Hidden Strategic Risk

2013-07-24 / How to do Risk Assessment / 0 Comments

How is it that strategic risk assessment misses the obvious? It seems the most fundamental risks, although right out in the open, are not recognized as risks.

How to Identify Strategic Risk
First, the basic process: As discussed in previous posts, strategic risk assessment should be a review of goals, objectives and corporate values, as expressed in a plan. Risk assessment benefits from a multi-disciplinary round table reviewing the schedule of intended action. The risk lens brings to light the things that may prevent the successful execution of the plan.

Tracing through all stages of the plan, ask the question: What could hinder or prevent the accomplishment of this particular objective? Or: What could compromise the safeguarding of this professional value? In the broadest analysis, it is a matter of identifying phenomena that call into question the strategic direction, approach to a project, or feasibility of a program. The mitigation of such risk involves action on the same scale: to shift the planned direction; to build up one aspect of the business; to attenuate another.

But there is always some unique twist in a risk assessment…

Systemic Risk – Challenging Assumptions

Risk managers should contribute to long range planning and analysis. They can cause planners and modellers to recast their assumptions. In a recent workshop, participants and I were discussing risk assessment of the firm’s strategic plan, and considered wider systemic risk and emerging risk that could undermine the organization.

On the issue of strategic risk, I first draw the reader’s attention to my 6-part series in which I discussed high quality risk assessment and future scenarios; strategic identity; stakeholders; and environmental scan. The essential point in that series is that risk assessment should be part of a complete research and planning process, including methods to deal with “black swan” risks and high uncertainty.

In this post, I want to elaborate on the idea of risk managers questioning assumptions that typically go unchallenged.



Strategic Risk Assessment-6/6

2010-08-05 / How to do Risk Assessment / 0 Comments

This is the last in a series on the risk manager’s role in strategic planning. In this post I describe the integration of the risk methodologies discussed so far.

Complex Enterprise Risk Management Mandate

We saw in post 1/6 that, from the Black Swan perspective, unless we are overstating it, risk-optimized decisions and rational planning are illusory;  redundancy and randomness are better.

But a balanced approach is required. Risk managers will not stop helping to optimize business decisions anytime soon, because people definitely want a risk-based analysis of the investment proposal, project, policy, plan or initiative. Excessive risk aversion can be costly and retrograde.

I wrote a statement today in support of a new Enterprise Risk Management certification:

‘Enterprise Risk Management will prove its value only as long as risk managers persist, with a variety of methods, to challenge assumptions in program plans and projects, and carry out strategic assessment to safeguard the organization’s core values and sustainability.’

That is pretty much the point of this series of posts. ERM presents risk managers with a complex mandate. They must identify and assess near-term operational risk, and in so doing overcome reliance on forecasts whose scope is insufficient, and whose underlying assumptions are not challenged.

They must also cope with the low-frequency/high consequence risk, and even the unknown and unpredictable (black swan). Time frames extending to 30 years are commonplace in infrastructure projects. Furthermore, they are charged with helping to create a risk-aware culture.

I believe it is possible to meet the ERM mandate, but only through a coordinated suite of risk methodologies.

Risk Methodologies

1. Strategic Identity is a model to help define the essence of the organization. It calls for a review of Mission, Vision,  Stakeholders, Corporate Values, Unique Assets and Capacity for Innovation.

2. Targeted Environmental Scan is a better use of your research dollars than generic industry reports, because it investigates your unrealized internal assets, as well as developments in your field.

Strategic Identity, informed by environmental scan, gives you a frame of reference for all strategic planning and risk assessment.

3. Business Continuity and Emergency Planning: this is the classic cornerstone to business resilience. A common problem is trying to identify disaster risk in a standard operational risk exercise – you can’t. You need to run a dedicated session, identify mission-critical functions, and set out mitigation with the help of a specialist.

4. High Quality Risk Identification and Assessment. With so many organizations still reporting dissatisfaction with their ability to effectively assess risk, this needs close attention.

5. Innovation. Arguably, the most important source of competitive advantage. This is not a fringe activity, but critical for the long term viability of the firm. Risk managers are well placed to lead the innovation process.

6. Future Scenarios Planning. Risk scenarios let you expand the planning discussion, explore options, and stress test strategic plans in terms of their underlying dynamics and relationship of forces.


