Overview of strategic risk management
In business, every decision involves some kind of risk. In strategic planning, leaders have to manage that risk and craft a solid strategy despite the undetermined future outcomes.
In this article, we'll cover:
- Why risk management is important
- What is strategic risk?
- The two kinds of strategic risk factors
- What is strategic risk management?
- How to identify strategic risks
- What types of strategic risk you should be looking for
- Managing Strategic risk vs operational risk
- How to mitigate strategic risk
- Strategic risk examples
- How to measure strategic risk
- A template for your strategic risk management framework
- A long-term strategic risk management principle
What is strategic risk?
Strategic risk is the probability of the organization’s strategy failing. It is an estimation of the future success of the chosen strategy. Since strategy is a set of clear decisions, strategic risk reflects the aggregate of the risks of those decisions.
At its core, strategic risks affect an organization's overall strategy. They can sometimes be difficult to spot and manage.
This means that particularly at an executive level, leaders and teams need to be able to look for strategic risk and, instead of categorizing them as things to hedge or mitigate, develop the acumen to ask the appropriate questions:
- Are we going to resist this, avoid it or maybe push it away?
- Or do we embrace it, use it as an indicator for the market and take it as an opportunity for a strategic change
Why risk management is important
Organizations that fail to do proper risk management face significant threats. At times, they face existential threats. Kodak was a pioneer in the photography space (they actually filed a patent for one of the first digital cameras), but they lost the digital camera race. Blockbuster made $6 billion in revenue at its peak, but there is only one store left in the world!
MySpace was once one of the dominant social networks until Facebook came along. You could argue that these companies failed to innovate. Maybe, but they also failed to evaluate the threat properly and the risk involved in not dealing with it.
Every great company takes risks.
Smartphones, eReaders, car-sharing services, even natural cleaning products — so much of what we as consumers now take for granted was a brave step, once upon a time. But Apple, Amazon, Zipcar and Method didn’t launch their category-defining products overnight.
These organizations safeguarded their success with a strong risk management strategy. They knew what success would look like, which factors could cause them to fail, what failure could cost them, and how they would respond to obstacles in their path.
Managing strategic risk is an essential activity for all businesses, whether you’re launching an innovative solution to market or just trying to stay ahead of the competition.
Understanding the dangers (however small) and their potential impact (however minor) empowers leaders at different levels to make smart, well-informed decisions.
That’s easier said than done.
Risk management is a dynamic process - it shifts focus as internal and external influences change. It also requires joined-up thinking and communication across an organization.
If you’re tasked with strategic planning and execution within your business, it can seem like an insurmountable task. Yet, armed with the right information, you can help ensure that your organization achieves its goals.
The two kinds of strategic risk factors
Internal strategic risk factors
Every business has strategic objectives and established routines.
Strategic risk relates to the dangers companies face in trying to accomplish their strategic objectives. Even though your plan might seem viable and on track for success, analyzing the strategic risks involved can help organizations identify obstacles (or opportunities) — and address them before it’s too late.
Strategic risks relate to a business’s internal choices, such as product development routines, advertising, communication tools, sales processes, investments in cutting-edge technologies, and more. These all directly impact function, performance, and overall results.
External strategic risk factors
Some strategic risks originate outside the company.
These could apply to the current or projected environment into which products will be released.
It’s often easier to understand strategic risk through real-world examples. For instance, a new type of smartphone might be in high demand today, but economic changes could lead to a drop in commercial interest, leaving the business in a totally different position than it might have expected.
Or a competitor may release a groundbreaking product or innovative service that fills the gap first, creating significant risk to the success of a strategy.
And let’s not forget that technology’s swift evolution could cause a new product to become obsolete within a few months — I’m sure that the manufacturers of wired headphones felt their stomachs drop when they saw Apple had cut the headphone jack.
These types of risks pose a real danger to companies. Investing in a business model with little chance of achieving the envisioned success can lead to severe financial strain, loss of revenue, and damage to reputation.
And none of these are easy to recover from.
What is strategic risk management?
Strategic risk management is the process of recognizing risks, identifying their causes and effects, and taking the relevant actions to mitigate them. Risks arise from inside and outside factors such as manufacturing failures, economic changes, shifts in consumer tastes, etc.
Strategic risk can disrupt a business’s ability to accomplish its goals, break out in the market or even survive. Effective, efficient management puts the power in leaders’ hands to avoid potential obstacles to success and maximize their performance.
One of the first things you need to do to better manage risks is learn to identify them.
Strategic risk assessment- How to identify strategic risks
Recognizing and taking action on strategic risks is vital to mitigate costly problems.
In your strategic risk management toolkit, you’ll need two essentials:
- An in-depth understanding of where your organization stands. This includes your target audience, market sector, competitors, and the environment in which your business operates.
- A clear awareness of your organization’s core strategic goals, from conception to proposed execution.
Gathering data on both areas can take time and investment, but it’s worthwhile to achieve accurate insights into strategic risks.
