This is Part 5 of the series 'Managing a Strategy into Reality'. The objective of this series is to help organizations execute their strategies for success. It documents what I have learned from implementing and managing Strategy Management processes at international and national companies for over a decade, on 3 different continents. It focuses in particular on the 'soft side' – the 'Art' – of Strategy Management: how to engage an organization in strategy and induce it to support the change it entails. It is not intended as a summary of academic literature on the subject, therefore, but as a “practitioner’s guide” covering what I’ve seen work well and not so well.
The previous Part 4 of the series discussed the objectives of the Strategy Execution phase of Strategy Management, explaining the Strategic Performance Management (SPM) process and how it can be used in support of Strategy Execution. The following Part 5 will introduce Strategic Risk Management (SRM) as another tool for Strategy Execution. It explains how the Strategy Management Team (SMT) can use this tool to guide an organization towards achieving its aspirations.
It would be a mistake for an organization to become solely backward-looking after the development of a strategy and a strategic plan. Things change, after all, meaning that what yesterday seemed like the right thing to do, might no longer be the right thing to do today or tomorrow. Strategy Execution should, therefore, incorporate Strategic Risk Management (SRM), to ensure the organization’s attention is not just directed to what has been, but also to what could be coming. This makes an organization strategically agile, able to deal with the changing nature of its environment and manage pro-actively.
The SRM process and its objectives
During strategy execution there are two kinds of threats to the objectives that SRM should be concerned about. The first set of threats are those to the assumptions on which the strategy and strategic plan were built. If reality turns out to be different from what was assumed, the decisions taken during strategy formulation and strategic planning – where to do business, how to do business there, and how to change the organization accordingly – will need to be reconsidered. The second set of threats are those related to execution of the plan. The more the assumptions underlying the strategy turn out to be correct, the more important it becomes to diligently execute the plan. If something can prevent this in the future, it should be dealt with today.
SRM is about identifying these two kinds of threats and evaluating them for likelihood and potential impact. A threat that has gone through this process of evaluation becomes a 'risk' that can be categorized (low / medium / high; financial / operational / HSE / reputational; et cetera). This facilitates decision making around risk mitigation, i.e. the development and execution of plans that would limit the likelihood of a threat materializing or its impact on the organization if it did occur. Since risk mitigation requires resources, the organization has to decide which risks it wants to see mitigated.
SMT task 1: Building a risk culture
An organization’s senior- and middle-managers – Mid-Management (MM) – should undertake threat identification and evaluation, for the same reason that it should do performance analysis and reporting: only MM possesses the deep insights into the business and specialized knowledge regarding operations that are required for these tasks. By extension, MM should also do risk mitigation because mitigation planning and execution require the same deep insights and specialized knowledge.
It should not be assumed, however, that MM will naturally take responsibility for risk management. It is not uncommon for managers to see gaps between the assumptions and reality as an excuse for deficiencies in progress towards achievement of the overarching objectives, rather than as something they need to manage. The SMT should therefore take the lead in building the appropriate risk management culture at the organization. This means keeping MM aware of the assumptions that underlie the strategy and the strategic plan, and making it aware of the fact that since it is responsible for managing performance it also has to deal with threats to this performance. In practice, this task means (amongst other things):
- Making risk management simple. The SMT should develop tools that make risk management easy for MM. MM should only have to worry about doing risk management, not about how to do risk management. Therefore, there should be guidelines and templates that focus risk management thinking on the two key questions 'What would make my plans obsolete?' and 'What would prevent diligent execution of my plans?'. And there should be a single, standardized way of evaluating the identified threats, applied across the organization. SMT has to lead development and implementation of these guidelines and templates.
- Facilitating risk management communication with the C-suite. Since threat mitigation requires resources, MM should be given the opportunity to communicate with the C-suite on the topic of risk management, such that the risk mitigation expectations of the C-suite can be aligned with the risk management objectives of MM.
- Keeping things positive. It is important that the C-suite understands that risks do not equal 'bad performance'. If anything, it is the opposite. Missing important threats during the threat identification process signals that a manager is not aware of what external and internal factors impact the operations under his or her responsibility, or how exactly. Identifying too many threats means the manager is fully aware but lacks some basic prioritization skills – something the SMT could easily help them with. In the reporting process, managers should therefore not be judged on the number or type of risks they bring forward, but on the mitigation steps they propose and the execution of these.
