
Disruption and risk

October 19, 2014

I like a very recent publication, Deloitte on Disruption.

They use a definition of strategic risk that I have not seen before (I don’t know whether they created the definition):

“Strategic risks are the ones that threaten to disrupt the assumptions at the core of a company’s strategy.”

I like it!

I also like these comments:

“Risk Is Not a Game: Because of the complex world in which companies now operate, strategic risk has earned a rightful position at the top of the executive agenda. Boards want to know that the executive team is “on it,” and CEOs want to make sure they’re not missing it.”

“We live in a world the U.S. Army War College has dubbed VUCA: volatile, uncertain, complex, and ambiguous.”

“You can be on top of the world today and hanging on for dear life five years from now.”

“Of course, the story is far from over: technological advances will only continue, and the speed of innovation will only increase, creating more and more opportunities to disrupt industries. Maybe even yours. The challenge facing organizations today is how to anticipate, adapt, maneuver, make decisions, and change course as needed in a VUCA world. And really, the only way to respond is by changing your approach to risk. You’re not out for a leisurely drive, sticking to the straightaway and steering clear of danger. You’re a Formula 1 driver, using every hairpin turn and unexpected development as an opportunity to secure the lead.

“The trouble with strategic risks is there’s often no historical precedent to draw from to assess their potential nature and impact. Sometimes they’re the product of a visible trend, but often they appear as a surprise. Subtle and difficult to quantify, strategic risks can’t be managed in the traditional ways with Enterprise Risk Management programs or software. And hard as they are to spot in time or manage, they are extremely difficult to recover from.”

“Spotted early and handled well, they can be the basis for game-changing moves that reorder the field. They can decimate what had looked like an indomitable leader, but they can also point the way to new options or the next market – the way BMW has launched its own car-sharing service DriveNow, or the way Avis is positioning its acquisition of ZipCar.”

Deloitte identifies 4 elements to the process for addressing these disruptive, strategic risks:

  1. Accelerate discovery. Make sure you have the ability to identify these risks early, so you can act quickly to embrace the opportunity or navigate the threat
  2. Confront your biases. As Deloitte points out, management and the board are composed of humans with all their frailties, such as bias from past experience, that can inhibit our ability to identify risks and act appropriately
  3. Scan ruthlessly (which I would have included in #1)
  4. Prepare for surprises

When I was leading risk management at Business Objects (prior to its acquisition by SAP), we were very much aware of disruptive risks. We identified competitor actions and the emergence of new technology, as well as regulatory changes and other shifts in our external business environment, as risks to monitor.

Part of our process for these risks was to assign to individual executives the responsibility for monitoring them – in addition to our teams specifically tasked with monitoring competitors and new entrants to the market.

One thing I would add to the Deloitte recommendations is this: ensure that your management and the organization are sufficiently agile to shift quickly when needed. Can you change strategy fast, accelerate or slow major projects, such as new product innovation? Or, are you so weighed down by short-termism, bureaucracy and legacy systems that it will be like trying to dance in the mud?

Is Deloitte correct in saying that traditional risk management is insufficient? My personal view is that if you follow guidance from ISO 31000:2009 and make risk management a dynamic activity that considers changes in the ‘external context’, you will have at least the skeleton of a process to follow that will work. But, if you have a periodic risk management process that is limited to a review of a limited number of risks, you are exposed and a candidate to be the next Blockbuster.

I welcome your comments.

  1. October 19, 2014 at 12:56 PM

    Inherent, but apparently unstated, in the concept of strategic risk is the concept of strategic controls, and the underlying assumptions of the enterprise that define them.

    Strategic risk is intrinsic and inherent in the management environment.

    Strategic controls give context and a baseline for managing those risks against the desired direction of the organization. Strategic controls are primarily about how the organization proceeds to its destination, and secondarily about identifying deviations from that plan as they arise.

    Strategic controls create the first line of defense in identifying deviations from expectation.

    Strategic controls do not reduce the risks faced by the organization, but they make those risks more manageable.

