Strategic Risk Assessment-3/6

2010-07-27 / How to do Risk Assessment / 0 Comments

This is a series on the risk manager’s role in strategic planning. The model for risk context described in posts 1/6 and 2/6 – Strategic Identity – needs to be complemented by research.  In this post I describe Environmental Scan as a preparatory step in strategic risk assessment.

The Black Swan author Nassim Taleb’s lamentation is that we suffer from an illusion that the world is comprehensible. Granted, we can’t know everything – but that admission is no substitute for trying.

Research in pursuit of strategic resilience is often of a general nature: a PEST (Political, Economic, Social and Technology) summary; or a précis of economic trends and forecasts. Generalized research is not really sufficient to inform strategic risk assessment.

Environmental Scan

What is an environmental scan?  It is research oriented towards 1. the internal setting; 2. the task environment; and 3. global conditions.

This means turning attention first to an internal review of the firm – precisely to identify the unique assets and competencies mentioned in the last post, as well as “hidden assets” in the form of intangibles and abstract qualities. Many of these might escape a cursory review, but actually be of value – for example, the past experience of employees, or a unique position in the market or supply chain.

The second area is the “task environment” which is the domain of all the firm’s various interactions and stakeholder relations. The third area is the macro or global scene, but is still specific in the sense that you pay attention to developments in your field, and compare cross-jurisdictional practices.

Environmental Scan Template

Comprehensive environmental scan templates and resources are provided in the online course Creating Value: Risk Manager as Innovator. These templates contain:

1. Environmental Scan practice: The who, what, when, and how of a complete environmental scan research process for the organization, integrated with planning.

2. Internal Scan: Listing of 14 internal elements to review as scan targets, in the categories of Assets: e.g., Hidden, Under-Recognized, Not Counted in Financial Statements; Facilities; Processes; People.

3. Task Environment: Plan to conduct scan of stakeholder and firm interactions (see diagram). Stakeholders identified in 6 general categories. Review of  Obligations, Dependencies, Interactions, Deliverables.

Strategic Risk Assessment - Stakeholder Analysis

4. Macro/Sector Scan. Macro and Sector trends set out in many classes and categories.

Methodology: The environmental scan templates aims to identify and assess opportunities for innovation in 5 levels of improvement, from compliance to changing business practice.

Environmental scan is therefore a targeted effort, first, to take stock of the organization itself, then to investigate the trends, interests and motivations of stakeholders. Finally, it gives you sufficient preparation to be able to enter into the strategic discussion and identify crucial risks – and opportunities – in industry developments, social trends, geo-politics, technological innovation, and market shifts.

With the risk context defined authoritatively through Strategic Identity and informed by environmental scan, the risk manager has an excellent basis on which to lead group sessions. Risk manager as facilitator is the subject of the next post.

Read More

Strategic Risk Assessment–2/6

2010-07-22 / How to do Risk Assessment / 0 Comments

This is a revised series on the risk manager’s role in achieving strategic resilience. I discussed in part 1 risk methodologies, and establishing context in terms of companies’ mission statements. In this post I address the remaining parts of Strategic Identity: Special Relationship and Values, Unique Assets and Competencies, and process for Innovation.

Stakeholders and Organizational Values Special Relationship signifies a particular stakeholder or client group that your mission may serve and that therefore is part of the organization’s identity. It refers to the history and unique sorts of connections your organization has with regard to this group. The Vision statement will illustrate the desired future state of this group; i.e., its anticipated evolution. Values may be less familiar as defining elements of an enterprise. They give character and humanity to the organization, and define how it wishes to engage with the world. Values can take the form of ethical or professional standards, or business rules and operating guidelines, whether required by statute or not. While treated as platitudes, the enactment of values affects the quality of the organization’s contribution to the world. The point in planning is to consider how how values contribute to the organization’s reputation, and how they constitute a source of economic worth.

Competencies and Process of Innovation
Unique Assets and Competencies will be: 1. concrete, like a certain technologies and associated equipment and infrastructure; 2. less tangible, such as skill sets and intellectual capital; 3. abstract, such as the configuration of the business model or place in a supply chain that gives competitive advantage. Some of these might be so unique and deeply ingrained that they define the character of the firm itself.

Finally, process of  innovation is not a fringe activity, but a core competency. It signifies organizational vitality, as these quotes indicate:

“…management innovation has created the most enduring source of competitive advantage.” ~ Gary Hamel

“The ability to learn faster than your competitors may be the only sustainable competitive advantage.” ~ Peter Senge

What the Capacity for Innovation requires is the subject of the online course Creating Value: Risk Manager as Innovator. We suggest that the risk manager is in a good position to facilitate the systematic identification of opportunities to acquire new income streams, and develop new practices and business models. This is now a virtual necessity. This model of Strategic Identity, which started in the last post with Mission and Vision, might help you to differentiate and better articulate the characteristic elements of your organization. You don’t have to use all parts of the model. Notice that they consist of both content (assets, knowledge) and process – particularly, innovative capacity which signifies adaptability and flexibility. While all parts of the strategic identity are subject to change, the idea is to set out the relatively stable basis of the firm. The reason for doing so is to give a frame of reference for the wider purpose of this series of posts: to integrate risk assessment and strategic planning. The next post will address environmental scan.