The more information you have to draw upon, the more likely it is that you’ll be able to implement processes and safeguards that facilitate organizational success.
Teams have a choice of different approaches when identifying strategic risks.
Initiate “What if” discussions
Gather employees from across the business to explore ‘what-if’ scenarios.
By mind mapping risk factors collaboratively — with a mix of perspectives and experiences from different departments — Heads of Strategy, Change Managers and Business Analysts may discover risks they wouldn’t have thought of on their own.
All potential risks are worth considering, no matter how unlikely they may seem at first. That’s why participants should be encouraged to let their minds wander and suggest virtually any viable risk that occurs to them.
It’s best to have a long list that can be reduced through elimination: underestimating risks can lead to businesses being unprepared down the line.
Gather input from all stakeholders
Speak with the whole range of stakeholders and consider their views on strategic risks.
If you consult a wide enough group, they have different perspectives on an organization from your core employees.
Collecting a wide range of perspectives creates a holistic view of risk factors which can prove hugely beneficial when trying to understand the dangers the organization faces.
Their broad awareness of how the company operates can raise unexpected possibilities that need to be factored in.
What types of strategic risk you should be looking for
The specific strategic risks relevant to your business will largely depend on your sector, product range, consumer base, and many other factors. That being said, there are some broad types of strategic risk, each of which should be on your radar.
Let’s demonstrate the importance of regulatory risks with an example.
Imagine an organization working on a new product or planning a fresh service set to transform the market. Perhaps it spots a gap in the industry and finds a way to fill it, yet needs years to bring it to fruition.
However, in this time, regulations change and the product or service suddenly becomes unacceptable. The company can’t deliver the result of its hard work to the target audience, risking a substantial loss of revenue.
Fortunately, the organization had prepared for unexpected regulatory change. Now, elements of the completed project can be incorporated into another or adapted to offer a slightly different solution.
The lesson here?
It’s vital for companies to stay updated on all regulations relevant to their market and be aware of upcoming changes as early as possible.
Most industries are fiercely competitive.
Companies can lose ground if their market rivals release a similar product at a similar or lower cost. Pricing may even be irrelevant if the product is suitably superior. Competitor analysis can help mitigate this strategic risk: businesses should never operate in a vacuum.
Economic risks are harder to predict, but they pose a real danger to even the most well-realized strategy.
For example, economic changes can lead a business’s target audience to lose much of its disposable income or scale back on perceived luxuries.
Customer research is imperative to stay aware of what target audiences desire, their spending habits, lifestyles, financial situations, and more.
Managing strategic risk vs operational risk
Companies face various kinds of risks.
Strategic risks and operational risks are two distinct kinds. While strategic risks originate from both internal and external forces, operational risks stem solely from the internal processes within a business. And they stand to disrupt workflow.
However, the biggest difference between them is the level of the decisions they reflect.
Strategic risks reflect the risk of the decisions at a higher level, where the overall strategic plan is considered. The operational risks reflect the risk of the decisions in a lower level, the operational level, where the execution of the strategic plan is outlined.
Simply put, strategic risk is about what you do, and operational risk is how you do it.
Operational risks examples
Operational risks are critical to consider and must be dealt with as soon as possible. They directly impact a business’s work and can tie in with strategic risks, as the resources, processes, or staff available may be unable to achieve the established goals.
One example of operational risk is outdated machinery. They can cause a slowdown in production, delay completion, and ultimately damage employee morale. In this case, the operational risk might stem from what appears to be a non-critical problem but has the potential to drag productivity down to rock bottom. So the decision of whether to upgrade the machinery should be considered.
Another example of operational risk is a company’s current payroll system. Let’s say they outsource to a small team with a weak reputation purely because it’s a cheaper alternative to working with a more reliable, respected group. But this option could create a higher risk of late payments, processing errors, or other issues with the potential to frustrate the company’s most valuable asset: its employees.
How to mitigate strategic risk
Discuss opportunities and risks separately
This is something that needs to happen before the risk identification process. Mixing in the same conversation potential opportunities and their risks handicaps the opportunity conversation.
You want your people to free their minds, brainstorm ideas, and locate all possible growth and incremental opportunities. Don’t allow that process to shrink and miss out on great opportunities. Discuss risks in a different meeting on a different day.
Distribute resources at the operational level
Once you have decided on your company’s strategy, you’ll have to align every department and person with it.
Allocate your resources in a way that serves your overall strategy to succeed. That means starving certain departments or regions to feed the ones that contribute the most to your strategic objectives.
Mitigating strategic risks is often nothing more than focusing on a great execution of your strategic plan.
Align your incentive structure
Focus on execution takes another form besides resource redistribution.
You have to visit and align with your strategic objectives the incentive structure of your top and middle management. This is a crucial step to executing your strategy because it eradicates internal conflicts.
