Embedding risk into strategic planning and more
It is easy to say that risk management should be embedded into business processes such as strategic planning. But is it that easy to accomplish in practice?
I think it’s fair to say that in most organizations they are quite separate.
I would also say that many times risk management focuses on harms and strategy on opportunities, almost as if one was a pessimist fearing the worst and the other a cock-eyed optimist hoping for the best.
My good friend, Dan Swanson, shared a link to a series of questions about strategic planning from the consultancy firm of Bain & Company.
"Is your strategic planning world class?" has twelve questions, each of which is relevant and useful.
Please go through the twelve and come back here for further discussion.
==========================================================================
So, did you see any mention of risk or risk management?
Did you see any indication that risk is embedded in any way into strategic planning?
Let’s consider another source, another major consultancy firm, McKinsey. In 2007, they published How to improve strategic planning.
Have a quick look.
==========================================================================
Correct. No mention of risk management.
One final source, the Boston Consulting Group. Four best practices for Strategic Planning.
I will pause while you check it out.
==========================================================================
So, none of these major management consulting companies mention risk management.
Is that because they don’t understand its value and how it should be integrated or embedded into strategic planning?
Possibly so.
So how does a risk officer get involved? How can he or she ensure that risk is considered?
Well, to me it starts with the same point I have been making for a long time now.
STOP TALKING ABOUT RISK
Risk is a word that blocks thinking. While risk officers understand that it is about helping people make better decisions and achieve their objectives (exemplified by the organization’s stated strategies), executives see it as a compliance activity that is focused on avoiding harm.
There’s a huge difference between avoiding harm and achieving objectives.
If you want to eliminate cyber risk, destroy all your computers.
In real life, we have to take risks – and the key is to take the right level of the right risks.
A risk practitioner can bring the discipline, process, and tools that are associated with risk management to strengthening the strategic planning process.
If I were CRO, I would work with the CEO/COO and head of strategy to answer these questions:
- What assumptions have been made in defining the (internal and external) business environment and how it will change over the next period? What is the level of confidence in them?
- What has and will be done to confirm, monitor, and (to the extent possible) realize the assumptions? Can the likelihood of realizing the assumptions be improved?
- How confident are you in the quality of the information being used to understand the business environment and its future? Can that be improved?
- How were the potential consequences of each strategic option assessed? Were the likelihoods of each level of achievement estimated with confidence? Is the likelihood of the desired set of consequences at an acceptable level?
- Were potential adverse situations or events considered? How were they assessed?
- How were potential adverse and positive effects and outcomes assessed in aggregate?
- What is the level of confidence that the strategies will be achieved to the level of the goals and targets that have been set?
- Is that level of confidence acceptable? What can and will be done to improve it?
- Will performance against targets be measured in a way that incorporates changes in the potential for both positive and adverse effects in the future?
- Can strategies and targets be modified as conditions now and expected in the future change?
I am sure there are more questions that can be asked. What should be added?
I welcome your thoughts.
1. You make the assumption or infer that because these high profile consulting firms (known more for selling and delivering strategic consulting) have not raised the questions in your list, that because of this such questions are not therefore considered by the strategy areas of organisations. Are you sure? Just because they are not featuring in articles obviously designed to create uncertainty in the eyes of those responsible for strategy, does not necessarily mean they are not considered by strategy areas in practice.
2. Just because a CRO does not raise them or may not even be involved in the strategy process does not on its own necessarily mean what could be termed risk management is not integrated into the strategic planning process. Think you would agree that it is irrelevant as to who asks the questions but the key thing is they are considered and factored into the strategy process.
3. A very helpful set of questions to optimise the chances a CRO or someone else involved in the process can integrate risk management more effectively into strategic planning, ie rather than simply think about all the “bad” things that may happen. Moves integration beyond simply a CRO attending the annual strategy retreat. Builds real substance into risk being incorporated into the process, assuming those responsible for strategy want all these questions fully answered? And the answers made known to those approving the strategy? Will leave it there.
Glenn, thank you for the comment. I referenced the 3 consulting firms as an indicator that it is likely that strategic planning does not consider what might happen in as disciplined a manner as risk professionals. Certainly, I hope they do and any questioning by practitioners will confirm that.
Integration (I think this is a much better term than embedding) is actually very easy and risk management can become a natural and value-adding part of any planning process providing:
– we drop all the risky language (I agree with you Norman)
– we strenuously avoid sending a risk register created sometime in the past to the strategic planning process and thinking that is integration
– we understand what the risk management process and its elements are really supposed to do (and it’s not to create a risk register!)
– we do the right things at the right times and, in particular, weave the elements of the risk management process into the steps of the planning process.
After all, the only purpose for risk management is to support decisions, and plans are just lots of decisions taking place at the same time. Also, if risk is the effect of uncertainty on objectives, it’s pretty important to know the uncertainties inherent in any new strategic objectives when they are being made – so that we can change them at the time if necessary or take steps to reduce uncertainties to acceptable levels by generating actions that become part of the resulting business plan.
I normally start by helping the planning team reveal and agree the lessons learnt from the previous plan. This is part of ‘monitor and review’ in risk-speak and involves identifying and agreeing the successes and failures of the past plan, grouping those and then conducting root cause analysis to reveal the lessons learnt and hence the actions to repeat successes and prevent failures. Many organisations miss this step and also miss the valuable, free information that is generated that should become the basis for the next plan.
While SWOT, PESTLE and other environmental analysis tools are often used to provide an input to the plan, the stakeholder analysis (yielding stakeholder objectives and how they should be involved) together with the normal context setting we do prior to risk assessment always seems to provide complementary or more useful information. In particular, clearly understanding risk sources (aka assumptions) in the external and internal environment is particularly valuable.
