How Risk Management Supports Strategic Planning

Many things support strategic planning. Effective leadership, team building, and a clear vision and mission statement. However, did you ever consider how the risk management process can support strategic planning? If not, that is okay. We have thought about it and discuss the topic in detail in this article.

How Does Risk Impact a Strategic Plan?

Every organization faces risks. Risk is how we typically describe anything that threatens an organization’s ability to successfully accomplish its strategy – to achieve its purpose, grow and/or sustain itself. But it’s not all bad. It’s important to understand that risk, at its core, simply represents uncertainty and uncertainty can manifest either positive or negative outcomes. The missing link is context – if we are only looking for the bad stuff, that’s all we will find.

If we think about the risk management process as the way we identify uncertainties in order to determine their potential impact on the organization, then we have a much more holistic framework. The critical element is creating the proper context: for instance, looking at loss runs and safety trending doesn’t really tell us if we have particular exposure with a strategic initiative, we will need to look at all the things that could impact that initiative such as staffing capacity, financial strength, required supporting systems, etc. If we find negative exposures then we implement controls, and if we find positive opportunities then we leverage them to our advantage.

The processes used by risk management to identify, analyze and manage risk are the right ones to use and can provide tremendous support to the strategic planning process if, and only if, we start with the correct inputs and properly define the parameters of what we are assessing.

A strategic plan is a guide for how an organization reaches its long-term goals and fulfills its mission. Identifying risks is an essential part of that strategic planning process. Unfortunately, most organizations only look at risk and risk management as a way to deal with hazard loss and miss out on leveraging that capability for more holistic strategic purposes. An organization that fails to connect and leverage a risk framework in its strategic planning process is slowing itself down, and worse, setting itself up for failure.

For example, strategic objectives that exceed the organization’s capability, experience, or resources create unnecessary exposure that jeopardizes sustainability. Plans that underestimate the complexity of the project can create risk of cost or time overruns. A failure to consider how new strategies might impact the existing organizational structure, goodwill, or regulatory requirements creates risk of compliance and legal risk. Enterprise Risk Management was intended to help make this connection between strategy and risk.

What is Enterprise Risk Management?

Enterprise Risk Management or ERM identifies potential risks that an organization might face with specific focus on the uncertainties tied to achievement of strategic objectives. Just as we would assess the potential risk involved with a new regulation coming out, starting a new project or signing a contract, we must assess the risk faced in executing our overall strategy. The risks may come from internal or external sources and may include staffing capacity and availability, organizational expertise, location exposure to natural disaster, global financial crisis, competition, corporate scandals and reputation baggage, industry regulations, or ever-evolving technology just to name a few.

When we use an ERM lens to identify, assess and plan for uncertainties to strategy, we create a more intelligent, agile and resilient plan.

The biggest mistake organizations make is thinking that risk management belongs to the risk manager. To correct this, we have to break functional risk management (safety, environmental, insurance, etc.) apart from enterprise risk management which is a holistic business discipline focused on the information and analysis we apply to key decision-making processes. This cannot be accomplished by one or two people.

We use an ERM process to compile and organize data from subject matter experts and leaders across the organization ensuring that the context – the focus of the thing we are trying to assess – is correctly defined. This in when we start achieving Strategic Risk Management.

What Roles are Involved in Strategic Risk Management?

Senior leadership and the board of directions work together to build this discipline. The board is responsible for setting the vision and ensuring the organization stays on course. Leadership is responsible for continually pulling, analyzing and responding to business intelligence as they navigate the organization’s actions based on its strategic plan. This may include scenario planning, risk modeling and internal health assessments to develop strategies for leveraging and mitigating emerging uncertainty.

Ways that senior management can improve ERM and integrate risk management into the organization’s strategic plan include:

• Including regular discussions about strategic risk on the agenda

• Periodically polling its management ranks on new and emerging uncertainties impacting the organization

• Formalizing the integration of risk and strategy capabilities and processes

• Creating a mechanism for identifying, tracking and reporting on strategy-impacting exposures such as attaching a Critical Path descriptor to exposures that meet that criteria

Five Steps to Integrate Risk Management into Strategic Planning

When leadership understands that risk management processes are valuable to strategic planning and are willing to get the right people at the table, then we see the true emergence of an ERM discipline and strategy is more informed and agile. Five steps for effective risk management planning as a part of strategic planning are:

1. Get the Right People at the Table

First and foremost, you need to have the right people involved. Many organizations only allow senior leadership in on the strategic planning process and this is a mistake. While key decisions and final planning happen at the top level of the organization, the process of Discovery (gathering internal and external business intelligence to support planning) requires input from across the organization.

Your risk manager may not be an operations expert outside of their functional role for safety, environmental and insurance, but they are your resident expert on the process for identifying, assessing and recognizing the interconnectedness of risks across your organization – don’t underestimate their value in helping you facilitate that conversation.

2. Define Strategic Context

You cannot properly assess uncertainties with your strategy unless you’re willing and intentional about defining context around each element. In other words, you can’t simply ask your people to tell you what risks the organization has and expect to get good results. Define context like a problem statement – what our risk if we double operations in the next two years; what is our risk if we started doing business in a new country; what is our risk if we close a location or cut staff. These questions will focus your people in the right areas.

3. Plan Enough Time for Discovery

The first place that strategic planning falls down is in pre-planning data gathering and analysis. Don’t shortchange this process. Give your teams plenty of time to do the work. Provide the context and let them pull and compile their input, then engage in workshops for broader discussions to further brainstorm, vet and define priorities around delivering on mission, growing the organization and creating resilience.

4. Connect the Dots between Strategy & Risk

Don’t make the mistake of completing a SWOT and then discarding it. SWOT, PESTLE, SOAR and other similar tools don’t stop with identifying a list in each category. Once done, you then need to connect the dots. Where do we have strengths that support opportunities? These are growth priorities. Where do we have weaknesses that exacerbate threats?

These are survival priorities.

These priorities then need to factor into the strategic initiatives created, showing up as key tactics supporting key initiatives, and sometimes becoming a strategic initiative in its own right.

5. Actively Manage

The second place that strategy falls down is in post-planning execution and performance. You have to remember that every decision made is based on a snapshot in time. Things change. Things change all the time. In order to ensure success, we must actively monitor for emerging risk and opportunity, gauge how those uncertainties affect the plan we have in place and then make decisions on if and how to adjust.

This requires setting and tracking both key performance indicators (KPIs) which track how well we’ve done so far, as well as key risk indicators (KRIs) which give us a heads-up that risk is emerging.

Create efficiency and improve decisions by integrating your risk management process into your strategic planning process. The ultimate goal is to execute on purpose, drive growth and ensure survival of your organization, so make the most of the risk management process you already have to support better strategic planning!