Business can't be done, and money can't be made without taking on risks. Risk is an inevitable fact of business life. Big things, like expanding internationally or launching a new service, and little things, like remembering to change passwords or lock the front door, all involve proportionate risk. Risk management is avoiding and mitigating risk; it is a key responsibility of any commercial organization's directors, officers and supervisors. There is a school of thought that claims all management is essentially risk management.
There are different categories or classifications of risk. This blog post addresses the broad and significant subject of strategic risk and suggests strategic risk best practices.
All risk management begins with setting objectives, identifying (anticipation) and defining risk, and assigning responsibility (accountability). All risk management also requires continuous evaluation through robust audit, risk and accounting procedures.
What Is Strategic Risk?
Strategic risk is the largest and broadest type of organizational risk. It is the risk derived from the fundamental "big picture" aspects of precisely what a company is, what it is trying to accomplish and how it plans to succeed.
Strategic risk derives from the foundational, essential decisions that are initially and continuously made by a company's founders, directors and top officers. They are risks inherent to an organization's industry, objectives and methods.
A sales organization, for instance, entails different risks than a manufacturing concern. Likewise, a "virtual" (online only) company is subject to risks that a company with a physical storefront is not subject to and vice versa.
There are two types of strategic risk to be concerned with.
- Direct business risk
  - This risk originates from running the business.
  - This risk is derived from the product, service, marketing, sales, costs and other challenges associated with a particular business and particular business methods.
- Indirect (nonbusiness) risk
  - This risk does not originate from operations.
  - This risk is derived from competition, banking (financing) and general positioning, as well as changes in the commercial (including technology) environment that are beyond management's control.
The strategic risk policies companies implement and the strategic risk procedures they follow must be tailored and customized. As a result, strategic risk assessment is not a one-size-fits-all proposition.
What Strategic Risk Is Not
It is helpful to differentiate strategic risk from the other large organizational risk category: operational risk.
If strategic risk concerns the "big picture," operational risk involves the day-to-day parts of running a modern commercial enterprise. Strategic risk comes from external and even conceptual sources. Operational risk is all internal. It encompasses a company's physical, digital (data) and human resources, and the systems it uses to get things done.
There is an overlap in these critical risk areas. Take machines and equipment, for example. The risks associated with long-term machine costs, replacing machines over time and the possibility that they might become obsolete are all strategic risks. These are external issues. By contrast, the fact that a machine will break if maintenance crews don't lubricate it every week is an internal issue and an example of operational risk.
Be aware that one risk category is not necessarily more important than another. Strategic risk processes and operational risk processes should not be carbon copies of each other, but both must be addressed and neither can be neglected.
Managing Strategic Risk
Not all risks can be or should be avoided. Trying to avoid all or most risks is a bad idea that will quickly lead to stagnation and, eventually, business failure.
Opening more locations, expanding into new markets, and adding or changing products and services involve significant strategic and operational risks. But officers and directors must ask themselves, "What is the alternative to such risks?" In today's fast-moving, ever-changing environment, the unfortunate answer is that the company will be overtaken and drummed out of business by more nimble competitors unless some risks are intelligently assumed.
The key is risk management and risk mitigation rather than flat-out risk avoidance. The first step is a complete strategic risk assessment. Most other steps are deciding which risks to take, how best to take them and which not to take.
Directors should make the most informed decisions possible with full knowledge of the potential consequences. Once decisions are made, and a business plan has the green light, their job becomes tasking the implementation — including risk mitigation — and assigning responsibility to heads of the various divisions and departments (as well as other managers).
Finally, conducting constant follow-up through scheduled and spontaneous audits and adhering to accounting best practices is vital.
Strategic Risk Is Everyone's Job
Corporate governance best practices maintain that deciding which strategic risks to assume and which to avoid is the job of the board of directors in concert with top officers. Therefore, strategic planning must be top-down. However, risk is everyone's problem and, therefore, everyone's job.
Accepting risk is the purview of the board of directors. The task of employees — from the CEO on down — is to deal with those risks as responsibly as possible.
Aside from the everyday aspects of running an organization, one of the most important things management needs to do is keep upper management informed of what's happening in the field. The best board in the world can only make proper and profitable decisions with enough information. Communication, like risk, is everyone's job.
Risk Reporting
Strategic risk communication up through the chain of command takes the form of risk reporting. A concise definition is all that's necessary.
Risk reporting means accounting and audit personnel identifying and passing on procedural and practical failures in operational and strategic risk best practices that are (or are likely to be soon) exacerbating risk. For example, when audits fail, systems are inadequate or financial misstatements are uncovered, it's essential to inform the CEO and the board.
In simple terms, risk reporting is the formal way to give the boss bad news.
A Step-by-Step Guide
Our goal at KnowledgeLeader is to make your job easier. That includes the difficult job of risk reporting.
On the subject of strategic risk, we're proud to recommend the Risk Reporting Guide.
The format of this guide is a (20-slide) PowerPoint presentation that we've made adaptable. It can be customized for almost any company — for-profit or nonprofit — in nearly every industry.
The guide extensively discusses 19 specific risk-reporting subjects based on Protiviti's proprietary Business Risk Model. This is the same model (outlined in the guide) that Protiviti uses when consulting with its Fortune 500™ and other clients.
Our Risk Reporting Guide is appropriate for presentation to C-suite executives and any board of directors as well as a company's rank and file. There is no doubt that this is a highly valuable, information-rich resource.