Strategic Risk for Organisations

March 2001


The heart of Strategic Risk is the capture of information about the organisation and its operations.  This includes the company's aims and objectives.  Once the information has been captured it must be organised and the risks associated with each part thoroughly assessed.  Once the risks have been assessed, work can begin on planning the management of the risks.  This often leads to a fresh approach to strategic planning within the organisation. 

1.  Introduction

In today's business climate, most organisations have a stated strategy.  These fall into several categories:

  1. Strategies that reflect a realistic means of achieving well thought out aims, objectives and vision statements;
  2. Strategies that reflect a means of achieving aims, objectives and vision statements which are either not sustainable or not worthwhile, or both;
  3. Strategies that do not support the achievement of aims, objectives and vision statements;
  4. Strategies which contain contradictions;
  5. Aims, objectives and vision statements posing as strategies.

Clearly, strategies that fit into Group 1 above are not the concern of this paper.  However, it is often difficult to determine objectively whether or not a strategy fits into this group.  Therefore the application of strategic risk is necessary to verify that a strategy is sound.  In addition, the organisation must ensure that its strategy remains valid and that it does not slip into strategic drift [1].  Strategies that fit into Groups 2 and 5 are candidates for conventional strategy analysis (see e.g. [2]), but could easily be identified by the application of strategic risk.  Many strategies fall into Groups 3 and 4.  These are the ones that will accrue the most benefit from the application of strategic risk. 

2.  Background

The term "risk assessment" is used almost daily by politicians, the media, regulators and healthcare professionals.  Unfortunately, this leads many of us to believe that risk-based methods are all about avoiding hazards.  Originally, risk analysis was born out of the concerns resulting from incidents that had an impact on the safety of people, either employees at work, or the public at large.  In its infancy, this was little more than hazard analysis: the identification of all the possible hazards.  It spawned two clear branches: the hazard and operability approach (HAZOP) and risk assessment.  The HAZOP approach is a purely technical one, related to other techniques such as failure mode and effects analysis (FMEA).  Both are aimed at eliminating adverse occurrences.  Risk assessment, on the other hand, treats potential events as threats, with each threat having some likelihood of occurrence and some severity of impact.  Threats with a high likelihood and a high impact are regarded as high risk, whereas those with a low likelihood and a low impact are regarded as low risk.  A matrix is normally used, as shown in Figure 1.

Figure 1: Classification of risks using a risk matrix.  Any threats that appear in the top right-hand corner are regarded as high risk, whereas any threats in the bottom left-hand corner are associated with low risks. 

The original objective of risk assessment was to classify risks into one of three categories:

  • Acceptable and therefore needing no remediation;
  • Unacceptable and therefore to be eliminated;
  • Intermediate and therefore to be reduced to a level known as "As low as reasonably possible" (ALARP).

The unacceptable category often relied on simple, prescriptive methods for the elimination of each risk (or its reduction into the ALARP region).  Risks in the ALARP region were often dealt with in that way, but the concept of risk management emerged in this area, whereby a series of possible management responses, or risk controls, were identified and evaluated.  Thus risk management came to encompass the formation of a risk management plan.  There are, however, even today, those who think that risk management is solely about risk elimination.  All this was originally applied purely to safety or environmental issues.
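As an added illustration of the classification and control evaluation just described (not part of the original paper), the following Python script scores constructed threats on assumed 1-5 likelihood and impact scales, places each in the acceptable, ALARP or unacceptable region of the matrix, and evaluates candidate risk controls to build a simple risk management plan.  The scales, thresholds, threats, controls and costs are all assumptions; Figure 1 gives no numeric values.

```python
from dataclasses import dataclass, field
# Constructed 1-5 ordinal scales; the paper's Figure 1 gives no numeric values.
ACCEPTABLE_MAX = 4     # score <= 4 : acceptable, no remediation (bottom-left cells)
UNACCEPTABLE_MIN = 15  # score >= 15: unacceptable, to be eliminated (top-right cells)
@dataclass
class Control:
    name: str
    cost: int        # constructed relative cost units
    likelihood: int  # residual likelihood once the control is in place
    impact: int      # residual impact once the control is in place
@dataclass
class Threat:
    name: str
    likelihood: int
    impact: int
    controls: list = field(default_factory=list)
def score(likelihood, impact):
    return likelihood * impact
def classify(likelihood, impact):
    """Map a cell of the likelihood/impact matrix to the paper's three categories."""
    s = score(likelihood, impact)
    return "unacceptable" if s >= UNACCEPTABLE_MIN else "acceptable" if s <= ACCEPTABLE_MAX else "ALARP"
def plan_for(threat):
    """Pick the cheapest control reaching 'acceptable', else the lowest residual score."""
    cat = classify(threat.likelihood, threat.impact)
    if cat == "acceptable" or not threat.controls:
        return cat, None, cat
    reaching = [c for c in threat.controls if classify(c.likelihood, c.impact) == "acceptable"]
    best = (min(reaching, key=lambda c: c.cost) if reaching else
            min(threat.controls, key=lambda c: (score(c.likelihood, c.impact), c.cost)))
    return cat, best, classify(best.likelihood, best.impact)

# Constructed register of infrastructure threats, after the paper's second example.
REGISTER = [
    Threat("Mains power failure", 4, 5, [Control("UPS plus standby generator", 9, 1, 2),
                                         Control("Standby generator only", 6, 2, 2)]),
    Threat("Fire in server room", 2, 5, [Control("Gas suppression", 8, 2, 3),
                                         Control("Sprinklers", 5, 2, 4)]),
    Threat("BMS controller fault", 3, 3, [Control("Redundant controller", 4, 1, 3)]),
    Threat("Cleaner trips an alarm", 2, 1),
]

def build_plan(register):
    """Plan rows, highest inherent risk first: (threat, category, control, residual)."""
    rows = []
    for t in sorted(register, key=lambda t: score(t.likelihood, t.impact), reverse=True):
        cat, ctrl, residual = plan_for(t)
        rows.append((t.name, cat, ctrl.name if ctrl else None, residual))
    return rows
```

Running build_plan(REGISTER) shows the fire risk staying in the ALARP region even with its best control, which is the case where the paper's risk management plan, rather than simple elimination, is needed.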

3.  The emergence of risk management

As major projects increased in complexity, it became common for them to be blighted by spiralling costs, late completion and often, an inability to meet the original objectives.  More sophisticated project management techniques failed to halt this slide.  Eventually, the concept of project risk management (PRM) was introduced to address these issues.  In its purest form, PRM begins before the project starts.  It comprises an assessment of all envisaged events that could cause an increase in cost, a delay to the project programme or a failure to deliver an effective solution.  From this base, controls are identified to manage the risks.  The controls are evaluated and used to produce the risk management plan.  The PRM activities continue throughout the project, with continual monitoring and revision.  PRM is often acknowledged to be the first really comprehensive embodiment of risk management. 

A whole host of other risk-based activities have sprung up in recent years.  These include business continuity planning (BCP), value management and, as a result of the Turnbull report, corporate risk profiling.  Some of the exponents of these disciplines might dispute the risk management legacy, but in reality, any effective use of these disciplines must include an element of risk management.  However, the use of risk-based techniques is much wider in today's business environment. 

Example: At the concept and design stages for a new facility, it is possible to bring all the stakeholders together to consider the inherent risks and ensure that an effective, working facility is produced for the minimum practical cost.  In such cases the various parties, such as the project sponsor (i.e. the paymaster), the end user, the mechanical and electrical (M&E) design engineers, the civil and structural engineers and the architect often operate in isolation.  They may be blissfully unaware of the effects of their own decisions on the activities of the others.  Bringing them all together in a risk-based activity is an effective means to identify and manage the risks associated with such decisions.

Example: A business carries out a number of operational functions to achieve its business objectives.  These functions depend critically on the building infrastructure, such as the electrical supply and distribution, the building management system (BMS), the fire detection and extinguishing systems, the heating, ventilation and air conditioning (HVAC) systems, the access control systems and the communications interfaces.  Failure to meet the business objectives may lead to financial penalties.  Without sufficient knowledge and control of the risks to operations posed by the infrastructure, it is very possible that unrealistic business objectives may be set.  The result is that, not only will there be financial consequences, but also there will be a reputational impact, resulting in disappointing long term business prospects.

4.  The principles of strategic risk

Strategic risk management encompasses both of the above examples.  It involves matching vision and strategic objectives with current and future operational constraints.  It is necessary to begin with a top-down approach by questioning the realism of the organisation's vision, aims and objectives.  These need to be served by the strategy, the means by which the organisation sets out to achieve its vision, aims and objectives.  This in turn needs to reflect and be reflected by its operational activities.  The operational activities are in turn subject to many constraints.  The commissioning of new operational activities or facilities involves particularly difficult inter-relationships.  The result of the whole is a multi-dimensional problem, the extent of which is difficult to comprehend.

Organisations often employ a risk manager.  However, the normal concept of a risk manager is of managing technical risk and is usually confined to safety, finance or legal liability.  The person best suited to owning the strategic risk process, if such a person exists, is the business continuity manager.  This ensures that the strategic risk initiative furnishes the organisation with an ongoing process for managing its business as a whole.

Many organisations implement successful strategies at some time during their existence.  This may be because of the flair of an individual in a particular situation, or because a particular set of circumstances conspires to produce a favourable business environment.  Many organisations mimic others, whose strategies appear to be particularly successful.  This can be described as strategic fashion.  What is certain, however, is that no organisation manages to maintain a consistently successful strategy.  Those praised as an example of excellence only a few years ago inevitably fall from grace.  In essence, a successful strategy, without strategic risk, is largely a matter of luck and is unlikely to remain successful for a sustained period.

In order to come to terms with the complexity of the problem, organisations can use strategic risk.  This involves considering the risk management implications of each of the facets of the organisation's business and their inter-relationships.  It is not an overtaxing process, but usually requires some specialist help to get it kick-started.  The overall effects are complementary to business continuity planning (BCP) cited in the previous section.  Because it considers likelihood and impact, strategic risk can form the basis for an effective BCP programme, without the need to call in further expertise (see the next section).

When each facet of the organisation's business has been considered in isolation, including its inter-relationships with each of the others, it is necessary to bring together the people concerned with these different facets.  They can then see the organisation from the perspective of those dedicated to other facets.  Those concerned with vision, aims and objectives will come to understand the point of view of those concerned with operations, and vice versa.  The same will apply to the spheres of strategic implementation and infrastructure.  The operational activities, in turn, need to understand each other across their own internal and outward-facing interfaces.  Only by bringing all these diverse points of view together can there be any improvement in the long-term prospects for an effective business strategy.  Business objectives and strategy may define the criticality of various business operations.  These in turn may be influenced significantly by infrastructure considerations.  In the past, the strategic function has been considered as a linear process, starting with vision, aims and objectives, with each stage designed to support the layer above.  At best, it has been treated as a monitoring and retrenching process.  In reality, the only way to build a successful long-term strategy is to structure these activities as an iterative process, using a risk-based approach.

5.  The foundations of continuing success

Like many risk-based processes, strategic risk should be established as a live, ongoing activity within the organisation.  Business continuity is a function of strategic risk.  Unfortunately, BCP is often restricted to disaster recovery plans.  This is because organisations fail to realise the ongoing, day-to-day impact of failures.  The ideal solution is to establish a strategic risk capability within the organisation.  Where there is an existing business continuity capability, this should be merged with the strategic risk capability, which would then encompass BCP and oversee many of the more technical risk activities.  Although external, specialist help is almost certainly required to establish the strategic risk initiative, once established, it should be considered as a normal business function.  The use of strategic risk gives an overall business perspective to operational failures.  This is illustrated by Figure 2.

Figure 2: The progress of an operational failure.  The shaded area represents what is known as the operational envelope.  A successful strategy implementation must constrain failures to remain within this envelope.

Because strategic risk will have determined the impact of the failure and the acceptable limits for a given likelihood of occurrence, it is possible to tailor operational considerations to either ensure that control action is sufficiently timely or that the extent of the failure is reduced to maintain operations above the minimum acceptable level.  Conversely, if it proves impossible to constrain failures to the operational envelope, the latter may need to be defined, which may have an impact on strategy and business objectives.

6.  Conclusions

Strategic risk increases cross-organisational understanding.  It helps to ensure that an organisation's strategy can remain successful in the long term.  It encompasses business continuity planning and disaster recovery and acts as a focal point for all risk-based activity.


[1] G. Johnson, Rethinking incrementalism, Strategic Management Journal 9 (1988).
[2] M. Grant, Contemporary Strategy Analysis, Blackwell (1995).