Strategic Risk Assessment–1/6

2010-07-20 / How to do Risk Assessment / 2 Comments

This is a revised series on the risk manager’s role in planning and strategic risk assessment. Here I discuss risk methodology and establishing the organizational context, including a review of mission statement examples.

Risk Methodology: Techniques to Meet High Uncertainty

Rational planning and risk forecasting are no good — this is the message that Nassim Taleb has recently reiterated. He seems to want to be highly risk-averse in the face of black swan (low frequency, catastrophic consequence) events. But I don’t think rational planning needs to be so extremely discredited, and excessive risk aversion is not the answer.

Despite inaccuracies in forecasts and unpredictable events, we can’t give up planning altogether. Risk managers can use several complementary methods to approach strategic risk assessment. Notice how each of them does require planning, but reduces reliance on a precise forecast of events:

1. Business continuity and emergency planning, of course, strive for preparedness against disaster risk. An all-hazards approach efficiently protects mission-critical functions.

2. Innovation. I believe in the role of the risk manager as innovator to lead a culture of invention, adaptability and flexibility. This is the pro-active identification of opportunity, and supports strategic objectives.

3. High Quality Risk Assessment. We need to check the assumptions underlying conventional forecasting, modeling and probability estimates. High quality risk assessment means identifying risk comprehensively and rigorously within a properly defined context

4. Future scenario planning contemplates extreme yet plausible futures: we can develop options, and improve strategic resilience.

All of these methods start with an exercise in establishing the organizational context, in terms of what I call Strategic Identity.

Strategic Identity

This is a diagram to help define the essence of an organization, as a preliminary step to planning and risk assessment. Notice that objectives do not appear in the model, because they are means to pursue the vision and will vary to suit circumstances.

Mission and Vision

Mission is the reason for being of an enterprise, public or private, describing how the organization is answering a need.

Consider the first few in this list of Fortune 500 mission statements examples.

Many mission statements use hyperbole and vague language (“the best…” “the most progressive…”). The mission statement for Aflac near the top of that page, for example, is a little too vague; it could almost apply to any business. It also states “aggressive strategic marketing” – which is a method towards an end, not the end itself, and so has no place in the mission.

Compare it with the one for Advanced Auto Parts, at the very top of that same page. That mission statement includes mention of the client group, the service staff and the nature of the products and services (“inspire, educate and problem-solve”) in terms that are recognizable and verifiable – without being actual performance measures, and without limiting the methods and delivery channels the firm might use to achieve those things. In other words, a good mission statement will galvanize and focus action, but not limit it.

Distinct from Mission is Vision, which is an eventual outcome, a picture of a future state towards which the organization is striving. If I were to invent one for Advanced Auto Parts, I could say: “A satisfied, diverse, extensive and well-informed clientele enthusiastically engaged with the firm as loyal clients, interested students, business partners and participants in our programs.” I just made this up on the spot, but I tried to make each element of the vision something fairly concrete to strive towards in one or another aspect of the business; it also describes a desired end state.

In the next post I’ll talk about the other elements of Strategic Identity.

Read More

Risk Scenario Analysis

2010-06-17 / How to do Risk Assessment / 0 Comments

It is ironic that future scenario analysis, developed famously by Royal Dutch Shell, was not used when it should have been in that very same industry. AP reported on May 06 that:

“…a site-specific exploration plan filed by BP in February 2009 stated that it was “not required” to file “a scenario for a potential blowout” of the Deepwater well.”

Risk and international business managers could take a close look at risk scenario planning as a way to grapple with black swan risk, defined here in the Barnes and Noble synopsis of Nassim Nicholas Taleb’s book:

“an event, positive or negative, that is deemed improbable yet causes massive consequences.”

Doesn’t that definition, by the way, assume that you were able to at least identify the risk before deeming it improbable? Perhaps the true black swan risk is the one that broadsides you altogether. In any case, the value in future scenario planning is that it sidesteps the necessity to predict. It does not depend upon forecasting.

We all know business continuity scenarios are not like conventional risk management, not only because they deal specifically with disaster and emergency risk, but also because they focus on mission-critical functions, and often take an all-hazards approach. There will be significant areas of overlap in plans to address several different perils.

Similarly, risk scenario analysis is interested in resilience, and starts from a consideration of a core mission. You define the trends with the most significant influence upon that mission, and then create extreme – but plausible – scenarios. The advantage is that you are not relying on one narrow prediction or forecast. You have instead rich scenarios that present conditions that challenge your organization’s survival in different ways.

The team can then plan pre-event treatment, and adjust its plans to meet difficult conditions in something like an all hazards approach.

Risk practitioners point out another advantage to future scenario analysis. It permits a freer discussion than is normally held to identify essential business functions, assets at risk, types of threats, and the longevity and relevance of the organization’s very mission. For example, if the team determines that, in three out of four future scenarios, shifts in industry practice, business models and technology would likely render the core business obsolete, they might well re-evaluate their strategic direction.

I have put in a proposal to RIMS to develop another risk assessment online course [update: Creating Value: Risk Manager as Innovator — up and running], in which I would include a module on risk scenario analysis, using the future scenario planning model.

Read More