What is strategic risk management (SRM)?

Strategic risk management is the process by which the strategy of an organisation (or a strategic programme) is formally accessed for any risks that might affect them.

You can deliver a project or programme on time, to budget and meet all your declared programme objectives; likewise, all your business operations could be functioning as expected. But if your overall business strategy is ultimately incorrect, the business will be deemed a failure.

Strategic risk management looks at current strategic market trends. It then tries to predict the risks that your current business strategy might face in the future as a result of these strategic trends.

Two people thinking about their Strategic Risk Management

Why is strategic risk management important?

Strategic risks are, by definition, the risks of you not achieving your business strategy. This means that a business which fails to deal with its strategic risks faces failure if those risks eventually materialise.

For example, if a core part of your business’s strategy is introducing a new product to the market, that strategy will be deemed a failure if the market no longer wants that product. And this applies no matter how you define your “customers”.

Few businesses take the time to assess their exposure to strategic risk appropriately — even though it takes relatively little effort to perform a strategic risk assessment and the payback can be huge.

What type of risk is ‘strategic’ risk?

Any risk that is considered to be threatening to an organisation’s strategic objectives is considered a strategic risk.

Strategic risk is sometimes confused with operational risk. Good operational risk management means doing things in the right way. While having good strategic risk management means doing the right things in the first place.

In the example above, your business strategy might be to introduce a new product into the market and the development and delivery of the project might have gone exceptionally well. This suggests good project and operational risk management. But if you introduce the product at a time when the market no longer wants it, then that product would still be deemed a failure and the strategy has failed.

In this case, the blame would be down to poor strategic decisions based on a failure to use appropriate strategic risk management to identify and manage the threats.

Strategic risks essentially come from three directions:

  • Internal risks identified at board level (or equivalent)
  • External risks identified (typically) by external industry experts
  • Escalated risks ie programme and project risks that potentially impact overall business strategy

What is the relationship between SRM and enterprise risk management (ERM)?

ERM is a process implemented by an organisation’s board of directors to identify the risks and manage risks to be within its risk appetite while pursuing its objectives, across the entire business. It is a broad planning process that encompasses internal strategic decision making.

SRM, on the other hand, is a critical part of the overall ERM process. It looks both internally and externally, as good strategy execution depends on external market circumstances as much as it does on internal competencies.

The strategic risk management process: How do organisations manage strategic risk?

There are a number of steps an organisation can take to successfully minimise strategic risk:

  • A good start would be to capture a suitable statement of the overall business strategy. This should be done by the board of directors and needs to be as specific and as quantifiable as possible.
  • Establish key performance indicators (KPIs) to help you measure forthcoming results. Failure to meet — or success of — these KPIs will provide a road map for progress in the future.
  • Establish key risk indicators (KRIs). These are the opposite of KPIs and are proactive rather than reactive. KRIs anticipate risk events that may happen in the future.
  • Once the business strategy, KPIs and KRIs are made clear, they should then be suitably communicated from the board members to at least two levels down within the organisation, or even the whole organisation if you are dealing with a small or medium-sized businesses.
  • The directors should then break down the business strategy into approximately 10-20 assumptions i.e. “What are the key things that need to happen in order to deliver the strategy?”. Then each assumption can be tested for its susceptibility to risk. Looking at assumptions and not ‘risks’ removes much of the negative psychology associated with risk management. Assumption analysis is also a core component of ABCD risk management, which can be applied to strategic risk management.
  • Bring in an external perspective. The process of capturing assumptions is often one which is internal to the company or organisation in question. As a result, the risk managers or risk management team may be “too close” to the risks to notice them. An external perspective can help with decision-making and prevent possible risk oversight.
  • Market trends for specific products being offered.
  • Competitors’ likely strategy, including pricing policy changes. Socio-political shifts or external crises which may impact your business strategy.
  • Macro or microeconomic trends.

Struggling with strategic risk management implementation? We can help.

In order to be successful, every business strategy needs testing against the dynamic of their marketplace.

We work by identifying the key assumptions underpinning a strategy through a series of interviews or workshops with senior management and industry experts to build a strategic risk profile.

After this initial analysis, a number of discrete scenarios can then be developed. Then, using the ABCD-based approach, we analyse each of the assumptions in each of the scenarios. This presents a clear picture of the risks and their potential impact on each scenario, which allows us to adjust the business strategy-setting to prevent the risks from happening, or develop a contingency plan to manage them.

An ABCD-based risk analysis approach can also highlight some of the potential reasons why key assumptions underpinning a strategy may be unstable that may not have been obvious before.

current baseline