Strategic risk: am I doing OK?
--------------------------------------------------------------------------------
Risk and its management have always been implicit in good business practice. Corporate governance, globalization, increasingly competitive markets requiring more risk to be taken to win business, political unrest and terrorism are some of many risk factors in the business environment. Uncertainty, ambiguity and risk are everywhere.
When considering business risk look at the following, amongst others:
business risk: that could prevent corporate objectives from being met;
financial risks: risks to the ability of our initiatives to deliver profit;
project and operational risk: risks in the implementation of strategy;
reputation risks: risks to our reputation which may follow from our activities; and
compliance risks: risks of non-compliance with good corporate governance practices, legislation and regulations.
The traditional approach to protecting and developing shareholder value has been based upon financial risk as defined by economic theory. However, in recent times, a wider view of risk has recognized that economic models of risk and shareholder value need to be moderated by less probabilistic factors such as reputation. Other factors which influence risk and shareholder value include:
Industry characteristics
Characteristics of the organization's decision makers
The process of achieving the organization's goals and the organization's resource base
The quality of strategic response to risk
Given that risk management can contribute to the protection and development of shareholder value, how can an organization tell if it is asking the right questions about its strategic response to risk?
There are well established stages to a risk management process, which are essentially:
1. Risk identification
2. Risk analysis, estimation and evaluation
3. Risk response
4. Risk monitoring
5. Risk reporting and communication.
However, what are the underlying key strategic questions an organization must ask itself if it is to not just manage risk well on a day to day basis but also have a conceptual understanding of the risk background and its current management competence in these areas?
Key dimensions to understanding risk in an organization
There are two key dimensions to the strategic understanding of risk within an organization:
1. The issue of understanding the organizational and personal attitudes to risk which will provide an "attitude and behavior" dimension
2. The business and project risk issues which will provide an "external and internal environment" dimension.
Combining these two dimensions will reveal four very important strategic challenges which, when accepted and satisfactorily met, will give an indication of how well a company is aware of real risk issues and the quality of its responses to those risks.
Do we understand the shareholder value risks of our strategy choices?
Our business choices are likely to increase or decrease shareholder value, so risk managing those choices is very important to protect the expected value and to deflect or out maneuver the inevitable uncertainties, ambiguities and risks which will occur as the business plan rolls out.
Risk management is not an option. It naturally occurs as part of the strategic planning process, like in more advanced applications of SWOT and PEST analyses. So the question is not whether or not it occurs, but how well it is understood and undertaken.
Strategic planning will often explicitly, or implicitly, use well established models for product-market strategies and implicit risk management of the competitive arena. Particularly important here are risks associated with the choice of product and market combinations in which to compete: clearly a market penetration strategy is potentially less risky than a diversification strategy provided that there is still a market to penetrate.
Branding is a high profile risk area at present. A failed brand extension, for instance, can undermine the customer's relationship with the whole brand not just the extension. Recent negative experiences for Royal Mail, formerly Consignia, and British Airways with their change of logo emphasize the risks of branding strategy.
In recent years we have witnessed reputations, like those of WorldCom and Enron, falling overnight. It is clear that there are a number of sources of risk to reputation. For instance, there are a number of threats from stakeholder groups that pose risks to reputation: from customers there is the threat of misunderstanding; from investors, the threat to value; from partners, the threat of defection; from the media there is the threat of exposure, and so on.
"The experience of a previous risk situation and decision can be a particularly important factor in an individual's perception of, and response to, risk"
Traditionally, risk has been associated with hazard or threat. However, modern risk management is moving towards recognizing that risky choices are as much about increasing shareholder value as they are about protecting such value.
Taking four generic strategies in response to risk there can be positive as well as negative responses:
1. While considering avoiding risk look to exploit risk
2. While seeking to transfer risk look for opportunities to share risk
3. Mitigation may, in certain circumstances, be replaced by enhancement
4. Acceptance in the baseline may be replaced, in certain circumstances, by simply ignoring the risk in the baseline.
The important practical implication here for managing risk within the business is to challenge whether chosen strategies are effective given the risk profile of the marketplaces. Have we managed risks to protect shareholder value and exploited those risks which offer potential development of such value?
Do we understand the risks that our structure and processes pose for implementation of chosen strategies?
We may understand the strategic risk of our business choices to shareholder value but a new challenge immediately arises. Is our approach to strategy implementation likely to support our strategic risk-aware choices, or will it adversely affect value creation and protection by the business?
Intuitively, the achievement of objectives will not stand or fall on one risk factor. Superb risk management in new product choices for instance will not be sufficient to ensure overall marketing success. It will, in this instance, be necessary to have diverse project risk management skills in place to ensure full and effective implementation of new product decisions.
A number of risk management maturity models exist. Such matrices suggest processes which, if followed, are likely to result in specific degrees of risk management maturity. The important practical implication here for managing risk within the business is that organizational structures and processes are key to effective risk response.
Is the risk appetite of our business consistent with the risk appetite of our staff?
Risk appetite is not a static concept within individuals. Risk will be perceived as either positive or negative depending upon the circumstances of the decision to be taken. Relationship to a strategic reference point - SRP - will have resonance for the organization, while individual staff will have their own internal SRPs.
Both gender and ethnicity have been found to influence risk perception and decision making under risk. Other factors to include in any analysis of managerial risk taking include framing, mood factors, dispersion of effects, and moral and ethical considerations based on heightened or reduced risk perceptions in consequential and non-consequential evaluations of outcomes.
Risk propensity or perception needs to be understood in a wide context with multiple measures taking account of the differences between organizational and individual risk attitudes and behaviors.
Are we confident that our staff are effective and efficient in reacting to and dealing with risks?
Understanding risk is important but responding to it is critical. We may have structure and processes designed to identify, analyze, evaluate, respond to and monitor risk but are our people willing and able to meet the challenges this brings?
Managerial decisions on allocation of resources are grounded in possible outcomes, likelihood of each of these outcomes, and ambiguity in these payoffs and probabilities. However, when making important decisions, managers rarely use formal risk analysis. Risk management is often ad hoc dependent upon the particular skills, experience and risk orientation of individual managers. Furthermore, corporate risk strategy varies across an organization with the consequence that an integrated approach to risk will need a watching brief company wide.
An important consideration for organizations is how risk is to be dealt with by staff. Do they need a set of competencies or simply an awareness? Who needs what? Clearly, where the move to enterprise wide risk management has begun the establishment of a chief risk officer is often appropriate. Such risk managers will need to combine technical and analytical excellence with an understanding of how risk measures relate to strategic and tactical business choices and decisions.
Managing Risks
Risk is complex, but is at the heart of the creation or destruction of shareholder value. An organization cannot wait for risk to be fully understood before attempting to manage risks.
There are instances of organizations buying in proprietary risk management products, which allow apparent compliance with corporate governance requirements, but which do not strongly influence the day to day risk awareness, mitigation and exploitation of risk.
Such an approach to risk is at the same time both a potential waste of effort and positively dangerous. In addition to adding cost for little benefit over compliance, such an approach can offer a chimera of risk awareness and management with the subsequent potential for overconfidence and negative surprises.
While nasty shocks cannot be completely avoided, for there are indeed some truly random events, it is evident that in many instances it is possible to isolate a set of damaging risks which, should they materialize, may derail the achievement of business objectives and compliance with corporate governance imperatives. Most importantly, an alert approach to risk management will find opportunity in many of the risks which may initially appear to be negative.
News 
Market Data 
Discover 
