Strategic risk is the risk associated with failed business strategy. Strategic risk management, therefore, is the process of identifying, quantifying and mitigating any risk that is likely to cause an organisation’s strategy to fail. However, while strategic risks may affect overall business performance, they are sometimes necessary to identify opportunities which may potentially benefit the firm. A simple example is a bank loan; the bank offers credit but takes on the risk of the borrower defaulting as this is part of the strategy related to its business goals. Risk is an accepted part of doing business; strategic risk manifests when the business falls short of meeting market needs.
Some examples of strategic risk are changes in consumer preferences (which often lead to a change in demand for goods or services), changes in technology or regulations, in senior management or policy, or in stakeholder expectations. Strategic risk is considered one of the focal points under Enterprise Risk Management (ERM), and is considered one of the types of risks most likely to affect stakeholder value. As such, it requires the time and attention of the board and senior management, and begins with an assessment of the types of risk that can affect the organisation. Firstly, the organisation’s strategy and objectives need to be thoroughly understood so that potential risks may be prioritised.
Data needs to be collected and analysed. This can be done through reviews of documentation that already exist in the firm, and through interviews with key personnel who may be directly affected by the identified risks. It may be helpful to also gather the strategic risk perceptions of the organisation’s employees, as part of the efforts to ‘get everyone on the same page’ and working in the right direction. Understanding the perspective of as many people as possible may produce more clarity on the business, identify possible bottlenecks and reduce errors. Information gleaned from these due diligence processes can be used to develop the firm’s strategic risk profile.
Once the profile is validated by the board and management, the top strategic risks may be determined, and other risks may be ranked accordingly so that everyone knows where the organisation’s priorities lie. An action plan may then be developed which outlines how the firm will identify, manage and mitigate these risks. The organisation may even choose to ignore some risks because these may be too costly or time-consuming to track and manage. When the strategic management plan has been developed, it should be communicated throughout the organisation as part of establishing a risk culture which is appropriate for it.
Everyone in the organisation should be able to recognise that although strategic risk exists in the organisation, it is to their advantage to manage it properly so that the firm’s objectives are achieved. They should see the necessity of integrating managing risks strategically with the core processes of the organisation. The process of integrating risk management into the strategic planning process should include developing the appropriate strategy; communicating its importance to stakeholders; aligning existing processes and procedures to ensure that issues are addressed; training staff to apply best practices, be always alert, and constantly monitor and review actions in order to update and improve.
Undertaking these strategic risk management-related tasks provide a clear picture of the organisation, even if they are onerous and time-consuming. Detailed tasks like these are capable of identifying shortfalls, potholes and areas that need work, and may even bring to light hitherto unnoticed dangers which could spiral into real threats to the organisation. Having a list of risks to the business helps the board and management to quickly understand what is happening, and take remedial action to address the situation. This list may also function as a checklist of the organisation’s health, as constant monitoring helps everyone stay alert to internal and external developments.
Additionally, automation tools may be included in the strategic risk management policy and framework, for real-time assessment and monitoring. Tools like these provide updates and alerts, enabling better tracking of business performance, and maintaining proper direction as the business moves towards achieving its goals. Properly applied, automation also reduces human error and repetitive tasks, allowing for better deployment of human resources. It also leaves an audit trail for comprehensive documentation, and can improve standardisation and consistency which will support decision-making.
While strategic risks are part of running a business, they are not always undesirable. They may sometimes point to lucrative opportunities for the organisation to pursue. Part of identifying whether or not such opportunities are worthwhile, may be indicated by the careful documentation and analysis of the information collected in the course of understanding the objectives of the business and its major challenges, when setting strategy. It becomes apparent that strategic risk needs to be integrated into all aspects of the business because it may not be obvious from the outset where the challenges or opportunities lie.
The more information the organisation has, the better it will be positioned to implement processes and safeguards to facilitate progression towards its goals. Having definite strategic risk management approaches/steps in place also improves stakeholder confidence in the organisation. Because strategic risks also reflect the risk of decisions being made at a higher level, strategic risk management is indicative of a board and management that is very much in control, in a professional and positive manner. Strategic risks affect an organisation’s overall strategy at its core, and managing strategic risk is an ongoing process that requires agility, proactiveness and adaptability to change, for maximum efficacy.
