Disruption and risk
I like a very recent publication, Deloitte on Disruption.
They use a definition of strategic risk that I have not seen before (I don’t know whether they created the definition):
“Strategic risks are the ones that threaten to disrupt the assumptions at the core of a company’s strategy.”
I like it!
I also like these comments:
“Risk Is Not a Game: Because of the complex world in which companies now operate, strategic risk has earned a rightful position at the top of the executive agenda. Boards want to know that the executive team is “on it,” and CEOs want to make sure they’re not missing it.”
“We live in a world the U.S. Army War College has dubbed VUCA: volatile, uncertain, complex, and ambiguous.”
“You can be on top of the world today and hanging on for dear life five years from now.”
“Of course, the story is far from over: technological advances will only continue, and the speed of innovation will only increase, creating more and more opportunities to disrupt industries. Maybe even yours. The challenge facing organizations today is how to anticipate, adapt, maneuver, make decisions, and change course as needed in a VUCA world. And really, the only way to respond is by changing your approach to risk. You’re not out for a leisurely drive, sticking to the straightaway and steering clear of danger. You’re a Formula 1 driver, using every hairpin turn and unexpected development as an opportunity to secure the lead.”
“The trouble with strategic risks is there’s often no historical precedent to draw from to assess their potential nature and impact. Sometimes they’re the product of a visible trend, but often they appear as a surprise. Subtle and difficult to quantify, strategic risks can’t be managed in the traditional ways with Enterprise Risk Management programs or software. And hard as they are to spot in time or manage, they are extremely difficult to recover from.”
“Spotted early and handled well, they can be the basis for game-changing moves that reorder the field. They can decimate what had looked like an indomitable leader, but they can also point the way to new options or the next market – the way BMW has launched its own car-sharing service DriveNow, or the way Avis is positioning its acquisition of ZipCar.”
Deloitte identifies 4 elements to the process for addressing these disruptive, strategic risks:
- Accelerate discovery. Make sure you have the ability to identify these risks early, so you can act quickly to embrace the opportunity or navigate the threat
- Confront your biases. As Deloitte points out, management and the board are composed of humans with all their frailties, such as bias from past experience, that can inhibit our ability to identify risks and act appropriately
- Scan ruthlessly (which I would have included in #1)
- Prepare for surprises
When I was leading risk management at Business Objects (prior to its acquisition by SAP), we were very much aware of disruptive risks. We identified competitor actions and the emergence of new technology, as well as regulatory changes and other shifts in our external business environment, as risks to monitor.
Part of our process for these risks was to assign to individual executives the responsibility for monitoring them – in addition to our teams specifically tasked with monitoring competitors and new entrants to the market.
One thing I would add to the Deloitte recommendations is this: ensure that your management and the organization are sufficiently agile to shift quickly when needed. Can you change strategy fast, accelerate or slow major projects, such as new product innovation? Or, are you so weighed down by short-termism, bureaucracy and legacy systems that it will be like trying to dance in the mud?
Is Deloitte correct in saying that traditional risk management is insufficient? My personal view is that if you follow guidance from ISO 31000:2009 and make risk management a dynamic activity that considers changes in the ‘external context’, you will have at least the skeleton of a process to follow that will work. But, if you have a periodic risk management process that is limited to a review of a limited number of risks, you are exposed and a candidate to be the next Blockbuster.
I welcome your comments.