Failing to link your organisation's Risk Management efforts to its Strategic Planning means passing up an opportunity to increase the likelihood that the organisation will achieve the objectives set out in its Strategic Plan.
At a strategic level, there are two distinct stages at which risk must be actively managed. The first is during strategy development, when key decisions are being made on the direction the organisation is taking; the second is during the execution of the agreed strategy.
During the first of these, strategy development, it is important to identify the threats or risks to the strategy, to assess them and to develop plans accordingly.
Michael Porter, lauded by The Economist as "the doyen of living management gurus", defined risk as a function of how poorly a strategy will perform if the 'wrong' scenario occurs. Often it is not possible to forecast the precise cause of an event or set of circumstances that could have a devastating effect on the strategic plan, but high-level descriptions of "what-if scenarios" will help to inform your planning.
Assessing the risks at this stage, when alternative strategies are being considered, will inform the decision-making.
If there is an organisation-wide approach to risk management, the senior management team will know how well these risks are currently managed. If they are well managed, the Board or senior management team might well decide to take on more risk by increasing investment or spend. If there are unacceptable gaps in the levels of control in place, these can be addressed by allocating additional resources where required, or the risk can be transferred to another party (for example through insurance or outsourcing).
One of the positive outcomes of considering the risks faced by the organisation when formulating its strategic plans is consensus on the amount or level of risk the organisation is willing to take in pursuit of its objectives; this is sometimes referred to as the "Risk Appetite". The organisational risk appetite is a set of statements that define the risks the organisation is willing to take, those it will not take, and the limits or thresholds that must not be exceeded. For example, if IT resilience is important to your organisation, the Maximum Tolerable Outage could be defined as 30 minutes. That single statement tells your IT function which recovery strategy options are acceptable and which are not.
Whenever a decision is made, the risks that surround it must be managed. Key strategic decision makers may assume that certain processes and systems are in place to support the strategic initiative, so risks need to be monitored and senior management needs to keep an eye on the Key Risk Indicators (KRIs) that will signal a deteriorating situation and prompt urgent action. A centralised management dashboard, such as the one available in CalQRisk, that indicates how well risks are being managed, highlights incidents and near misses, and illustrates the organisation's level of compliance with regulations will help to keep your Board and senior management fully informed about the likelihood that your strategic objectives will be met.