Integrating Risk Management and Corporate Planning

Therefore we recommend a balanced array of risk methodologies. The above listed methods cover the different philosophical approaches; i.e., rational planning and quantification of risk; and preparedness and resilience; adaptability and flexibility, as well as challenging assumptions, creativity and visioning.

Strategic Risk Assessment-5/6

2010-08-03 / How to do Risk Assessment / 0 Comments

This is a series on the risk manager’s role in strategic planning. In this post I describe the unique and complementary functions of two risk methodologies: risk ID and assessment, and risk scenarios.

Risk Identification and Assessment Process

If you think about it, risk assessment is the opposite of defining a business plan or constructing a forecast. Instead of building one fragile model, and placing all of your hopes on it, you are subjecting that single model to critique from 1000 different perspectives. To illustrate:

Consider a multidisciplinary round-table review of draft plans. In risk facilitation, participants consider the plan or proposal through the filters of many criteria, such as risk categories, organizational values, and financial limits.

To identify risk systematically is a form of stress testing, not by inflating variables in a financial model by a given percentage, nor by running Monte Carlo simulations, but by challenging a hundred assumptions – namely, the ones that underlie each element of the plan or proposal.

Thoroughness is built into the process. You are mapping many minds, each with its rich personal expertise and unique point of view, through many “lenses”, all directed to the scrutiny of the plan. If you lead a structured discussion among the right participants, you will identify comprehensively all the critical business risks.

If you share, as appropriate, the resulting risk profile with proponents or stakeholders, and get their input on risk and  mitigation, it is much easier to gain consensus on a plan for action.

Risk Scenario Analysis

Now we come to how to deal with the unpredictable and the unknown. Conventional forecasting tends to tie our fate to one picture of the future. Risk ID will lose its efficacy as time frames extend into the future and uncertainty rises dramatically. Another risk methodology is called for.

In a previous post, I talked about risk scenarios, and the value of this method to pursue robustness and resilience, similar to an all-hazards approach. Pictures of the future that are both plausible and critical serve as a litmus test of draft plans. Scenarios go beyond stress testing, because they consider structural change of the underlying relationship among future forces and influences. This enriches the planning discussion, creates possibilities, and opens up the examination of the long-term feasibility of the firm.

Enterprise Risk Management will continue to demand of risk managers support for planning objectives, including strategic risk assessment for major projects in the long term. Rigorous risk ID in a facilitated session of subject matter experts, as well as future risk scenario analysis, are two essential risk methodologies.

Strategic Risk Assessment-4/6

2010-07-29 / How to do Risk Assessment / 0 Comments

This is a series on the risk manager’s role in strategic planning. In parts 1/6 – 3/6,  I listed risk methodologies, reviewed mission statement examples, and addressed the question “What is an environmental scan?” – all to establish context.

Here I address reasons for poor risk assessment and the importance of risk facilitation skills.

Risk Methodology

Interviews are a common method of risk ID; surveys are also popular, and economy of scale of effort, in particular, recommends them. However, these two techniques commonly encounter methodological problems that invalidate their results.

I believe one reason for the use of interviews is that senior management and executive do not see a risk identification group session as worthy of their time. Organizations beginning an Enterprise Risk Management program will administer, if not interviews, then a survey to get the so-called “top 10 risks”. What can happen is that people responding to both interview and survey questions use very different language, frames of reference, time lines and definitions of risk. The shifting assumptions are not detected when the information is collected and aggregated.

The results of such risk surveys and interviews are not very compelling, and end up on a shelf. I have posted an introductory presentation on how to do risk assessment which quotes 5 studies from 2008 – 2009 in which firms of all types lament their poor risk assessment capability. Here is a screen shot:


I wrote a piece for Canadian Underwriter coming out in September on yet more similar findings in 2010. Essentially, information collected without rigorous risk methodology is not worth the effort.

Risk identification must be done in a wide variety of contexts. Interviews and surveys (if well designed) will continue to be useful. But in many respects, a facilitated round table of subject matter experts is preferred, and it is an important competency for risk managers.

Risk Facilitation

The benefits of a structured discussion with a measured degree of free interaction – provided you establish the context – are quite amazing. As one client remarked, “People need to hear others’ views of risk around common issues.” This is particularly helpful in contexts where you are trying to achieve consensus in complex and controversial topics. I wrote a piece back in 2006 for Risk Management Magazine with a case study of the risk facilitation process.

Formal training in facilitation is good preparation, especially if the subject matter is highly controversial or emotionally charged. If you can chair a meeting and lead a group through a complex agenda, that’s a good start. The crucial difference is that you are carrying out an ordered method, and must meet its requirements.

