Chief risk officer Michael Doyle tells StrategicRISK why businesses need to be very clear on where strategic risk ends and operational risk begins.

Firstly, let’s examine what strategic risks are:

  • They are typically (but not exclusively) external risks and hence difficult to control and prevent;
  • They are typically (but not exclusively) low likelihood but high impact;
  • They should be “future focused” – ie risks associated with strategic direction and how to get there (risks to and of a strategy); and
  • They share the attributes of standard risks (ie they are not inherently undesirable).

There are many definitions of strategic risk – one of the better ones being “Strategic risks are risks that affect or are created by an organisation’s business strategy and strategic objectives”[1].

A recent study by StrategicRISK of heads of risk at ASX100 companies found that 3 of the key “keeps me awake at night” risks, as measured by likelihood, financial impact and time to impact, were the strategic risks of damage to reputation, failure to innovate and a changing competitive landscape.

Taking all the above into account, why is it that, when reviewing strategic risk registers, we as risk management professionals are so often faced with a majority of operational risks?

Key cases in point are people risks (key person dependency, lack of succession planning, an ageing workforce) and systems risks (non-integration of myriad systems, systems that do not support business requirements, vulnerable systems).

Both of these fall directly under the Basel II definition of operational risk: “The risk of loss resulting from inadequate or failed internal processes, people, systems or from external events”. Note also that strategic risk is specifically excluded from that definition, although there is something of a grey area around external events (that will be the subject of another post).

So, how can we educate boards or executive management teams on what a strategic risk is and isn’t?

If we accept that strategic risks have the potential to derail your business, then you should structure a scenario that will resonate with (read: terrify!) your audience.

For a financial institution, this might be the impact of blockchain/peer-to-peer finance, which could, in theory, negate the need for banking middlemen. The collapse of Northern Rock as its funding sources dried up is a real example I’ve used.

For a resources company it might be nationalisation of industries in the politically unstable countries it operates in, and for a healthcare provider it might be changes to Medicare or bulk billing.

If you are one of the lucky ones who has been invited to help guide the development of a strategy early in the strategic planning process, then you should guide the board/executives in identifying the risks to, and of, each strategy.

I have found that scenario-based workshops are the best way to achieve this, as opposed to the more traditional “impact x likelihood” workshops.

Ask the executives (and selected, invited subject matter experts):

  • What could go wrong?
  • How does this measure against Risk Appetite and Tolerance?[2]
  • What is in place to manage this? (I have found that the 4Ts – Tolerate, Transfer, Treat or Terminate – are easily understood.)
  • Is there a gap relative to how we decide to progress, and how do we close it? (treatment action plan)

Another hint is to express this risk exposure across the areas that matter most from a Board perspective – financial and reputational risk – as this will help sharpen their focus.

Many of us will have experienced doing a strategic risk workshop when the strategic plan is already “done and dusted”. My advice here is not to be a risk management fundamentalist and insist that it’s too late because strategic risk assessment should have been done during strategy development, but rather to take the strategy as presented and use the process outlined above as a “reboot” of the strategy.

Finally, as you leave the workshop, ask the Board whether they are happy that they have clearly defined and articulated their expectations around the escalation of operational risks and issues to them.

This should reinforce the following points:

  • The governance structures should ensure that operational risks are dealt with at an operational level; and
  • The Board sets strategy but is ultimately responsible, and must have confidence that it is getting a complete and accurate (even if unpleasant) picture.

[1] Deloitte

[2] If the organisation doesn’t have a Risk Appetite Statement and tolerances identified, then this should be completed first.