    I have yet to encounter an organization that has an explicit definition of its strategic controls.

    Hence, the level of organizational failure that we witness too frequently today.

  2. Kathryn M. Tominey
    October 19, 2014 at 2:07 PM

    Yes interesting language. Extinction level events – the challenge is accepting what the messenger has to say rather than killing the messenger & message.

    Think, typewriter companies that would not look at the PC with word processing software & printers. Or, firms that make film given the digital camera – Kodak. Or, finding that a big chunk of your paper profits are tied up in MBSs with triple AAA ratings that were unwarranted at best, fraudulently assigned most likely & treasury won’t bail you out. Lehman Bros. Or you did a lot of careless lending and did not unload them – WaMu. Or ignoring Mr. Bass’s warnings about the unsoundness of advice Arthur Andersen was giving to Enron. Or, Kyle Bass (different Bass family I think) showing Bear Stearns exactly how much risk exposure they had in subprime loans.

    There are tons of smaller scale examples – where corporations were damaged but not killed by bad decisions.

    I feel confident that in every situation someone gave mgt a heads up and was dumped on. I suggest that refusal to see or listen is at the root of this reality.

    It would be useful to hear insights from folks who have successfully managed this sort of situation.

  3. Norman Marks
    October 19, 2014 at 2:35 PM

    Sidney, do you like the Deloitte definition of strategic risk? I think it is better than most – because the only risks that matter (including so-called operational or compliance risks) are those that affect the achievement of our objectives and strategies.

  4. October 19, 2014 at 4:00 PM

    I have no problem with the Deloitte definition as it addresses risk per se.

    As an alumnus of Deloitte of some vintage, I have always respected the firm for its focus on internal control and risk assessment as the foundation for its audit methodology.

    But in my years of internal audit and consulting, I have been greatly dismayed that internal audit and risk management professionals focus so intently on risks, while senior management focuses on strategies….and yet we continue to have strategic failures which in many cases are preventable.

    What is missing? In too many cases, strategic controls. Directive controls (as distinguished from the evaluative controls that auditors and risk managers primarily focus on) that translate strategic concepts of the executive suite into actions and performance standards for measurement of attainment. Strategic controls are those directive controls that operate across the organization’s functional and marketing silos, and over the long term, to bring cohesion to the performance of the entity in achieving its long term objectives. Alternatively, strategic controls can also assist in defining boundaries that can prevent failures of operational control in one dark corner of the operation from sinking the ship.

    Without defining strategic controls, the potential number and nature of strategic risks will likely be much greater than it needs to be.

    The definition of strategic controls will be the first test of whether executive management’s grand strategy is in fact actionable to positive outcome. They are, or ought to be, the basis for evaluative controls that auditors and risk managers should be testing.

    The operation of strategic controls, and the subordinate operational directive control systems defined within them, is the means by which we can best identify strategic and all other risks.

    In my view, the great dilemma of risk managers and internal auditors is to recognize the unknown-unknowns, as the great philosopher-warrior Donald Rumsfeld so eloquently described them. The easiest way to do that is to be ruthlessly explicit about what you want to achieve, why you want to achieve it and how you intend to go about it. And then as soon as deviation raises its ugly head, be equally ruthless about hunting down the cause. In many cases, that leads back to the executive suite.

    And here is where Deloitte makes two critical points that are particularly relevant to the operations in the Executive Suite: Items 2 and 3. Confront your biases, and scan ruthlessly.

    If executive management is unwilling to confront its biases, it is often equally unwilling to acknowledge its limits. This is the first step down the slippery slope to strategic failure.

    To these two I would add a corollary: Scan internally as vigorously as you scan the horizon.

  5. Gregory Sosbee
    October 21, 2014 at 7:15 AM

    Norman’s assumption is correct as a properly designed, implemented and managed risk management program by definition is sufficiently robust to account for all risks of the organization.

    What has to be understood is risk is risk. One either manages risk in a comprehensive manner or in an ad hoc manner. The former has the power to produce superior results while the latter produces issues, holes and ultimately failure.

