider include:
- The drivers and benefits behind developing a risk management strategy.
- The end-to-end process, from initiation to completion.
- Other parties who can bring additional insight and value.
- How and where to document the risk management strategy.
- Risk management software and tools that can simplify and streamline work.
- Conducting a formal review of the findings.
- Timing for presenting the findings.
What are the 10 Types of Risk Management Strategies to Follow?
It’s important to know that there are many different risk management strategies, each with its own benefits and uses. Here are ten types to follow.
Type 1: Business Experiments
This risk management strategy is useful in running ‘what-if’ scenarios to gauge different outcomes to potential threats. From IT to marketing teams, many functional groups are well versed in conducting business experiments. Financial teams also run experiments to gauge return on investments or assess other financial metrics.
Type 2: Theory Validation
Theory validation strategies are conducted using questionnaires and surveys of groups to gain feedback based on experience. If a new product or service has been developed or there are enhancements, it makes sense to get direct, timely, and relevant feedback from end users to assist with managing potential challenges and design flaws, and thus better manage risks.
Type 3: Minimum Viable Product Development
Developing complex systems that offer nice-to-have features isn’t always the best route. A good risk management strategy considers building software using core modules and features that will be relevant and useful for the bulk of their customers — this is called a Minimum Viable Product (MVP). It helps to keep projects within scope, minimizes the financial burden, and helps companies get to market faster.
Type 4: Isolating Identified Risks
Information technology teams are used to engaging with internal or external help to isolate security gaps or flawed processes that might leave room for vulnerabilities. In doing so, they become proactive in identifying security risks ahead of an event rather than waiting for a malicious and costly breach to occur.
Type 5: Building in Buffers
Whether it’s a technology or audit project, project managers recognize the need to build in a buffer. Buffers reduce risks by ensuring initiatives stay within the intended scope. Depending on the project, buffers may be financial, resource or time-based. The goal here is making sure that there are no surprises posing unforeseen risks.
Type 6: Data Analysis
Data gathering and analysis are key elements in assessing and managing various risks. For instance, qualitative risk analysis can help identify potential project risks. Conducting a thorough qualitative risk analysis helps to isolate and prioritize risks, and to develop strategies to address, monitor, and re-evaluate them.
Type 7: Risk-Reward Analysis
Conducting an analysis of risks versus rewards is a risk strategy that helps companies and project teams unearth the benefits and drawbacks of an initiative before investing resources, time, or money. It’s not only about the risks and rewards of investing funds to take on opportunities — it’s also about providing insight into the cost of lost opportunities.
Type 8: Lessons Learned
With every initiative or project that your company does or doesn’t complete, there will inevitably be lessons that can be learned. These lessons are a valuable tool that can significantly reduce risks in future projects or undertakings — but lessons are only useful if teams take the time to document them, discuss them, and develop an action plan for improvement based on what’s been learned.
Type 9: Contingency Planning
Things seldom go as planned, and while having a plan is great, it’s seldom enough. Companies need to plan to have multiple plans or options based on various scenarios. Contingency planning is all about anticipating that things will go wrong and planning alternate solutions for the type of risks that may surface and foil your original plan.
Type 10: Leveraging Best Practices
There’s a reason best practices are mentioned under risk management strategies. Best practices are usually tried and tested ways of doing things — and while they may differ from industry to industry and project to project, best practices ensure companies don’t have to recreate the wheel. Ultimately this reduces risks.
Effectively managing risk has always been critical for success in any company and industry — but never more so than today. Being able to identify and properly assess risks reduces missteps and saves money, time, and valuable resources. It also brings clarity to decision-makers and their teams and helps leaders recognize opportunities and the actions they need to take. An important part of your risk strategy should also involve managing your company’s risks by using integrated risk management software that facilitates collaboration and visibility into risk to increase the effectiveness of your risk management programs.
Strategic Risk Management: A Primer for Directors

Matteo Tonello is managing director of corporate leadership at the Conference Board. This post is based on an issue of the Conference Board’s Director Notes series by Mark L. Frigo and Richard J. Anderson, director and professor of strategic risk management, respectively, at DePaul University. This Director Note was based on a book authored by Dr. Frigo and Mr. Anderson, available here.
As noted by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), “In the aftermath of the financial crisis, executives and their boards realize that ad hoc risk management is no longer tolerable and that current processes may be inadequate in today’s rapidly evolving business world.” [1] However, especially for nonfinancial companies that may be relatively new to these topics, enhancing risk management can be a somewhat daunting task.