- Establishing examples of success. Especially in the initial stages following implementation of the SRM process, the SMT should support MM in addressing threats and actively promote success stories. Cases where a risk mitigation plan was put into action, helped the organization to deal with an adverse event and thereby kept it on track to achieving the overarching objectives, should be communicated positively.
A highly effective tool to build the risk-aware culture is 'forecast reporting'. Managers are then not only asked to report and explain differences between achieved and planned performance, but also to report a performance forecast and explain its difference with the planned performance. This incentivizes the manager to be forward-looking, aware of what might happen, capturing new opportunities, and preventing threats from materializing or offsetting their negative impacts on performance.
SMT task 2: Organizing risk ownership
While certain threats can be unique to a particular function, others have the potential to impact multiple functions in the organization. For risks that have the potential to impact multiple functions, the SMT needs to organize risk ownership. This means agreeing who in the organization will monitor and mitigate which threat. Typically, a function such as operations or R&D monitors technological developments; the finance function looks after exchange rates, interest rates, and solvency of customers and contractors; and human resources looks at the local, regional and global developments in labor market supply and demand. The responsibility for monitoring geopolitical developments and other macro indicators is usually handed to the function responsible for forecasting.
There can also be risks that have the potential to impact just one function, but that cannot be (entirely) mitigated by that function. An example is contract non-compliance risk, the risk of a contractor not doing what they have agreed to do. There are usually limits to what the operations function (for whom the contractor might be building an asset) can do to mitigate this risk. A procurement function that evaluates contractors on past performance, or a legal function that sets up the contracts (including the definition of penalties), or a finance function that manages insurance, can often do a lot more.
In all such cases where risk ownership is not intuitively clear, either because a single risk impacts many functions or because a single risk can only be mitigated if different functions work together, the SMT has to coordinate between the functions to ensure risk ownership is established in a comprehensive and transparent manner: all risks are covered and everyone knows what to do.
SMT task 3: Ensuring risk management for strategy optimization
Ultimately, SRM tries to make an organization 'ready for whatever' where it not only has a strategy and a plan to achieve this strategy, but also a deep understanding of the different scenarios that could potentially play out and pre-agreed, ready to roll out plans to deal with each of these alternative scenarios. This, in fact, is ultimate strategic agility and enables the organization to appropriately deal with events, faster than its competitors.
To ensure the risk information is used to optimize the strategy in this manner, the C-suite needs to be involved in the decision-making around risks to be mitigated. For this, the SMT needs to work with MM to organize risk reporting to the C-suite. Just as was the case for SPM, for SRM this communicator role goes beyond collecting, adding up and passing on the risk reports coming from MM. The corporate risk report is similar to the corporate performance report in that it is more than a summation of the reports coming from the functions. For example, a risk to one function might already be mitigated by another function without the first function realizing this, such as when the price of a particular commodity is a threat for one function but an opportunity for another. In this case, the portfolio of the organization has effectively mitigated the risk, meaning it doesn’t have to feature on the corporate risk report although it might feature heavily on the risk report of a function. To the risk analyses done by MM, the SMT therefore has to add an analysis that uses the comprehensive, organization-wide perspective, in order to develop the corporate risk report.
After the C-suite has decided on the risks to be mitigated, the SMT needs to coordinate the risk mitigation efforts with MM. The development and execution of risk mitigation plans is usually a cross-functional exercise, since most activities undertaken by an organization require cross-functional cooperation.
The next article in the series, Part 6, will discuss in more detail the key competencies required for a Strategy Management Team.
The “Managing a Strategy into Reality”-series
Part 1 discussed the necessity of establishing a Strategy Management Team (SMT).
Part 2 reviewed the Strategy Formulation phase of Strategy Management.
Part 3 reviewed the Strategic Planning phase of Strategy Management.
Part 4 reviewed the Strategy Execution phase of Strategy Management, focusing on the Strategic Performance Management process.
Part 5 continued the review of the Strategy Execution phase of Strategy Management, focusing on the Strategic Risk Management process.
Part 6 will discuss the key competencies required for effective Strategy Management.
Part 7 will review the relationship between Strategy and Corporate Culture and explain how Corporate Culture can be managed to support the Strategy.
Part 8 will review whether Strategy Management remains relevant in today’s volatile, uncertain, complex, and ambiguous world.
If you have any kind of feedback, feel free to leave a comment or connect with me on LinkedIn.