Most organisations today have laid out strategies that fall within the following categories:
1 Strategies that reflect a realistic means of achieving well thought out aims, objectives and visions
2 Strategies that reflect a means of achieving aims, objectives and visions which are either not sustainable or not worthwhile, or both
3 Strategies that do not support the achievement of aims, objectives and visions
4 Strategies which contain contradictions
5 Aims, objectives and vision statements posing as strategies.
Clearly, those strategies that fit into Group 1 are the ideal. However, it is often difficult to determine objectively whether or not a strategy fits into this group, and you may need to apply strategic risk management to verify that a strategy is indeed sound. In addition, it is important that organisations ensure that their Group 1 strategies remain valid and do not slip into strategic drift(1).
Strategies that fit into Groups 2 and 5 are candidates for conventional strategy analysis(2),but could equally easily be identified by applying strategic risk management. However, many strategies will fall into Groups 3 and 4, and these are the ones that stand to benefit the most from strategic risk management.
Politicians, the media, regulators and healthcare professionals use the term 'risk assessment' almost daily. Unfortunately, this carries the implication that risk-based methods are all about avoiding hazards.
Originally, risk analysis was born out of concern resulting from incidents that had an impact on the safety of people, either employees at work, or the public at large. In its infancy, this was little more than hazard analysis - the identification of all the possible hazards. It spawned two clear branches: the hazard and operability approach (HAZOP) and risk assessment.
The HAZOP approach is a purely technical one, related to other techniques such as failure mode and effects analysis (FMEA). Both are aimed at eliminating adverse occurrences. Risk assessment, on the other hand, treats potential events as threats, with each threat having some likelihood of occurrence and some severity of impact. Threats with a high likelihood and a high impact are regarded as high risk, whereas those with a low likelihood and a low impact are regarded as low risk. A matrix is normally used, as shown in Figure 1.
The original objective of risk assessment was to classify risks into one of three categories:
- Acceptable and therefore needing no remediation
- Unacceptable and therefore to be eliminated
- Intermediate and therefore to be reduced to a level known as 'As low as reasonably possible' (ALARP).
The unacceptable category often relied on simple, prescriptive methods for the elimination of each risk (or its reduction into the ALARP region).
Risks in the ALARP region were often dealt with in the same way, but the concept of risk management emerged in this area, whereby a series of possible management responses or risk controls were identified and evaluated. Thus risk management came to encompass the formation of a risk management plan, although, even today, there are those who think that risk management is solely about risk elimination.
All this originally applied purely to safety or environmental issues.
Emergence of risk management
As major projects increased in complexity, it became common for them to be blighted by spiralling costs, late completion and often an inability to meet the original objectives. More sophisticated project management techniques failed to halt this slide. Eventually, the concept of project risk management (PRM) was introduced to address these issues.
In its purest form, PRM begins before the project starts. It comprises an assessment of all envisaged events that could cause an increase in cost, a delay to the project programme or a failure to deliver an effective solution. From this base, controls are identified to manage the risks.
The controls are evaluated and used to produce the risk management plan.
The PRM activities continue throughout the project, with continual monitoring and revision. PRM is often acknowledged to be the first really comprehensive embodiment of risk management.
A whole host of other risk-based activities has sprung up in recent years.
They include business continuity planning (BCP), value management and, as a result of the Turnbull report, corporate risk profiling. Some of the exponents of these disciplines might dispute the risk management legacy, but in reality any effective use of these disciplines must include an element of risk management. However, the use of risk-based techniques is much wider in today's business environment.
For example, at the concept and design stages for a new facility, it is possible to bring all the stakeholders together to consider the inherent risks and to ensure that an effective, working facility is produced for the minimum practical cost.
Equally, the operational functions of a business may depend critically on its buildings' infrastructure. Without sufficient knowledge and control of the risks posed by the infrastructure, it is possible that unrealistic business objectives may be set.
Principles of strategic risk management
Strategic risk management encompasses both of the above examples. It involves matching vision and strategic objectives with current and future operational constraints. It is necessary to begin with a top down approach by questioning the realism of the organisation's vision, aims and objectives.
These need to be served by the strategy, the means by which the organisation sets out to achieve its vision, aims and objectives. This in turn needs to reflect, and be reflected by, its operational activities. The operational activities are in turn subject to many constraints. The commissioning of new operational activities or facilities involves particularly difficult inter-relationships. The result of the whole is a multi-dimensional problem, the extent of which is difficult to comprehend.
Many organisations implement successful strategies at some time during their existence. This may be because of the flair of an individual in a particular situation, or because a particular set of circumstances conspires to produce a favourable business environment. Many organisations mimic others, whose strategies appear to be particularly successful. This can be described as strategic fashion. What is certain, however, is that no organisation manages to maintain a consistently successful strategy. Those praised as an example of excellence only a few years ago inevitably fall from grace. In essence, a successful strategy, without strategic risk management, is largely a matter of luck and is unlikely to remain successful for a sustained period.
In order to come to terms with the complexity of the problem, organisations should consider the risk management implications of each of the facets of the business and their inter-relationships. It is not an overtaxing process, but usually requires some specialist help to get it kick-started.
The overall effects are complementary to business continuity planning (BCP) cited earlier. Because it considers likelihood and impact, strategic risk management can form the basis for an effective BCP programme, without the need to call in further expertise.
After considering each facet of the organisation's business, including inter-relationships with others, in isolation, it is necessary to bring together the people concerned with these different facets. They can then share each others' perceptions of the organisation. Those concerned with vision, aims and objectives, will come to understand the point of view of those concerned with operations, and vice versa. The same will apply to the spheres of strategic implementation and infrastructure. The operational activities, in turn, need to understand each other across their own interfaces.
Only by bringing all these diverse points of view together can there be any improvement in the long-term prospects for an effective strategy.
Business objectives and strategy may define the criticality of various business operations. These in turn may be influenced significantly by infrastructure considerations. In the past, the strategic function has been considered as a linear process, starting with vision, aims and objectives, with each stage designed to support the layer above. At best, it has been treated as a monitoring and retrenching process. In reality, the only way to build a successful long-term strategy is to structure these activities as an iterative process, using a risk-based approach.
Like many risk-based processes, strategic risk management should be established as a live, ongoing activity within the organisation. Business continuity is a function of strategic risk management. Unfortunately, BCP is often restricted to disaster recovery plans. This is because organisations do not realise the ongoing, day-to-day impact of failures. The ideal solution is to establish a strategic risk management capability within the organisation.
Although external, specialist help is almost certainly required to establish the strategic risk management initiative, once established, it should be considered as a normal business function. The use of strategic risk management gives an overall business perspective to operational failures.
This is illustrated by Figure 2.
Because strategic risk management will have determined the impact of the failure and the acceptable limits for a given likelihood of occurrence, it is possible to tailor operational considerations either to ensure that control action is sufficiently timely or that the extent of the failure is reduced to the minimum. If it proves impossible to constrain failures to the operational envelope, the latter may need to be redefined.
Strategic risk management increases cross-organisational understanding.
It helps to ensure that an organisation's strategy can remain successful in the long term. It encompasses business continuity planning and disaster recovery and acts as a focal point for all risk-based activity.
References: [1) G Johnson Rethinking incrementalism Strategic Management Journal 9 (1988).
[2) M Grant Contemporary Strategy Analysis, Blackwell (1995).
Dr Laurence Howe is a risk consultant for Serco Assurance, Tel: 01635 280 342, E-mail: Laurence.Howe@sercoassurance.com.