This article focuses on two key aspects of the relationship between risk and strategy: (1) understanding the organization’s strategic risks and the related risk management processes, and (2) understanding how risk is considered and embedded in the organization’s strategy setting and performance measurement processes. These two areas not only deserve the attention of boards, but also fit closely with one of the primary responsibilities of the board — risk oversight.
The Advent of Strategic Risk Management
Enterprise risk management (“ERM”) and risk management in general can encompass a wide range of risks that face any organization. Some risks may reflect exposures that, although harmful, will not threaten the overall health of an organization or its ability to ultimately meet its business objectives. For example, a temporary data center outage can result in a short-term problem or customer dissatisfaction, but once recovered, the organization can quickly be back on track. Other more significant risk events can be catastrophic, resulting in losses that can not only impair an organization’s ability to meet its objectives, but may also threaten the organization’s survival. The recent credit crisis is an example of this type of risk. These more significant risk exposures have given rise to a focus on “strategic risks” and “strategic risk management.” “Strategic risks” are those risks that are most consequential to the organization’s ability to execute its strategies and achieve its business objectives. These are the risk exposures that can ultimately affect shareholder value or the viability of the organization. “Strategic risk management” then can be defined as “the process of identifying, assessing and managing the risk in the organization’s business strategy—including taking swift action when risk is actually realized.” Strategic risk management is focused on those most consequential and significant risks to shareholder value, an area that merits the time and attention of executive management and the board of directors.
Standard & Poor’s included the following attributes for strategic risk management in its 2008 announcement that it would apply enterprise risk analysis to corporate ratings:
- Management’s view of the most consequential risks the firm faces, their likelihood, and potential effect;
- The frequency and nature of updating the identification of these top risks;
- The influence of risk sensitivity on liability management and financial decisions, and
- The role of risk management in strategic decision making. [2]
Clearly the potential impact of strategic risks is significant enough to deserve the attention of the board and its directors.
Strategic Risk Management and the Role of the Board
At the board level, strategic risk management is a necessary core competency. [3] In Ram Charan’s book, Owning Up: The 14 Questions Every Board Member Needs to Ask, one of the questions posed is “Are we addressing the risks that could send our company over the cliff?” [4] According to Charan, boards need to focus on the risk that is inherent in the strategy and strategy execution:
Risk is an integral part of every company’s strategy; when boards review strategy, they have to be forceful in asking the CEO what risks are inherent in the strategy. They need to explore ‘what ifs’ with management in order to stress-test against external conditions such as recession or currency exchange movements. [5]
Regarding risk culture, Charan provides the following insight: “Boards must also watch for a toxic culture that enables ethical lapses throughout the organization. Companies set rules—but the culture determines how employees follow them.” [6] We believe that corporate culture plays a significant role in how well strategic risk is managed and must be considered as part of a strategic risk assessment.
Understanding an Organization’s Strategic Risks and Related Risk Management Processes
A necessary first step for boards to understand their strategic risks and how management is managing and monitoring those risks is a strategic risk assessment. A strategic risk assessment is a systematic and continual process for assessing the most significant risks facing an enterprise. [7] It is anchored and driven directly by the organization’s core strategies. As noted in a 2011 COSO report, “Linkage of top risks to core strategies helps pinpoint the most relevant information that might serve as an effective leading indicator of an emerging risk.” [8]
Conducting an initial assessment can be a valuable activity and should involve both senior management and the board of directors. Management should take the lead in conducting the assessment, but the assessment process should include input from the board members and, as it is completed, a thorough review and discussion between management and the board. These dialogues and discussions may be the most beneficial activities of the assessment and afford an opportunity for management and the directors to come to a consensus view of the risks facing the company, as well as any related risk management activities.
The strategic risk assessment process is designed to be tailored to an organization’s specific needs and culture. To be most useful, a risk management process and the resultant reporting must reflect and support an enterprise’s culture so the process can be embedded and owned by management. Ultimately, if the strategic risk assessment process is not embedded and owned by management as an integral part of the business processes, the risk management process will rapidly lose its impact and will not add to or deliver on its expected role.