Read More

Strategic Risk Assessment–1/6

2010-07-20 / How to do Risk Assessment / 2 Comments

This is a revised series on the risk manager’s role in planning and strategic risk assessment. Here I discuss risk methodology and establishing the organizational context, including a review of mission statement examples.

Risk Methodology: Techniques to Meet High Uncertainty

Rational planning and risk forecasting are no good — this is the message that Nassim Taleb has recently reiterated. He seems to want to be highly risk-averse in the face of black swan (low frequency, catastrophic consequence) events. But I don’t think rational planning needs to be so extremely discredited, and excessive risk aversion is not the answer.

Despite inaccuracies in forecasts and unpredictable events, we can’t give up planning altogether. Risk managers can use several complementary methods to approach strategic risk assessment. Notice how each of them does require planning, but reduces reliance on a precise forecast of events:

1. Business continuity and emergency planning, of course, strive for preparedness against disaster risk. An all-hazards approach efficiently protects mission-critical functions.

2. Innovation. I believe in the role of the risk manager as innovator to lead a culture of invention, adaptability and flexibility. This is the pro-active identification of opportunity, and supports strategic objectives.

3. High Quality Risk Assessment. We need to check the assumptions underlying conventional forecasting, modeling and probability estimates. High quality risk assessment means identifying risk comprehensively and rigorously within a properly defined context

4. Future scenario planning contemplates extreme yet plausible futures: we can develop options, and improve strategic resilience.

All of these methods start with an exercise in establishing the organizational context, in terms of what I call Strategic Identity.

Strategic Identity

This is a diagram to help define the essence of an organization, as a preliminary step to planning and risk assessment. Notice that objectives do not appear in the model, because they are means to pursue the vision and will vary to suit circumstances.

Mission and Vision

Mission is the reason for being of an enterprise, public or private, describing how the organization is answering a need.

Consider the first few in this list of Fortune 500 mission statements examples.

Many mission statements use hyperbole and vague language (“the best…” “the most progressive…”). The mission statement for Aflac near the top of that page, for example, is a little too vague; it could almost apply to any business. It also states “aggressive strategic marketing” – which is a method towards an end, not the end itself, and so has no place in the mission.

Compare it with the one for Advanced Auto Parts, at the very top of that same page. That mission statement includes mention of the client group, the service staff and the nature of the products and services (“inspire, educate and problem-solve”) in terms that are recognizable and verifiable – without being actual performance measures, and without limiting the methods and delivery channels the firm might use to achieve those things. In other words, a good mission statement will galvanize and focus action, but not limit it.

Distinct from Mission is Vision, which is an eventual outcome, a picture of a future state towards which the organization is striving. If I were to invent one for Advanced Auto Parts, I could say: “A satisfied, diverse, extensive and well-informed clientele enthusiastically engaged with the firm as loyal clients, interested students, business partners and participants in our programs.” I just made this up on the spot, but I tried to make each element of the vision something fairly concrete to strive towards in one or another aspect of the business; it also describes a desired end state.

In the next post I’ll talk about the other elements of Strategic Identity.

Read More

Risk Scenario Analysis

2010-06-17 / How to do Risk Assessment / 0 Comments

It is ironic that future scenario analysis, developed famously by Royal Dutch Shell, was not used when it should have been in that very same industry. AP reported on May 06 that:

“…a site-specific exploration plan filed by BP in February 2009 stated that it was “not required” to file “a scenario for a potential blowout” of the Deepwater well.”

Risk and international business managers could take a close look at risk scenario planning as a way to grapple with black swan risk, defined here in the Barnes and Noble synopsis of Nassim Nicholas Taleb’s book:

“an event, positive or negative, that is deemed improbable yet causes massive consequences.”

Doesn’t that definition, by the way, assume that you were able to at least identify the risk before deeming it improbable? Perhaps the true black swan risk is the one that broadsides you altogether. In any case, the value in future scenario planning is that it sidesteps the necessity to predict. It does not depend upon forecasting.

We all know business continuity scenarios are not like conventional risk management, not only because they deal specifically with disaster and emergency risk, but also because they focus on mission-critical functions, and often take an all-hazards approach. There will be significant areas of overlap in plans to address several different perils.

Similarly, risk scenario analysis is interested in resilience, and starts from a consideration of a core mission. You define the trends with the most significant influence upon that mission, and then create extreme – but plausible – scenarios. The advantage is that you are not relying on one narrow prediction or forecast. You have instead rich scenarios that present conditions that challenge your organization’s survival in different ways.

The team can then plan pre-event treatment, and adjust its plans to meet difficult conditions in something like an all hazards approach.

Risk practitioners point out another advantage to future scenario analysis. It permits a freer discussion than is normally held to identify essential business functions, assets at risk, types of threats, and the longevity and relevance of the organization’s very mission. For example, if the team determines that, in three out of four future scenarios, shifts in industry practice, business models and technology would likely render the core business obsolete, they might well re-evaluate their strategic direction.

I have put in a proposal to RIMS to develop another risk assessment online course [update: Creating Value: Risk Manager as Innovator — up and running], in which I would include a module on risk scenario analysis, using the future scenario planning model.

Read More