How can risk managers operationalise strategic risk management?
When coming to grips with strategic risk, it’s helpful to consider why you need to manage it in the first place.
After all, you already have a strategy – but what if it doesn’t work? Risk and strategy have a symbiotic relationship. You can’t have one without the other; one drives the other. But in today’s business environment, conditions are so fluid that nothing stays the same between one moment and the next; managing strategic risk has to be just as agile and flexible. Managing it effectively can actually mean the difference between making the organisation more valuable, or causing it to crash and burn.
Strategic risk is somewhat of a conundrum because at its core, it is about the elements in an organisation which have the ability to affect its overall strategy, which includes not just risks such as operational risks but also risks in the strategies themselves. Strategic risk management encompasses identifying internal and external risks, their causes and effects, and what can be done to mitigate them. What this ultimately accomplishes is the protection of the organisation’s value, and if successfully executed, the creation of more. Companies are on the constant lookout for new, innovative ways to achieve this, driven by the need to stay ahead of the competition.
The business environment grows more complex by the day, and risks grow in parallel. Different approaches are needed but one commodity which will always be in demand is information – reliable, current data that will support decision-making. This is driving many firms to look outside the traditional structures, to derive different perspectives from a range of stakeholders that could help them improve the way they operate, and make them more competitive. Firms are becoming increasingly sensitive to public perception, and are now more aware of the importance of maintaining “good corporate citizen” reputations.
In the constant and rapidly-evolving commercial and corporate environment, even the smallest incident may leave a lasting, detrimental effect. The search for such dangers therefore needs to be ongoing; firms need to develop the ability to recognise these dangers and the capability to mitigate them. The first step is to develop an in-depth understanding of the organisation, and an assessment of its resources and capabilities. This will help identify where shortfalls lie, and what risks may arise from these that could develop into major challenges in the future. Firms should steel themselves for an honest assessment, and not be too preoccupied with making themselves look good.
They should also have a clear understanding of what their organisations’ strategic goals are. Doing due diligence in this area is time-consuming but necessary if strategic risk management is to be applied in a structured, orderly, efficient manner. Consider as many risks as possible; imagine as many worst-case scenarios as possible; and get feedback from as many stakeholders as possible. Then consider that, besides identifying the potholes to avoid, these efforts to put strategic risk management in place could also identify opportunities which could prove lucrative to the organisation. Every strategy carries risk but the flipside of risk is opportunity.
As the business progresses, its strategic risks will change, sometimes requiring a different management approach. Although strategies are bespoke, crafted exclusively for their respective organisations, firms should cast around for best practices, analyse solutions that have worked before and incorporate these into their plans. The focus should not be on strategies that failed but the experience that came out of it – the “Lesson Learned.” Strategic risk management is not a simple, straightforward matter. It requires the ability to deep-dive, discern and be detailed. It is not a one-off exercise that can be written up, then filed away. In an uncertain and disrupted world, operationalising it may be the best way of keeping the business moving forward.