The Strategic Risk Assessment Process
There are seven basic steps for conducting a strategic risk assessment:
1. Achieve a deep understanding of the strategy of the organization: The initial step in the assessment process is to gain a deep understanding of the key business strategies and objectives of the organization. Some organizations have well-developed strategic plans and objectives, while others may be much more informal in their articulation and documentation of strategy. In either case, the assessment must develop an overview of the organization’s key strategies and business objectives. This step is critical, because without these key data to focus around, an assessment could result in a long laundry list of potential risks with no way to really prioritize them. This step also establishes a foundation for integrating risk management with the business strategy. In conducting this step, a strategy framework could be useful to provide structure to the activity.
2. Gather views and data on strategic risks: The next step is to gather information and views on the organization’s strategic risks. This can be accomplished through interviews of key executives and directors, surveys, and the analysis of information (e.g., financial reports and investor presentations). This data gathering should also include both internal and external auditors and other personnel who would have views on risks, such as compliance or safety personnel. Information gathered in Step 1 may be helpful to frame discussions or surveys and relate them back to core strategies. This is also an opportunity to ask what these key individuals view as potential emerging risks that should also be considered.
3. Prepare a preliminary strategic risk profile: Combine and analyze the data gathered in the first two steps to develop an initial profile of the organization’s strategic risks. The level of detail and type of presentation should be tailored to the culture of the organization. For some organizations, simple lists are adequate, while others may want more detail as part of the profile. At a minimum, the profile should clearly communicate a concise list of the top risks and their potential severity or ranking. Color-coded reports or “heat-maps” may be useful to ensure clarity of communication of this critical information.
4. Validate and finalize the strategic risk profile: The initial strategic risk profile must be validated, refined, and finalized. Depending on how the data gathering was accomplished, this step could involve validation with all or a portion of the key executives and directors. It is critical, however, to gain sufficient validation to prevent major disagreements on the final risk profile.
5. Develop a strategic risk management action plan: This step should be undertaken in tandem with Step 4. While significant effort can go into an initial risk assessment and strategic risk profile, the real product of this effort should be an action plan to enhance risk monitoring or management actions related to the strategic risks identified. The ultimate value of this process is helping and enhancing the organization’s ability to manage and monitor its top risks.
6. Communicate the strategic risk profile and strategic risk management action plan: Building or enhancing the organization’s risk culture is a communications effort with two primary focuses. The first focus is the communication of the organization’s top risks and the strategic risk management action plan to help build an understanding of the risks and how they are being managed. This helps focus personnel on what those key risks are and potentially how significant they might be. A second focus is the communication of management’s expectations regarding risk to help reinforce the message that the understanding and management of risk is a core competency and expected role of people across the organization. The risk culture is an integral part of the overall corporate culture. The assessment of the corporate culture and risk culture is an initial step in building and nurturing a high performance, high integrity corporate culture.
7. Implement the strategic risk management action plan: As noted above, the real value resulting from the risk assessment process comes from the implementation of an action plan for managing and monitoring risk.
These steps define a basic, high-level process and allow for a significant amount of tailoring and customization to reflect the maturity and capabilities of the organization. As shown by Figure 1, strategic risk assessment is an ongoing process, not just a one-time event. Reflecting the dynamic nature of risk, these seven steps constitute a circular or closed-loop process that should be ongoing and continual within the organization.
Integrating Strategic Risk Management in Strategy Setting and Performance Measurement Processes
The second step for an organization is to integrate strategic risk management into its existing strategy setting and performance measurement processes. As discussed above, there is a clear link between the organization’s strategies and its related strategic risks. Just as strategic risk management is an ongoing process, so is the need to establish an ongoing linkage with the organization’s core processes to set and measure its strategies and performance. This would include integrating risk management into strategic planning and performance measurement systems. Again, the maturity and culture of the organization should dictate how this is performed. For some organizations, this may be accomplished through relatively simple processes, such as adding a page or section to their annual business planning process for the business to discuss the risks it sees in achieving its business plan and how it will monitor those risks. For organizations with more developed performance measurement processes, the Kaplan-Norton Strategy Execution Model described in The Execution Premium may be useful. [9] This model describes six stages for strategy execution and provides a useful framework for visualizing where strategic risk management can be embedded into these processes.
Stage 1: Develop the strategy. This stage includes developing the mission, values, and vision; strategic analysis; and strategy formulation. At this stage, a strategic risk assessment could be included using the Return Driven Strategy framework to articulate and clarify the strategy and the Strategic Risk Management framework to identify the organization’s strategic risks.
