Risk Management and Strategic Planning

Failing to link your organisation’s Risk Management efforts to its Strategic Planning means passing up the opportunity to increase the likelihood of achieving the objectives set out in its Strategic Plan.

At a strategic level, there are two distinct stages at which risk must be actively managed. The first is during strategy development, when key decisions are being made on the direction the organisation is taking; the second is during the execution of the agreed strategy.

Strategy Development:

During this phase, it is important to identify the threats or risks to the strategy, to assess them and to develop plans accordingly.

Michael Porter, lauded by The Economist as “the doyen of living management gurus”, defined risk as: a function of how poorly a strategy will perform if the ‘wrong’ scenario occurs. Often it is not possible to forecast the precise cause of an event or circumstances that could have a devastating effect on the strategic plan, but high-level descriptions of “what-if scenarios” will help to inform your planning:

  • What if a building / facility you depend upon was no longer available due to fire, flood, etc.?
  • What if key employees were no longer available (resigned, ill, injured, etc.)?
  • What if a key supplier were to fail to deliver (disruption, insolvency, etc.)?
  • What if the IT infrastructure were to catastrophically fail?
  • What if funding expectations were not met?

Assessing the risks at this stage, when alternative strategies are being considered, will inform the decision-making.

If there is an organisation-wide approach to risk management, then the senior leadership team will know how well these risks are currently managed. If they are well managed, the Board or senior leaders might well decide to take on more risk by increasing investment / spend. If there are unacceptable gaps in the levels of control in place, these can be addressed / modified by the allocation of additional resources, where required, or the risk can be transferred to somebody else.

Strategy Execution:

One of the positive outcomes of considering the risks faced when formulating strategy plans is consensus on the amount or level of risk the organisation is willing to take in pursuit of its objectives; this is sometimes referred to as the “Risk Appetite”. The organisational risk appetite is a combination of statements that define the risks the organisation is willing to take, those it will not take and the limits / thresholds that must not be exceeded. For example: you might declare that the maximum unplanned closure of the school should not exceed two school days; this statement then informs your Facilities department as to what its strategy options are.

Whenever a decision is made, the risks that surround it must be managed. Key strategic decision makers may assume certain processes and systems are in place to support the strategic initiative, so risks need to be monitored, and senior management needs to keep an eye on the Key Risk Indicators (KRIs) that will signal a deteriorating situation and prompt urgent action. A centralised management dashboard, such as the one available in CalQRisk, that indicates how well risks are being managed, highlights incidents and near misses, and illustrates the organisation’s level of compliance with regulations will help to keep your organisation’s Board and senior management fully informed as to the likelihood that your strategic objectives will be met.