At the beginning of this series of posts, we listed methods: business continuity and emergency planning; innovation; high quality risk ID and assessment, and risk scenarios. These activities are scarcely possible as solitary research or surveys; they require group sessions. I believe the risk practitioner can facilitate such processes, and transfer this skill to other managers to build organizational capacity.

The next post compares and contrasts two essential risk methodologies:  risk ID and assessment,  and future scenarios planning.

Strategic Risk Assessment-3/6

2010-07-27 / How to do Risk Assessment / 0 Comments

This is a series on the risk manager’s role in strategic planning. The model for risk context described in posts 1/6 and 2/6 – Strategic Identity – needs to be complemented by research.  In this post I describe Environmental Scan as a preparatory step in strategic risk assessment.

The Black Swan author Nassim Taleb’s lamentation is that we suffer from an illusion that the world is comprehensible. Granted, we can’t know everything – but that admission is no substitute for trying.

Research in pursuit of strategic resilience is often of a general nature: a PEST (Political, Economic, Social and Technology) summary; or a précis of economic trends and forecasts. Generalized research is not really sufficient to inform strategic risk assessment.

Environmental Scan

What is an environmental scan?  It is research oriented towards 1. the internal setting; 2. the task environment; and 3. global conditions.

This means turning attention first to an internal review of the firm – precisely to identify the unique assets and competencies mentioned in the last post, as well as “hidden assets” in the form of intangibles and abstract qualities. Many of these might escape a cursory review, but actually be of value – for example, the past experience of employees, or a unique position in the market or supply chain.

The second area is the “task environment” which is the domain of all the firm’s various interactions and stakeholder relations. The third area is the macro or global scene, but is still specific in the sense that you pay attention to developments in your field, and compare cross-jurisdictional practices.

Environmental Scan Template

Comprehensive environmental scan templates and resources are provided in the online course Creating Value: Risk Manager as Innovator. These templates contain:

1. Environmental Scan practice: The who, what, when, and how of a complete environmental scan research process for the organization, integrated with planning.

2. Internal Scan: Listing of 14 internal elements to review as scan targets, in the categories of Assets: e.g., Hidden, Under-Recognized, Not Counted in Financial Statements; Facilities; Processes; People.

3. Task Environment: Plan to conduct scan of stakeholder and firm interactions (see diagram). Stakeholders identified in 6 general categories. Review of  Obligations, Dependencies, Interactions, Deliverables.

Strategic Risk Assessment - Stakeholder Analysis

4. Macro/Sector Scan. Macro and Sector trends set out in many classes and categories.

Methodology: The environmental scan templates aim to identify and assess opportunities for innovation in 5 levels of improvement, from compliance to changing business practice.

Environmental scan is therefore a targeted effort, first, to take stock of the organization itself, then to investigate the trends, interests and motivations of stakeholders. Finally, it gives you sufficient preparation to be able to enter into the strategic discussion and identify crucial risks – and opportunities – in industry developments, social trends, geo-politics, technological innovation, and market shifts.

With the risk context defined authoritatively through Strategic Identity and informed by environmental scan, the risk manager has an excellent basis on which to lead group sessions. Risk manager as facilitator is the subject of the next post.

Strategic Risk Assessment–2/6

2010-07-22 / How to do Risk Assessment / 0 Comments

This is a revised series on the risk manager’s role in achieving strategic resilience. I discussed in part 1 risk methodologies, and establishing context in terms of companies’ mission statements. In this post I address the remaining parts of Strategic Identity: Special Relationship and Values, Unique Assets and Competencies, and process for Innovation.

Stakeholders and Organizational Values

Special Relationship signifies a particular stakeholder or client group that your mission may serve and that therefore is part of the organization’s identity. It refers to the history and unique sorts of connections your organization has with regard to this group. The Vision statement will illustrate the desired future state of this group; i.e., its anticipated evolution.

Values may be less familiar as defining elements of an enterprise. They give character and humanity to the organization, and define how it wishes to engage with the world. Values can take the form of ethical or professional standards, or business rules and operating guidelines, whether required by statute or not. While treated as platitudes, the enactment of values affects the quality of the organization’s contribution to the world. The point in planning is to consider how values contribute to the organization’s reputation, and how they constitute a source of economic worth.