Stage 2: Translate the strategy. This stage includes developing strategy maps, strategic themes, objectives, measures, targets, initiatives, and the strategic plan in the form of strategy maps, balanced scorecards, and strategic expenditures. Here, the strategic risk management framework would be used to develop risk-based objectives and performance measures for balanced scorecards and strategy maps, and for analyzing risks related to strategic expenditures. [10] At this stage, boards may also want to consider developing a risk scorecard that includes key metrics.
Stage 3: Align the organization. This stage includes aligning business units, support units, employees, and boards of directors. The Strategic Risk Management Alignment Guide and Strategic Framework for GRC (Governance, Risk and Compliance) would be useful for aligning risk and control units toward more effective and efficient risk management and governance, and for linking this alignment with the strategy of the organization. [11]
Stage 4: Plan operations. This stage includes developing the operating plan, key process improvements, sales planning, resource capacity planning, and budgeting. In this stage, the strategic risk management action plan can be reflected in the operating plan and dashboards, including risk dashboards. One organization we worked with developed a “resources follow risk” philosophy to make certain that resources were appropriately and efficiently allocated. This philosophy focused on ensuring that resources used in risk management are justified economically based on the relative amount of risk and cost-benefit analysis.
Stage 5: Monitor and learn. This stage includes strategy and operational reviews. “Strategic risk reviews” would be part of the ongoing strategic risk assessment, which reinforces the necessary continual, closed-loop approach for effective strategy risk assessment and strategy execution.
Stage 6: Test and adapt. This stage includes profitability analysis and emerging strategies. Emerging risks can be considered part of the ongoing strategic risk assessment in this stage. The strategic risk assessment can complement and leverage the strategy execution processes in an organization toward improving risk management and governance.
For more information about integrating risk management in the strategy execution model and a discussion of risk scorecards, see “Risk Management and Strategy Execution Systems.” [12]
Final Thoughts: Moving Forward with Strategic Risk Management
Management teams and boards must challenge themselves and their organizations to move up the strategic risk management learning curve. Developing strategic risk management processes and capabilities can provide a strong foundation for improving risk management and governance. Boards may want to consider engaging independent advisors to advise and educate themselves on these matters. For organizations that are early in this process, the seven keys to success for improving ERM as described in a 2011 COSO Thought Leadership Paper may be useful, and are applicable in strategic risk management:
- 1. Support from the top is a necessity
- 2. Build ERM using incremental steps
- 3. Focus initially on a small number of top risks
- 4. Leverage existing resources
- 5. Build on existing risk management activities
- 6. Embed ERM into the business fabric of the organization
- 7. Provide ongoing ERM updates and continuing education for directors and senior management [13]
However the board decides to proceed, their leadership, direction, and overall oversight will be critical to the success of a strategic risk management process.
[1] “Effective Enterprise Risk Oversight: The Role of the Board of Directors,” COSO, 2009, p. 1.
[2] “Enterprise Risk Management, Standard & Poor’s to Apply Enterprise Risk Analysis to Corporate Ratings,” Standard & Poor’s press release, May 7, 2008 (www.standardandpoors.com).
[3] Mark L. Frigo, “Strategic Risk Management: The New Core Competency,” Balanced Scorecard Report, 11, no. 1, January–February 2009.
[4] Ram Charan, Owning Up: The 14 Questions Every Board Member Needs to Ask (San Francisco: John Wiley & Sons, 2009).
[5] Charan, Owning Up: The 14 Questions Every Board Member Needs to Ask, p. 23.
[6] Charan, Owning Up: The 14 Questions Every Board Member Needs to Ask, p. 28.
[7] Mark L. Frigo and Richard J. Anderson, “Strategic Risk Assessment: A First Step for Improving Risk Management and Governance,” Strategic Finance, December 2009.
[8] Mark S. Beasley, Bruce C. Branson and Bonnie V. Hancock, “Developing Key Risk Indicators to Strengthen Enterprise Risk Management,” COSO, 2011, p. 2.
[9] Robert S. Kaplan and David P. Norton, The Execution Premium (Cambridge, MA: Harvard Business Press, 2008).
[10] Mark L. Frigo and Richard J. Anderson, “Strategic Risk Management: A Primer for Directors and Management Teams,” 2012.
[11] Mark L. Frigo and Richard J. Anderson, “A Strategic Framework for Governance, Risk and Compliance,” Strategic Finance, February 2010.
