Risk Management strategy

How to create value from mitigating Strategic Risks

Brexit is a great example of a 'known unknown' strategic risk, but all too often strategic risks are given overly-simplistic mitigation activities. However, through meaningful consideration, strategic risk mitigations can be quickly transformed from costly activities to material value drivers.

One of my wife’s favourite stories to tell about my fascination with whiteboards starts on the weekend after the Brexit result was announced.

Instead of doing my familial duty and spending time with her sister who had taken the short trip over to London from Australia, I locked myself away in the study and was furiously whiteboarding on how the UK’s decision to leave the EU would impact businesses across Europe.

Whilst I came up with some fairly bizarre theories, the one I settled on was Rumsfeld’s maxim of ‘known knowns’ and ‘known unknowns’, and I set about devising a narrative as to why organisations should address the strategic risk posed by Brexit through tackling the ‘known unknowns’.

A proposed definition for strategic risk

In my world, strategic risk is:

  1. Anything that could get in the way of an organisation’s ability to deliver its strategy; or,
  2. Something that changes in the macro environment which impacts the assumptions upon which an organisation operates.

Brexit is a great example of a strategic risk event, manifest across a whole geography – not only does it have the potential to frustrate organisational strategies, it could result in a seismic shift in the macro commercial environment.

My message to clients was that businesses shouldn’t waste time speculating on the nature and extent of the risk event (i.e. what could change as a result of Brexit), but instead should focus on mitigating the impact of those unknown risk events through (amongst other things) identifying relevant suppliers, customers and deals, collating relevant data and mapping potential vulnerabilities and dependencies across the value chain.

This wouldn’t have any sort of impact on what the government would negotiate (the risk event), but could absolutely help reduce the impact of any such changes on the organisation, or at least its ability to triage and respond to those changes.

However, what was truly fascinating was the lack of organisational investment (irrespective of industry) directed at the strategic risks posed by Brexit – the generally accepted approach by the vast majority of the organisations I spoke to was to ‘wait and see’.

Is there any merit in ‘wait and see’?

Whilst this state of affairs surprised me, most people would probably find it pretty obvious:

There aren’t many executives keen on going in front of a demanding board and requesting a stack of cash to fund a set of activities to solve a problem which hadn’t been fully defined, and which they couldn’t guarantee would fix the problem once it was defined.

As a part of a considered strategic response to Brexit, ‘wait and see’ may prove to be a hugely efficient and cost-effective approach. Equally, we may end up with organisations running around in an expensive frenzy closer to exit-date to get their house in order.

Either way, my problem with this assessment is that it assumes that ‘mitigation’ activities are zero-sum and that their value is relative only to the specificity of the risk that they are designed to address.

It takes a defeatist approach to risk management and relies on the false assumption that there is nothing we can do to meaningfully mitigate strategic risks.

A potential approach to mitigating strategic risk

Whilst we may not be able to mitigate the likelihood or nature of a risk event (i.e. a change in national legislation), it seems rash to believe that nothing can be done to identify or mitigate the risk impact.

Few organisations will do ‘nothing’ to mitigate a strategic risk, but sometimes (particularly abstract) risks can be assigned an over-simplified set of mitigating activities.

For example the strategic risk of a ‘change in government legislation’ could be assigned a mitigating activity along the lines of ‘proactively reviewing government white papers and policy statements’.

Now, there is nothing wrong with this as a spot of basic good practice, but by applying experience, industry knowledge and sensible educated ‘hypotheses’, it wouldn’t take much to narrow down a set of more meaningful activities which could materially mitigate the impact of known unknown risk events.

A basic approach could include:

  1. Identify strategic risks and draw up a list of the risk events and impacts which are ‘known’ and which are ‘unknown’.
  2. For the events and impacts which are ‘unknown’ leverage organisational and industry knowledge to build up a framework of areas that a strategic risk event would impact – specificity can be dependent upon your level of certainty and available information.
  3. Identify factors which could enable the organisation to increase the speed and effectiveness of its response (to changes in an area) and form a current-state assessment of those factors – identify activities to improve those factors.
  4. Review areas, factors and proposed activities to identify points of correlation and ensure coherence of activities in order to maximise value from any investment.

Example: Responding to legislative change in banking

A bank may not know what the regulator or legislator has in store for it over the next few years, but based on the past decade, we could take an educated view that the areas impacted would likely include something to do with customer engagement, reporting or lending practices.

Next, we might identify factors necessary to quickly respond to changes in those areas, such as: (i) being able to change processes quickly, (ii) having high data integrity, (iii) being able to spin up new queries and reports previously unused, and, (iv) being able to communicate policy changes consistently.

Further to a current state assessment we could identify activities to address the strategic risks posed by legislative change through:

  1. Investing in data management to clean up our systems, increase data integrity and the ability to report across an expansive set of queries;
  2. Working to create a people culture which is engaged by change, and is responsive and agile in approaching new challenges; and
  3. Focusing on digitising processes, documentation and forms so that we could rapidly amend terms and conditions, loan documents, or self-assessments without the need for a major change programme.

It is no accident that there are significant commercial and competitive benefits across all of these activities, many of which may already be underway as part of an unrelated initiative.

So why not align these efforts to strategic risks, and transform (perceived) zero-sum activities into material value drivers for the organisation?

Read more at http://www.sykessays.com
