The following is taken from an interview with the CIMA “Excellence in Leadership“ magazine. To read the glossy version click here.
“Strategic Risk Management – Taking the Long View”
Most companies have risk management processes in place, but there is too much focus on operational risk and not enough on strategic risk, De-Risk’s Keith Baxter tells Mark Stuart.
Strategic risks are, by definition, the risks that could threaten your business strategy. Keith Baxter, who runs De-Risk, a specialised consultancy that provides enterprise risk management solutions across all business sectors, says: ‘Fail to identify the strategic risks and you fail as a business, no matter how well you manage your operational and project risks.
‘For example, you can successfully deliver a new product to market, but if the market has changed while you were designing and manufacturing and no longer wants the product, your strategy will fail. If this is a key new product, such as a car launch for instance, it could spell financial disaster.’
There is also confusion over the difference between enterprise risk and strategic risk. ‘Enterprise risk is the total risk to your business and strategic risk is a subset of enterprise risk,’ explains Baxter. ‘The strategic part is the most important, yet many companies don’t consider it.’
For Baxter, one big problem with identifying strategic risks is that you can’t brainstorm them: ‘You get too much noise and everyone gets distracted by irrelevancies. Instead, capture your business strategy first – write it down and make it specific with numbers and dates. Ensure that it is communicated to the rest of the board, and to at least
two management levels down.
The next step is to break down the strategy into its constituent assumptions – things that need to happen, both externally and internally – to ensure the strategy is met. Focusing on assumptions rather than risks works well, as people are more comfortable discussing positives than negatives.
Show these assumptions to the board and top-level management, and obtain ratings to identify which are “safe” assumptions, “risky” ones, etc. It is also important to test these assumptions by bringing in one or two industry experts to make sure that the board is not falling into the trap of insular thinking.
‘At that point you may start to see patterns – you’ll see where people have consensus on stable assumptions, where they agree that the assumptions are at risk and, most interestingly, where there’s a lack of consensus because different managers are not seeing eye-to-eye.
It’s the assumptions that some people think are safe and others believe to be risky that are the really dangerous ones – they represent risks that would not be identified by any traditional risk process.’
Baxter continues: ‘An effective strategic risk management process must also include escalated project and operational risks that have strategic implications. The danger here is that nothing gets escalated or too much gets escalated and the board can’t see the wood for the trees.
Only risks that have a potential impact on business strategy or require board intervention should be escalated. Everything else should be managed at lower levels in the organisation. To control this efficiently in a large organisation, you will need an automated software tool.’
Baxter sums it up by offering an example of his assumption-based strategic risk management approach in action. ‘We worked on a large government programme which was halfway through a five-year plan. Programme risks were being escalated but senior management perceived everything to be ticking along satisfactorily. We set up a strategic risk assessment with the executive team and in just a fortnight it became clear that the programme was not going to meet the strategic objectives of the department. They re-scoped it and re-launched it two months later and it is heading for a successful outcome.
‘It wasn’t a case of telling the board what we thought their risks were; it was simply a matter of capturing their assumptions and presenting them in such a way that the managers would realise that what they were planning wasn’t going to work. Our approach is about making senior management see the risks within their own strategic assumptions. It’s the purity of the process that gets the message over.’