Then, once the draft plan is developed (and NB, not after it is finalised) we can stress test the draft objectives using risk assessment. Existing strategic enablers (we risky people call them controls) are taken into account and this leads to a set of actions that aim to provide greater certainty that the draft objectives are achieved. Another important outcome is an understanding of which of the risk sources need subsequent monitoring to ensure our plan remains valid. We set lead measures for these indicators (some people call them KRIs).
Of course, once the plan is made, the risk management process still has a role in understanding performance and responding to changes in assumptions about the external or internal environment including changes to strategic enablers (monitoring and review).
This is all quite easy and natural – especially if we just call it strategic management and performance management and drop all the risky language and crazy risk confections we all love but which distance us from our clients.
Reblogged this on RISK-ACADEMY Blog and commented:
Great piece on integrating risk into strategy
Great piece
Hi Norman. My immediate reaction to your piece, before rational thought takes place, is: where is internal audit? I think you have inadvertently raised this as a question, since I would expect that the questions you have posed should be asked by IA and tests carried out by them to confirm the answers. I realize that my point is slightly ‘off message’ except that the involvement of IA could change the dynamics and attitude to ‘risks’.
In my experience, the problem with the CRO asking these questions is that he/she does not necessarily have the independence to challenge the answers. (That’ll put the cat among the pigeons).
I will give further thought to your main argument!
Thanks for the post. Working in government, one thing I’ve encountered amongst planners is a sense they are documenting plans very much as an afterthought, or as window dressing. (It’s not just risk people who lie awake wondering what value we got from our noble information gathering exercise!) There are many reasons for this (eg perhaps the purpose of the plan is to satisfy government stakeholders) but I sense a growing acceptance that 20th century management and planning doesn’t work that well for government monopolies trying to address complex human problems. So there’s a bigger order question above all this: what control mechanisms provide value to management and how do they operate? I sense the annual / 3 year plan (or many parts of it) isn’t working.
Combination of Norman’s questions and Grant’s overall method/approach uplifts risk input into the strategic planning process (and also more specifically input into investment proposals that relate to the overall strategy) significantly beyond the stock standard list of risks with controls/actions. An investment proposal came in over the weekend and applied it – works a treat, albeit some of the questions and answers given then pose the issue as to why they were not raised before during the annual business planning phase! Thank you.
I like the combination of Norman’s questions and Grant’s approach. I would expand a bit by adding consideration of the risks that the strategy is now introducing into the business (maybe it is the intent of Norman’s question regarding adverse situations or events) but I would go a little further. My clients are often ignoring the impact of the new strategic objectives or initiatives on the ongoing activities and goals. These impacts may show up from the bottom up, which is usually too late. The likelihood of strategic success is higher if management takes the time to consider and make risk informed decisions on how the strategy will be integrated into the current business; to me this is part of the first stage of delivering the strategy and the risks to that stage must be known and managed as appropriate. Some may call it change management, others call it project risk management, but few give it the appropriate consideration.
Risk management is a tool, not a product. In my experience, what tends to happen is that management are handed a list of risks and then expected to incorporate them somehow into their process. My preference would be rather to ask where risk management as a tool can be applied to strategic planning to better inform and augment it. For example, to take the first question from the Bain questionnaire:
Our strategic planning produces a clear set of actions and is linked to performance management to ensure successful strategy execution.
– Strategic planners, how has risk management been used to contribute to the definition and assessment of the set of actions produced? How do you know that the set of actions adequately addresses uncertainties inherent in the strategy? To what extent will the performance management information feed back into risk management?
Boards need to expect risk management to be used where appropriate and for it to contribute to the decision-making process. Management need to be able to demonstrate application of the process in defining and assessing their control strategies, or explain why risk management was not applied. Not so much incorporate, but use where it can contribute.
As usual a good piece. In particular, the fact that the word risk should be minimally used.
A few observations:
1. Glen has raised an important point here that “Just because a CRO does not raise them or may not even be involved in the strategy process does not on its own necessarily mean what could be termed risk management ..”
This is an important question and we need to think what exactly the “add on” from the CRO is. In my opinion the strategic planning and goal setting process does have a few biases here and there: a CEO having a 3 year term taking a short term perspective, targets coming from the Group with no alignment to the situation on the ground, or an unwarranted association of a business manager with a certain product. The CRO here should come in to provide a more objective view on all this.
2. Secondly, I feel that apart from focusing on the risks of objectives not being met, the risks of key opportunities not being considered need also to be evaluated.
We work with strategic planning to make sure that risks to strategy are properly identified and the mitigation plans are in the ERM risk register.
A common risk criteria.
A common strategic vision!
Thus covering an important area ie ERM level risk to strategic objectives.
No issues there.
The key is to work together as a team.
Is this really integrating risk and strategy? Are the disciplines used to assess the extent and likelihood of harms extended to the potential for achievement? I’m not persuaded. Sorry.
Strategy has two major processes, formulation and implementation. In the past, IA was only concerned with implementation. We took the objectives as a given and began analyzing the risks to those objectives.
COSO ERM 2017 is going to push IA closer to evaluating formulation, which starts with the vision/mission, the fit with the external environment, and the processes used to establish objectives. The risks considered prior to setting objectives are analyzed.
That will be new ground for IA and we have to get educated on how to handle that.
Here are two great articles on the subject:
A history of the major concepts in strategy from a Harvard professor:
https://papers.ssrn.com/sol3/papers.cfm?abstract_id=264528
Article by Peter Drucker on analyzing assumptions underlying the business model.
https://hbr.org/1994/09/the-theory-of-the-business
It was a great experience visiting this post on risk management. Thank you for sharing.