[12] Robert S. Kaplan, “Risk Management and Strategy Execution Systems,” Balanced Scorecard Report, Vol. 11, No. 6, November–December 2009.
[13] Mark L. Frigo and Richard J. Anderson, “Embracing Enterprise Risk Management: Practical Approaches for Getting Started,” COSO, 2011.
ERM and SRM should consider integrating with the Competitive Intelligence process. This will guarantee proficiency in Collection and Strategy development and Integration.
Integration of CI into this process will increase to identify risks in advance. I have written about it three years ago.
RISK-ACADEMY Blog
Controversial thoughts about modern day risk management in non-financial companies, training and consulting services.

4 steps to integrate risk management into strategic planning
Let me start by saying that integrating risk management into strategic planning is NOT doing a strategic risk assessment or even having a risk conversation at the strategy setting meeting. It is so much more. You will also find it difficult to relate if the objectives have not been defined or documented in your company or if the objectives are not measurable.
Kevin W Knight, during his first visit to Russia a few years ago, said ‘risk management is a journey… not a destination’. Risk practitioners are free to start their integration journey at any process or point in time; however, I believe that evaluating strategic [email protected] can be considered a good starting point. I think this is a good starting point because it is relatively simple to implement, yet has an immediate and significant impact on senior management decision making.
STEP 1 – STRATEGIC OBJECTIVES DECOMPOSITION
Any kind of risk analysis should start by taking a high-level objective and breaking it down into more tactical, operational key performance indicators (KPIs) and targets. When breaking down any objectives it is important to follow the McKinsey MECE principle (ME – Mutually Exclusive, CE – Collectively Exhaustive) to avoid unnecessary duplication and overlapping. Most of the time strategic objectives are already broken down into more tactical KPIs and targets by the strategy department or HR, so this saves the risk manager a lot of time.
This is a critical step to make sure risk managers understand the business logic behind each objective and helps make risk analysis more focused.
Important note, while it should be management’s responsibility to identify and assess risks, the business reality in your company may be that sometimes the risk manager should take the responsibility for performing risk assessment on strategic objectives and take the lead.
– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
EXAMPLE: RISK MANAGEMENT IMPLEMENTATION

STEP 2 – IDENTIFYING FACTORS, ASSOCIATED WITH UNCERTAINTY
Once the strategic objectives have been broken down into more tactical, manageable pieces, risk managers need to use the strategy document, financial model, business plan or the budgeting model to determine key assumptions made by the management.
Most assumptions are associated with some form of uncertainty and hence require risk analysis. Risk analysis helps to put unrealistic management assumptions under the spotlight. Common criteria for selecting management assumptions for further risk analysis include:
- The assumption is associated with high uncertainty.
- The assumption impact is properly reflected in the financial model (for example, it makes no sense to assess foreign exchange risk if in the financial model all foreign currency costs are fixed in local currency and a change in currency insignificantly affects the calculation).
- The organisation has reliable statistics or experts to determine the possible range of values and the possible distribution of values.
- There are reliable external sources of information to determine the possible range of values and the possible distribution of values.
For example, a large investment company may have the following risky assumptions: the expected rate of return for different types of investment, an asset sale timeframe, timing and the cost of external financing, rate of expected co-investment, exchange rates and so on.
Concurrently, risk managers should perform a classic risk assessment to determine whether all significant risks were captured in the management assumptions analysis. The risk assessment should include a review of existing management and financial reports, industry research, auditors’ reports, insurance and third party inspections, as well as interviews with key employees.
By the end of this step risk managers should have a list of management assumptions. For every management assumption identified, risk managers should work with the process owners, internal auditors and utilise internal and external information sources to determine the ranges of possible values and their likely distribution shape.
EXAMPLE: RISK MANAGEMENT IMPLEMENTATION (CONTINUED)

STEP 3 – PERFORMING RISK ANALYSIS
The next step includes performing a scenario analysis or a Monte Carlo simulation to assess the effect of uncertainty on the company’s strategic objectives. Risk modeling may be performed in a dedicated risk model or within the existing financial or budget model. There is a variety of software options that can be used for risk modeling. All examples in this guide were performed using the Palisade @Risk software package, which extends the basic functionality of MS Excel or MS Project to perform powerful, visual, yet simple risk modeling.
