This post continues my “essence of ERM” series. The goal of this series is to address all manner of risk management topics in small sensible components. I’m writing this series to help make risk management a practical tool for organizations of all types.
This post is about strategies.
Strategies are the foundation of risk management. That’s right – strategies, not risks. All so-called risk management is (or at least should be) performed within the context of strategy management. We don’t manage risk for its own sake. We do it to help us develop and execute strategies. So let’s put a different spin on risk management.
First, people own objectives and associated strategies. By “strategies” I simply mean the processes that we use, or steps that we take, to accomplish the objective. People own strategies, not risks. See my prior post on risk ownership for more explanation.
Here is why it makes much more sense to focus on strategies. No organization is in business in order to “manage risk”. It is in business in order to accomplish something. In our personal lives, we don’t design our day around “managing risk”. Instead, we have goals – things we want to accomplish. We develop a plan (strategy) either intuitively or explicitly to accomplish our goal.
So where does risk come in? Risk is the variability in that strategy. It is the potential that this strategy may not lead to the results that we want. We manage risk for only one reason – to improve the odds that our strategy will deliver a favorable result.
Virtually any strategy has some set of potential risk events that could cause problems. Risk management is the process of understanding and addressing those potential risk events. There are two types:
- Controllable: Some risk events can be controlled if we choose to invest appropriate time, money, and energy. We can put additional procedures in place (internal controls), we can buy insurance, we can create and test prototypes, or any number of other potential options. These are all ways that we can prevent potential risk events from derailing our strategy by investing additional time, money, or energy. Now it becomes a strategy decision – do we want to strengthen our strategy by investing the time, money, and energy to make it a bit more predictable?
- Uncontrollable: Some risk events we cannot control. The economy could falter. New unforeseen regulations could be harmful. Weather patterns could change, impacting company logistics. One way to address this is by thinking of these as “strategic assumptions”. Simply put, what assumptions are we making as a foundation for this strategy? What operational, financial, legal, compliance, etc. assumptions are we making? Although we may not be able to control these assumptions, we can typically monitor whether they still hold. We can set up a Key Risk Indicator (KRI) that monitors the economy. If the economy declines, the KRI turns from green to yellow to red. Now we know that we need to revisit any and all strategies that were based on those economic assumptions. Simply put, those assumptions are no longer valid so the strategy is no longer optimal.
The essence here is to recognize strategy management as the focus of risk management. Strategy management is the sole reason that we spend any time or energy focusing on risks. Keep “risk management” in that perspective.
You can read more about my view of risk management (which I call Performance Risk Management) at Risk Leader (rskldr.com).