Home > Risk > Risk and Strategy

Risk and Strategy

My good friend, Nenshad Bardoliwalla, is the co-author[1] of Driven To Perform and his latest blog (at http://bardoli.blogspot.com/) starts a discussion about the first phase in the book: strategize and prioritize.    

What I want to focus on here is this sentence from the blog:    

“In the process of setting business strategy, the development of strategic and operational plans should include the identification and assessment of risks to short- and long-term objectives and plans.”    

There is no point in setting unrealistic and unattainable strategies, goals, and objectives. There is also a problem when the risk of a strategy outweighs the reward – even when the risk is managed as well as you realistically can.    

So an effective strategy-setting process should include:    

  • understanding the risks to each of the desired activities
  • setting only attainable strategies, goals, and objectives where the rewards exceed the risks (the degree should be set by the board and executive management), and the risks are within organizational tolerances
  • taking advantage of the upside of risk – opportunity (for example, L3 Communications is benefiting from the perceived risk of passengers smuggling bombs onto planes by selling more full body scanners)
  • establishing how the organization will manage the risks to optimize the likelihood of achieving strategies, goals, and objectives

But there is more to the relationship.    

The only risks that need to be managed are those that are material to organizational strategies, goals, and objectives (Marks, 2010)    

What is the value in monitoring and managing risks that are not material to strategies, goals, and objectives, and would not impact the likelihood of corporate success? Surely, these are what the Lean practitioners would call muda, or waste.    

So, the best risk management system – surely – is one where there is linkage between the system for managing strategies and the risk management system. Strategies are linked to risks, so a review of performance against them also includes a review of related risk levels – and so can drive action to either modify the strategy or change the risk response. Linking risks to strategies also ensures that muda is limited, and resources are spent only on risks that are material to the success of the organization.    

Do you agree?


[1] With Stephanie Buscemi (another friend) and Denise Broady.

  1. Cees Klumper
    January 7, 2010 at 4:24 AM

    Agree that setting objectives and strategy need to include a risk/return comparison. What I would add as a caution to your argument that only the material risks need managing is that it can be difficult to establish exactly what constitutes ‘material’. To a small player with many like-competitors, the difference between being successful and failing can lie in excelling in what may appear to be small details (compare ‘retail is detail’) while for a company that has just invented a unique breakthrough product or service, it can be sufficient and indeed advisable to just focus on its Big Hairy Audaucious Goals and worry about the details later (but, then even for this company, success probably means managing literally hundreds of risks well rather than the maybe tens that companies that go through an explicit risk assessment exercise oftentimes end up documenting).

  2. Peter Prims
    January 7, 2010 at 10:06 AM

    I agree on the need to align strategy and risk management. I also share the concern about materiality of risks. In practice how often can a board of directors or even executive management allocate the necessary time and thought to the risks involved? Management of many risks naturally moves to lower levels in an organization as do job responsibilities and operational details. A big challenge comes when those risks managed at a lower level change in magnitude either for external reasons or internal reasons. Are the changes in risk adequately communicated upwards? Organizations evolving through growth, acquisitions, changing markets, and even changing executive and board ranks have particularly significant challenges in managing risk and identifying the risks with strategies. That is not a criticism of the management, which may often be trained or hired for skills that address these potential risks. Nonetheless, changes often mean unfamiliarity on the part of many key players, different personal biases on the part of decision makers, and quite possibly insufficient internal resources. In theory risk management that aligns with strategy should be able to address all of these matters, but in practice it is much harder. I do think that raising this topic is well worth while at a time when some limited optimism and the change of the year will encourage many companies to review their strategies going forward.

  3. David Yeomans
    March 5, 2010 at 8:27 AM

    I agree about the need for explicit alignment between strategy and risks by Boards & Executive Management. Your quote from Marks refers to which risks should be managed – not assessed or controlled or reviewed but managed. As such, it is not materiality (whether measured by Impact or Likelihood etc) but those risks where the exercise of judgement by responsible competent managers is required. These are the ones to consider in the context of the choices made in deciding on diferent possible courses of action involved in strategic & operational plans and consequently how the risks are to be assessed/controlled/reviwed/updated etc.

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: