The Dark Art of Strategic Risk

Strategic Risk is the risk which is managed the most inconsistently across the risk management industry. There is no standard definition and no standard way of managing it.

How do you manage strategic risk? The same way as you manage your other business risks? Or not at all?

Let’s dive into how we can manage strategic risk and debunk the theory that it is a dark art.

Types of Risk

First, we will start with a controversial opening line - There are only three types of risks:

Strategic

Operational ( or Non-Financial)

Financial

If you’re asking where is Compliance Risk, or Financial Crime risk well they are forms of Operational risks. Often they are simply elevated to the same level as Operational Risks for better ownership and management - rightly so.

If I still haven’t convinced you then think about Cyber Risk. Often this sits on par with Operational Risk in an organisation due to the importance and specialist skills to manage it - rightly so. But everyone in the industry acknowledges Cyber Risk is actually an Operational Risk.

What is Strategic Risk?

Strategic risk is the effect of uncertainty on strategic objectives. How did we deduce this? Well, we just have to look at ISO31000’s definition - the effect of uncertainty on objectives. Now let’s combine this definition with the three risk types above:

The effect of uncertainty on strategic objectives.

The effect of uncertainty on operational objectives.

The effect of uncertainty on financial objectives.

This simple way of considering it helps us understand the difference between operational and strategic risks which are often confused.

Key Sources of Strategic Risk

Here are just some of the key sources arises when an organisation’s strategy is inadequate or improperly implemented. This type of risk can result from:

Market Changes: Rapid shifts in market dynamics can render strategies obsolete.

Competitor Actions: Unexpected moves by competitors can disrupt plans.

Technological Advances: New technologies can outpace existing strategies.

Legislative Changes: New laws or regulations can impact strategic plans.

Why Strategic Risk Matters

Managing strategic risk is crucial for long-term success. Without proper management, businesses can falter, losing their competitive edge and market share.

Actionable Steps to Manage Strategic Risk

1. Strategic objectives

Identify the strategic objectives and measure the effect of uncertainty on these. Make sure you measure risk velocity for strategic risks. Link your strategic risks to your strategic objectives.

2. Assign Ownership

Ownership drives accountability. Having “one throat to choke” enables Executive Management and Boards to go to the accountable person to seek answers quickly.

3. Don’t manage strategic risks like operational risks

The old equation inherent risk + controls = residual risk, does not apply in this case.

4. Think broader than controls

Understand the what, where, how and when.

What - Horizon scan and measurement of the uncertainty i.e. potential impact and likelihood (pro tip: go range not single figure)

Where - Identify where in the business the impact is felt i.e. which departments

How - What are your current actions, processes, teams, resources, responses for this risk. And what levers could you deploy if the strategic risk starts to present itself and realise i.e. new pricing strategy, strategic alliance marketing campaign.

When - Design pre-determined points in time or triggered by an event when you will deploy the above levers. What are your early warning systems here?

5. Monitor, review and report

Tie into your existing governance framework and ensure you monitor strategic risks not just on an annual basis but on an as needed basis. Crucially if you have strategic risks with a high risk velocity and poor early warning indicators you should be reviewing this more frequently than every 12 months.

Mistakes to avoid

1. Ignoring External Factors

Focusing too narrowly on internal capabilities without considering external influences can lead to strategic failures. Always factor in market and regulatory changes.

2. Overconfidence in Current Strategies

Assuming past success guarantees future performance can be risky. Continuously reassess and update your strategies.

3. Lack of Contingency Planning

Failing to plan for potential disruptions can leave a company unprepared. Always have backup plans to mitigate risks.

4. Not aligning to strategic objectives

If you do not align risks to objectives then what is the point of managing these risks. Risk management’s purpose is to support the decision and remove the uncertainty from them achieving their objectives.

Conclusion

I couldn’t get a more generic concluding statement but I will still use it.

Strategic risk is an inherent part of business. Understanding its sources and implementing robust risk management practices can safeguard your organisation’s future.

Closing Thoughts

My key takeaways are strategic risks are those which impact your strategic objectives. If it impacts your operational objectives it is an operational risk. Make sure you have strategic objectives set because you need to link your risk with these objectives. Be careful not to think of mitigants only as controls. You must be broader. With this you should be able to now attempt the not-so dark art of strategic risk.

Now, what would you do differently and what help do you need to get there?