When modeling risks it is critical to consider the correlations between different assumptions. One of the useful tools for an in-depth risk analysis and identification of interdependencies is a bow-tie diagram. Bow-tie diagrams can be done manually or using the Palisade Big Picture software. Such analysis helps to determine the causes and consequences of each risk, improves how they are modeled, and identifies the correlations between different management assumptions and events.
The outcome of risk analysis helps to determine the risk-adjusted probability of achieving strategic objectives and the key risks that may negatively or positively affect the achievement of these strategic objectives. The result is [email protected]

STEP 4 – TURNING RISK ANALYSIS INTO ACTIONS
Risk managers should discuss the outcomes of risk analysis with the executive team to see whether the results are reasonable, realistic and actionable. If the results of risk analysis are indeed significant, then management, with help from the risk manager, may need to:
- Revise the assumptions used in the strategy.
- Consider sharing some of the risk with third parties by using hedging, outsourcing or insurance mechanisms.
- Consider reducing risk by adopting alternative approaches for achieving the same objective or implementing appropriate risk control measures.
- Accept risk and develop a business continuity / disaster recovery plan to minimise the impact of risks should they eventuate.
- Or, perhaps, change the strategy altogether (the most likely option in our case)
Based on the risk analysis outcomes it may be required for the management to review or update the entire strategy or just elements of it. This is one of the reasons why it is highly recommended to perform risk analysis before the strategy is finalised.
At a later stage, the risk manager should work with the internal audit to determine whether the risks identified during the risk analysis are in fact controlled and the agreed risk mitigations are implemented.
Published by Alex Sidorenko
16 thoughts on “4 steps to integrate risk management into strategic planning”
Hi Alex, Congratulations for the very nice presentation!
Strategic planning: managing assumptions, risks and impediments

While no one likes the idea of having one foot on the brake while doing strategic planning, there are very good reasons to take the time required to be cautious. We are speaking to the undeniable link between the business assumptions we make and the risks we introduce to the organization during strategic planning. In fact, the assumptions we base strategies upon can mushroom into grave risks and show-stopper impediments down the line – appearing out of nowhere when the business attempts to execute to a seemingly well-laid plan. Twelve to eighteen months into strategy implementation is too late to go back and ask, “What were we assuming…?” Given that time will always be of the essence, what kind of strategic assumption vetting and risk management is warranted? How much is enough?
Assumptions Introduce Risk
At a minimum, the planning process must involve an evaluation of the impacts that the strategy will have on the business to determine if it will actually help accomplish the outcomes intended. That is the absolute minimum requirement.
The strategic planning process is the one key point to get in front of idle supposition and truly manage assumptions, risks and impediments. When strategy is well developed, there will be an actual plan for implementation associated with the strategy. A holistic plan defines goals that support the strategy and addresses the operational tactics that will accomplish the goals. No business possesses a crystal ball to know exactly what will happen in the economy, in financial markets or with competitors’ next bold moves. That means that business assumptions are a necessary evil.
Given that we must rely upon certain assumptions to put strategic plans together and that risk will always be present (as will natural impediments to execution of strategy), the following sections will explore each of these factors at the planning level…beginning with a definition of terms and ending with approaches to better manage process.
What is an assumption in strategic planning?
The dictionary defines an assumption as follows: “something taken for granted; a supposition”.
Assumptions form the basis of strategies, and those underlying assumptions must all be fully vetted. Testing strategic assumptions requires allowing those involved with planning to back away from the “givens” and challenge them to ensure the team is not assuming the rosiest of scenarios on which to base strategy.
Considering that the synonyms for the word “assumption” include words like “hypothesis”, “conjecture”, “guess”, “postulate” and “theory”, the concept takes on a more weighty meaning in the strategic planning process. Yes, assumptions are beliefs we take for granted, but they can be no better than guesses in many cases.
Assumptions are not always justifiable. Defending an assumption may be difficult, as facts are not always available to support the belief. That does not mean that they are incorrect, but it does underscore the challenge assumptions present in planning. In fact, assumptions are particularly difficult to even identify because they are usually unconscious beliefs.
An assumption about assumptions:
One can safely assume that if an assumption is sound, the inferences and conclusions associated with the assumption will also be sound. Unfortunately, the reverse is also safe to assume.
What is a risk in strategic planning?
As a noun, risk means something that may cause injury or harm or the chance of loss or the perils to the subject matter. As a transitive verb, risk means to “expose to hazard or danger” or “to incur the risk or danger of”.