If your leadership team is rewarded according to an older strategic plan, don’t expect them to take care of your new plan’s risks. They simply won’t have the incentive to do so.
Strategic risk examples
Let’s examine two specific real-life examples of strategic risk. One that happened a little while ago, and one that is still happening now.
Complacency vs Disruption
Before Netflix, HBO Go, Amazon Prime, Disney + and all the other streaming platforms, people used to go to Blockbuster.
In its prime, Blockbuster had over 9,000 locations around the world and became synonymous with movie rental. It had a huge slice of the market share and looked pretty peachy until the late nineties. Until in 1997, when a little company called Netflix came knocking.
At the time, Netflix didn't stream. It simply delivered rentals in the mail for a set fee each month. There were no late fees (which was one of the biggest gripes from Blockbuster customers), and movie delivery was very convenient.
Netflix was a pretty obvious strategic risk to Blockbuster, which needed to manage it somehow. This could also be seen as a clear opportunity for Blockbuster since they were in a position to buy Netflix but refused to do so.
Yes, Blockbuster passed on the $50 Million deal of Netflix and sealed its fate in the process.
This story is still in development, so who knows how it will end.
Uber is known as the company that shook the cab industry around the world, but things are still changing. Uber is a tech company and understands that change happens and risk evolves faster than ever before.
This is why they began investing in self-driving technology early on. At first glance, this seems counter-intuitive since moving in this direction could really upset the thousands of Uber drivers out there, but Uber gets it.
They know that if they do nothing, someone else will sweep in, and soon enough, turn Uber into another Blockbuster story.
Uber is a great example of strategic risk management since they not only have to manage things like implementing self-driving cars, but they have also had to navigate through complex regulatory risks in multiple countries.
They have also faced issues around customer safety, assaults, and constant battles with all kinds of protests and regulatory issues.
How to measure strategic risk
So now you know the strategic risks your organization faces, you need a quantifiable figure to measure them. We suggest two specific tools:
This relates to the amount of equity a business needs to cover any unplanned losses, according to a standard of solvency (based on the organization’s ideal debt rating).
This metric allows businesses to quantify all types of risks related to launching new products, acquiring enterprises, expanding into different territories, or internal transformation. Then, it can take the necessary actions to mitigate against it.
RAROC: Risk Adjusted Return On Capital
This applies to the expected after-tax return on a scheme once divided by the economic capital.
Companies can leverage this metric to determine if a strategy is viable and offers value, helping to guide leaders’ decision-making process. Any initiative with a RAROC below the capital amount offers no value and should be scrapped (sorry!).
Businesses on all scales can utilize both metrics to measure strategic risk, but the stakes will be different for a small enterprise than for a global corporation. The former may never recover from a bad investment, while the latter has a higher chance of weathering the storm.
As a result, companies may use a decision tree to map the possible outcomes of a decision. This enables teams to determine which choices yield which results and prepare for all eventualities. Specific turning points can be identified and handled appropriately.
Strategic risk management strategies
Now you have all the information, you need to capture it in one place: the strategic risk management framework. This is where you bring together all the resources (employees, technologies, capital, etc.) required to mitigate losses caused by internal or external forces.
Exactly how your framework is structured is your choice, but the following is a great strategic risk management template:
- Understand where you are right now. You could use a SWOT (Strengths, Weaknesses, Opportunities, and Threats) analysis, for example. Here you need to know where your organization is, your vulnerabilities, and what threats you face in the market.
- Define your strategy and its goals. This is where you clearly outline the strategy for your organization. Use this battle-tested strategic planning template to build or revisit your strategy.
- Next, key performance indicators (KPIs) should be selected. These can be used to measure success, monitor changes, and explore improvement opportunities over time.
- The next step is to identify those risks which can affect productivity and performance in the future.
These factors may not be as apparent as others. For example, consumers’ changing tastes can be hard to predict but still have the potential to knock plans off the rails.
- KRIs (key risk indicators) should be identified to gauge your business's tolerance to obstacles. Be sure to look ahead at issues that may lurk around the corner, and determine the right time to put mitigating actions into effect.
- The final step is to continually monitor KPIs, KRIs, and their internal processes to chart progress.
Are problems being resolved fast enough? Are target customers’ needs being addressed? Are all essential programs and processes in place? The aim is to stay on track and adapt to ensure you achieve your objectives.
A long-term strategic risk management principle
Managing strategic risk is an ongoing process.
It enables organizations to minimize their danger of experiencing severe losses and, ultimately, failure. It doesn’t guarantee every project will be a success (far from it!), but it will provide all the necessary tools to make better decisions in the long run.
Remember to take your time, even if there’s market pressure to act fast. Trying to rush this process could lead to missed threats or opportunities in your risk analysis. Stay on top of your strategic risk management well into the future, that’s the key to organizational success.
Cascade has integrated risk values that automatically calculate your strategic plan’s risks. Take a tour of our platform or book a demo with one of our strategist experts to help you develop your strategy.