The Dark Art of Strategic Risk
Strategic Risk is the risk which is managed the most inconsistently across the risk management industry. There is no standard definition and no standard way of managing it.
How do you manage strategic risk? The same way as you manage your other business risks? Or not at all?
Let’s dive into how we can manage strategic risk and debunk the theory that it is a dark art.
Types of Risk
First, we will start with a controversial opening line - There are only three types of risks:
Strategic
Operational ( or Non-Financial)
Financial
If you’re asking where is Compliance Risk, or Financial Crime risk well they are forms of Operational risks. Often they are simply elevated to the same level as Operational Risks for better ownership and management - rightly so.
If I still haven’t convinced you then think about Cyber Risk. Often this sits on par with Operational Risk in an organisation due to the importance and specialist skills to manage it - rightly so. But everyone in the industry acknowledges Cyber Risk is actually an Operational Risk.
What is Strategic Risk?
Strategic risk is the effect of uncertainty on strategic objectives. How did we deduce this? Well, we just have to look at ISO31000’s definition - the effect of uncertainty on objectives. Now let’s combine this definition with the three risk types above:
The effect of uncertainty on strategic objectives.
The effect of uncertainty on operational objectives.
The effect of uncertainty on financial objectives.
This simple way of considering it helps us understand the difference between operational and strategic risks which are often confused.
Key Sources of Strategic Risk
Here are just some of the key sources arises when an organisation’s strategy is inadequate or improperly implemented. This type of risk can result from:
Market Changes: Rapid shifts in market dynamics can render strategies obsolete.
Competitor Actions: Unexpected moves by competitors can disrupt plans.
Technological Advances: New technologies can outpace existing strategies.
Legislative Changes: New laws or regulations can impact strategic plans.
Why Strategic Risk Matters
Managing strategic risk is crucial for long-term success. Without proper management, businesses can falter, losing their competitive edge and market share.
Actionable Steps to Manage Strategic Risk
1. Strategic objectives
Identify the strategic objectives and measure the effect of uncertainty on these. Make sure you measure risk velocity for strategic risks. Link your strategic risks to your strategic objectives.
2. Assign Ownership
Ownership drives accountability. Having “one throat to choke” enables Executive Management and Boards to go to the accountable person to seek answers quickly.
3. Don’t manage strategic risks like operational risks
The old equation inherent risk + controls = residual risk, does not apply in this case.
4. Think broader than controls
Understand the what, where, how and when.
What - Horizon scan and measurement of the uncertainty i.e. potential impact and likelihood (pro tip: go range not single figure)
Where - Identify where in the business the impact is felt i.e. which departments
How - What are your current actions, processes, teams, resources, responses for this risk. And what levers could you deploy if the strategic risk starts to present itself and realise i.e. new pricing strategy, strategic alliance marketing campaign.
When - Design pre-determined points in time or triggered by an event when you will deploy the above levers. What are your early warning systems here?
5. Monitor, review and report
Tie into your existing governance framework and ensure you monitor strategic risks not just on an annual basis but on an as needed basis. Crucially if you have strategic risks with a high risk velocity and poor early warning indicators you should be reviewing this more frequently than every 12 months.
Mistakes to avoid
1. Ignoring External Factors
Focusing too narrowly on internal capabilities without considering external influences can lead to strategic failures. Always factor in market and regulatory changes.
2. Overconfidence in Current Strategies
Assuming past success guarantees future performance can be risky. Continuously reassess and update your strategies.
3. Lack of Contingency Planning
Failing to plan for potential disruptions can leave a company unprepared. Always have backup plans to mitigate risks.
4. Not aligning to strategic objectives
If you do not align risks to objectives then what is the point of managing these risks. Risk management’s purpose is to support the decision and remove the uncertainty from them achieving their objectives.
Conclusion
I couldn’t get a more generic concluding statement but I will still use it.
Strategic risk is an inherent part of business. Understanding its sources and implementing robust risk management practices can safeguard your organisation’s future.
Closing Thoughts
My key takeaways are strategic risks are those which impact your strategic objectives. If it impacts your operational objectives it is an operational risk. Make sure you have strategic objectives set because you need to link your risk with these objectives. Be careful not to think of mitigants only as controls. You must be broader. With this you should be able to now attempt the not-so dark art of strategic risk.
Now, what would you do differently and what help do you need to get there?