Competencies and Process of Innovation
Unique Assets and Competencies will be: 1. concrete, like certain technologies and associated equipment and infrastructure; 2. less tangible, such as skill sets and intellectual capital; 3. abstract, such as the configuration of the business model or place in a supply chain that gives competitive advantage. Some of these might be so unique and deeply ingrained that they define the character of the firm itself.

Finally, process of innovation is not a fringe activity, but a core competency. It signifies organizational vitality, as these quotes indicate:

“…management innovation has created the most enduring source of competitive advantage.” ~ Gary Hamel

“The ability to learn faster than your competitors may be the only sustainable competitive advantage.” ~ Peter Senge

What the Capacity for Innovation requires is the subject of the online course Creating Value: Risk Manager as Innovator. We suggest that the risk manager is in a good position to facilitate the systematic identification of opportunities to acquire new income streams, and develop new practices and business models. This is now a virtual necessity.

This model of Strategic Identity, which started in the last post with Mission and Vision, might help you to differentiate and better articulate the characteristic elements of your organization. You don’t have to use all parts of the model. Notice that they consist of both content (assets, knowledge) and process – particularly, innovative capacity which signifies adaptability and flexibility.

While all parts of the strategic identity are subject to change, the idea is to set out the relatively stable basis of the firm. The reason for doing so is to give a frame of reference for the wider purpose of this series of posts: to integrate risk assessment and strategic planning. The next post will address environmental scan.

Strategic Risk Assessment–1/6

2010-07-20 / How to do Risk Assessment / 2 Comments

This is a revised series on the risk manager’s role in planning and strategic risk assessment. Here I discuss risk methodology and establishing the organizational context, including a review of mission statement examples.

Risk Methodology: Techniques to Meet High Uncertainty

Rational planning and risk forecasting are no good — this is the message that Nassim Taleb has recently reiterated. He seems to want to be highly risk-averse in the face of black swan (low frequency, catastrophic consequence) events. But I don’t think rational planning needs to be so extremely discredited, and excessive risk aversion is not the answer.

Despite inaccuracies in forecasts and unpredictable events, we can’t give up planning altogether. Risk managers can use several complementary methods to approach strategic risk assessment. Notice how each of them does require planning, but reduces reliance on a precise forecast of events:

1. Business continuity and emergency planning, of course, strive for preparedness against disaster risk. An all-hazards approach efficiently protects mission-critical functions.

2. Innovation. I believe in the role of the risk manager as innovator to lead a culture of invention, adaptability and flexibility. This is the pro-active identification of opportunity, and supports strategic objectives.

3. High Quality Risk Assessment. We need to check the assumptions underlying conventional forecasting, modeling and probability estimates. High quality risk assessment means identifying risk comprehensively and rigorously within a properly defined context.

4. Future scenario planning contemplates extreme yet plausible futures: we can develop options, and improve strategic resilience.

All of these methods start with an exercise in establishing the organizational context, in terms of what I call Strategic Identity.

Strategic Identity

This is a diagram to help define the essence of an organization, as a preliminary step to planning and risk assessment. Notice that objectives do not appear in the model, because they are means to pursue the vision and will vary to suit circumstances.

Mission and Vision

Mission is the reason for being of an enterprise, public or private, describing how the organization is answering a need.

Consider the first few in this list of Fortune 500 mission statement examples.

Many mission statements use hyperbole and vague language (“the best…” “the most progressive…”). The mission statement for Aflac near the top of that page, for example, is a little too vague; it could almost apply to any business. It also states “aggressive strategic marketing” – which is a method towards an end, not the end itself, and so has no place in the mission.

Compare it with the one for Advanced Auto Parts, at the very top of that same page. That mission statement includes mention of the client group, the service staff and the nature of the products and services (“inspire, educate and problem-solve”) in terms that are recognizable and verifiable – without being actual performance measures, and without limiting the methods and delivery channels the firm might use to achieve those things. In other words, a good mission statement will galvanize and focus action, but not limit it.

Distinct from Mission is Vision, which is an eventual outcome, a picture of a future state towards which the organization is striving. If I were to invent one for Advanced Auto Parts, I could say: “A satisfied, diverse, extensive and well-informed clientele enthusiastically engaged with the firm as loyal clients, interested students, business partners and participants in our programs.” I just made this up on the spot, but I tried to make each element of the vision something fairly concrete to strive towards in one or another aspect of the business; it also describes a desired end state.

In the next post I’ll talk about the other elements of Strategic Identity.