    Strategic risk is no different from any other risk an organization faces and has to manage. The issue with strategic risk is historic as strategic risk traditionally was the sole and absolute purview of select senior executives rather than a Board of Directors directed function. It is unfortunate that even those in the risk management field (such as RIMS) still exclude strategic risks from their definition of risk.

    The take away is risk is risk and to manage one risk differently from other risks creates creases and holes in an effective risk management program.

  6. Norman Marks
    October 21, 2014 at 7:31 AM

    Gregory, do you think ‘strategic’ risk is different as it may require a radical shift in strategy? The whole organization may need to adjust, rightsize, etc? You can’t wait for the risk to appear before readying the organization for change at speed.

  7. Jim Mewburn
    October 22, 2014 at 6:55 PM

    I note that conversations around strategic risks (as with most risk conversations … sigh) intuitively jump to ‘risk controls’ whereas I would suggest they should focus first on the strategic objectives. Take the examples of Kodak and typewriter companies … it was potentially flaws in their company objectives rather than their controls i.e. if their objectives centred around quality, production costs etc. then the elephants in the room stay hidden behind a pot plant. However if their strategic objectives were around return on investment + more opportunistic goals then the elephants are more likely revealed through context discussions.

  8. October 23, 2014 at 9:59 AM

    Norman, strategic risk is that which has the potential to prevent Management from meeting its objective, so yes the definition of Deloitte is not incorrect but one that can be accepted as a reasonable definition.

    Deloitte is also correct to say that traditional risk management (alone) is insufficient to manage strategic risk because traditional risk management has to do with checking against past events (things that have already occurred).

    For businesses to survive these days (i.e. in a VUCA: volatile, uncertain, complex, and ambiguous world), they must be able to assess risks that have never been experienced before by the business. This is not an easy task and calls for a change in the outlook and assessment of risk which is what you and Deloitte have been advocating for.

    You stated and I quote:

    One thing I would add to the Deloitte recommendations is this: ensure that your management and the organization are sufficiently agile to shift quickly when needed. Can you change strategy fast, accelerate or slow major projects, such as new product innovation? Or, are you so weighed down by short-termism, bureaucracy and legacy systems that it will be like trying to dance in the mud?

    End of quote.

    My question to you is whose responsibility is this to ensure that management and the organization are sufficiently agile to shift quickly when needed and how should one go about establishing that?


  9. Norman Marks
    October 23, 2014 at 10:03 AM

    Tamika,

    First, the question of strategic risk. Won’t a failure to comply with regulations that results in a shutdown of manufacturing, recall of thousands of your product, loss of consumer confidence, and billions of dollars in fines impact the achievement of objectives? How about a failure to file materially correct financial statements that leads to a 10% drop in stock value, or the theft of massive amounts of IP?

    On the question of responsibility for agility? I hold the CEO, CFO, the COO, and CIO primarily responsible, with oversight the responsibility of the board.

    Do you agree?

  10. October 23, 2014 at 10:17 AM

    Yes I truly do agree.

  11. Khanh Vuong
    October 23, 2014 at 11:09 AM

    Norman,

    I like the points you added to the list of Deloitte’s recommendations, but not their definition of strategic risk (as the risks that threaten to disrupt the assumptions at the core of a company’s strategy). There is in this definition a subtle implication that only what appears on the radar would be identified. Strategic risks are also the ones that spring up out of nowhere, having nothing to do with the assumptions of the management team or leadership of an organization. What are your thoughts?

  12. Norman Marks
    October 23, 2014 at 4:50 PM

    Khanh, I think the relentless scanning should address those that “spring up out of nowhere”. Of course, you do need to be looking in the right direction.

  13. Khanh Vuong
    October 24, 2014 at 5:56 AM

    Norman,

    Agreed with the relentless scanning comment. Maybe this can be incorporated into the definition, such that it can be: “the risks that threaten to disrupt the core of a company’s strategy, in any respects from the underlying key assumptions and premise to the direction taken by the company.”