In strategic planning, the definitions applying to both the noun and the transitive verb usage are relevant. A risk might be an event or condition that might occur in the future. Likewise, we may risk financial losses if we bet on an assumption that is incorrect.
An unmitigated risk can become an impediment, so risks must be evaluated in terms of the likelihood they will occur and the impact they will have if they do occur. If the impact/likelihood of a risk is high “enough”, we should identify a mitigation path – as an unmitigated risk can become an impediment later on.
Risk can never be entirely removed from a strategic plan; therefore, business planning teams must approach risk management from a cost/benefit perspective. Business risk mitigation in planning can cost speed, but if risks are addressed early the organization can avoid future impediments.
What is an impediment in strategic planning?
An impediment is something that makes movement or progress difficult. It differs from being a risk in that risks are future-based and an impediment is something that is occurring now.
During the strategic planning process, impediments might be grouped into macro or micro categories. Macro impediments might include: poor culture, business process inefficiencies, lack of job descriptions, no performance metrics and many other general types of issues. Micro impediments might include: core competency gaps, having people in the wrong roles, lack of sufficient tools to support business functions and technology / infrastructure issues.
Knowing business impediments and factoring them into the planning process adds realism to the strategy being developed and the operational tactics needed to implement it.
How should risks, assumptions and impediments be identified?
Identification of Assumptions
Strategic planning is a team sport, so working in teams is a great way to approach the identification of assumptions. In small groups, conduct a “round robin” to identify the assumptions within each strategic theme of the plan. Review the assumptions compiled by each team and discuss. This same approach can be used to identify impediments and risks.
The following questions help to identify assumptions:
- Is there anything being taken for granted?
- Are there beliefs that we are ignoring that we shouldn’t?
- What beliefs are leading us to this conclusion?
- What is… (this project, strategy, explanation) assuming?
- Why are we assuming…?
Identification of Risks
Risks are about events that, when triggered, cause problems. Hence, risk identification can start with the source of problems, or with the problem itself. Remember, risk sources may be internal or external to the organization. Examples of risk sources are: external stakeholders, employees, finance, politics and even weather.
Risks are related to the identified threats from SWOT analysis, so that is another valuable reference during the identification process. For example: the threat of losing money, the threat of a major planned product launch being delayed or the threat of a labor strike disrupting critical manufacturing operations. The threats may exist with various entities, most importantly with shareholders, customers and legislative bodies such as the government.
When either source or problem is known, the events that a source may trigger or the events that can lead to a problem can be investigated. For example: banks withdrawing funding support for expansion, employees stealing confidential information, weather delaying construction projects, etc.
Additionally, other methods of risk identification may be applied, dependent upon culture, industry practice and compliance. For instance, objectives-based risk identification can focus on any potential threats to achieving strategic objectives. Any event that may endanger achieving an objective partly or completely can be identified as risk. In scenario-based risk identification, different scenarios are created. The scenarios may be the alternative ways to achieve an objective, or an analysis of the interaction of forces in, for example, a market or battle. Any event that triggers an undesired scenario alternative is identified as risk. As a final example, a taxonomy-based risk identification can be utilized, where the taxonomy is a breakdown of possible risk sources. Based on the taxonomy and knowledge of best practices, a questionnaire can be compiled and the answers to the questions used to reveal risks.
How should risks, assumptions and impediments be dealt with?
Dealing with identified assumptions essentially becomes a task of translating the assumption to a risk. Once all risks have been identified, they must then be assessed as to their potential severity of impact (generally a negative impact, such as damage or loss) and to the probability of occurrence.
The assessment of risk is critical to make the best educated decisions in order to mitigate known risks properly. Once risks have been identified and assessed, the strategies to manage them typically include transferring the risk to another party, avoiding the risk, reducing the negative effect or probability of the risk, or even accepting some or all of the potential or actual consequences of a particular risk.
Taking the time and caution to identify, assess and deal with the risks and other factors will always be a worthy investment, even when time is of the essence. The vetting of these factors will pay off in smooth implementation of the strategic plan down the line. Your plan can proceed, free of the potholes and other roadblocks that, without a little planning, might well have derailed the best-laid plans.

Since 2006, Joe Evans has been President & CEO of Method Frameworks, one of the world's leading strategy and operational planning management consultancies. The firm provides services for a diverse field of clients, ranging …