As part of my role at various clients I have been responsible to varying degrees for the review, design and facilitation of my clients’ risk management systems. In doing these roles it has always struck me that one system, even within one organisation, does not fit all. Operational, project and programme, tactical and strategic risks all require different responses. It was with some interest then that I read a piece in this month’s Harvard Business Review by Kaplan, the guy that brought us the balanced scorecard.
What was interesting about it was the endorsement that different types of risk need different treatments. He distinguishes different types of risk. Controllable compliance risks are those which should be treated through compliance and control mechanisms. Strategic (preventable) risks should be managed through groups that consider risks and form and deal with risk appetite (the article suggests embedded risk management depending on the nature of the client’s business). The key point the article makes about these risks is that they are wanted risks, that is the company must and should take risk to make its strategy work. The last category are strategic (unpreventable) risks. In this the article categorises items such as natural disasters, changes to business models and macro economic changes. Here the risk treatment is all about identifying the risks, then modelling the impact of them through war-games or sensitivity analysis and then putting in contingency plans.
Now this is all fine and good stuff. The point that struck me most about this though was the point that managing strategic risks is different to managing risks to a strategy. A simple point but a powerful one. The article points out that risk is long term, strategy short term; risk managing about spreading resource, strategy about focusing it; risk is dealing with the negative, strategy about being positive; and finally that risk is about preventing something that may not happen, whereas strategy is about tangible outcomes.
Now I have always linked risk to strategies. The strategy embeds the risk appetite and takes on risk. There are, however, the strategic unpreventable risks that have nothing to do with strategy and indeed are counter to it. It is worth considering, therefore, the article’s typology of risk: operational compliance; strategic preventable; strategic unpreventable.
It seems to me that the one of the few organisational parties that worries about the latter often is internal audit. How do you consider this with your clients?