Embedding risk into strategic planning and more
It is easy to say that risk management should be embedded into business processes such as strategic planning. But is it that easy to accomplish in practice?
I think it’s fair to say that in most organizations they are quite separate.
I would also say that many times risk management focuses on harms and strategy on opportunities, almost as if one was a pessimist fearing the worst and the other a cock-eyed optimist hoping for the best.
My good friend, Dan Swanson, shared a link to a series of questions about strategic planning from the consultancy firm of Bain & Company.
“Is your strategic planning world class” has twelve questions, each of which is relevant and useful.
Please go through the twelve and come back here for further discussion.
So, did you see any mention of risk or risk management?
Did you see any indication that risk is embedded in any way into strategic planning?
Let’s consider another source, another major consultancy firm, McKinsey. In 2007, they published “How to improve strategic planning”.
Have a quick look.
Correct. No mention of risk management.
One final source, the Boston Consulting Group: “Four best practices for Strategic Planning”.
I will pause while you check it out.
So, none of these major management consulting companies mention risk management.
Is that because they don’t understand its value and how it should be integrated or embedded into strategic planning?
So how does a risk officer get involved? How can he or she ensure that risk is considered?
Well, to me it starts with the same point I have been making for a long time now.
STOP TALKING ABOUT RISK
Risk is a word that blocks thinking. While risk officers understand that it is about helping people make better decisions and achieve their objectives (exemplified by the organization’s stated strategies), executives see it as a compliance activity that is focused on avoiding harm.
There’s a huge difference between avoiding harm and achieving objectives.
If you want to eliminate cyber risk, destroy all your computers.
In real life, we have to take risks – and the key is to take the right level of the right risks.
A risk practitioner can bring the discipline, process, and tools that are associated with risk management to strengthening the strategic planning process.
If I were CRO, I would work with the CEO/COO and head of strategy to answer these questions:
- What assumptions have been made in defining the (internal and external) business environment and how it will change over the next period? What is the level of confidence in them?
- What has been and will be done to confirm, monitor, and (to the extent possible) realize the assumptions? Can the likelihood of realizing the assumptions be improved?
- How confident are you in the quality of the information being used to understand the business environment and its future? Can that be improved?
- How were the potential consequences of each strategic option assessed? Were the likelihoods of each level of achievement estimated with confidence? Is the likelihood of the desired set of consequences at an acceptable level?
- Were potential adverse situations or events considered? How were they assessed?
- How were potential adverse and positive effects and outcomes assessed in aggregate?
- What is the level of confidence that the strategies will be achieved to the level of the goals and targets that have been set?
- Is that level of confidence acceptable? What can and will be done to improve it?
- Will performance against targets be measured in a way that incorporates changes in the potential for both positive and adverse effects in the future?
- Can strategies and targets be modified as current conditions, and those expected in the future, change?
I am sure there are more questions that can be asked. What should be added?
I welcome your thoughts.