Reflect on Risks to your Strategy or the Lack of Risks in your Strategy
We recently assisted an organization review its program risks for regular reporting purposes, but also with an eye toward enhancing their risk management methodology and, potentially, their risk posture. At the same time, we’re working with the same organization on a refresh of their multi-year strategy based on new technology developments and, as always, changing requirements.
As we reviewed their existing set of known programmatic risks, we also questioned whether we had also correctly aligned their strategic initiatives to best address their risks. In the end, we did this because we incorporated a Strengths, Weaknesses, Opportunities, and Threats (SWOT) analysis into the strategic planning process. Until that point, however, I had not consciously checked the strategy with the organization’s risks in mind.
Risk management includes avoiding, mitigating, or transferring risks. Each approach requires some determination on risk priority and then an organizational decision, initiative, or allocation of resources. They should be traceable to elements in an organization’s strategy. Here are a few examples:
- If an organization relies on cooperation with a number of external organizations to accomplish its own objectives, the organization may have a corresponding risk of those external organizations later choosing not to cooperate. If this is the case, then an organization’s strategy should include resources dedicated to stakeholder outreach and strategic communications
- If an organization relies on certain technology channels to deliver key messages, the organization may have a corresponding risk from disruptive consumer technologies that, if widely adopted, obviate existing channels while strengthening a new channel that the organization is not using. If that is a risk, then an organization’s strategy might include resources dedicated to identifying emerging technologies with an initiative to establish criteria for determining which technologies are on a consumer adoption horizon. In fact, there’s a large body of knowledge available for this type of evaluation, and a corresponding initiative could be undertaken relatively inexpensively
Conversely, if an organization identifies a risk that cannot be addressed through a strategic initiative, it is also possible that the risk itself is invalid. Rather than assuming that all risks should be traced and managed in the context of an organizational strategy, I suggest using risk management practices as a litmus test for organizational strategy, and vice versa.
If the outcomes of each process complement the other, then both risk management and strategic activities are on the right track.