Why Integrating Risk & Strategy is So Important

Why Integrating Risk and Strategy Is So Important

Author: Anne Dixon, Managing Partner
Original Publication Date: September 20, 2009 (on The Minerva Blog)

Whether you are in the private or the public sector, it’s been quite a year, from economic challenges to political change. Many organizations are rethinking strategy in the face of these big changes. If you lead an organization or, like me, are part of a strategy or risk function, you know a lot rides on the strategic bets our organizations are now making.

But not all risk is bad; organizations need to take risks to build value, whether through diversification, key acquisitions or strategic divestiture, to name a few options. The trick is to know which risks will have the biggest effect on strategy—and which environmental shifts may provide hidden opportunities with the right strategic adjustment.

If We Already Do Both, Why Integrate?

Integrating risk into the strategic planning process may help to make strategic planning more robust. For example, in some US firms, “strategic” objectives only look a year ahead. However, most of the factors that drive strategic risk, such as political and regulatory change—or the current global economic shift—do not play out on yearly cycles. Good strategic risk assessments look further forward, often employing tools like scenario planning.

On the other hand, linkage to strategy can also help to focus risk activities. Knowledge of where the organization wants to be in five years or so and how leaders plan to get there drives risk assessment and monitoring priorities. In addition, integration with strategy discussions can help to ensure that judgment tempers the results of quantitative risk analyses. Over-reliance on these analyses has been called out as an issue with some of the risk approaches used in the financial services sector prior to last year’s meltdown.

When strategy and risk are integrated, there is a better basis for setting three- to five-year strategic objectives with more concrete annual operational objectives—and risk-based triggers to identify when a course correction is needed. What’s the tangible value? Here are just a few benefits:

Better allocation of resources in a cost-constrained environment
Less “churn” with fewer major decisions revisited
Fewer change management challenges

Why Don’t Organizations Already Do This?

Well, some do. But there are historical and cultural reasons that can inhibit many others from either trying or succeeding.

1. No Shared Vision of Willingness to Take Risk

This is often the critical but missed grounding conversation. Leadership may see the organization as “aggressive” or “conservative” without having explicitly discussed what that means, whether the culture is aligned with the organization’s strategy or where the risk propensity is higher or lower (in R&D vs. Supply Chain, for example). They may not agree on what high or low means, or, more fundamentally, how much risk the organization can take on overall. This is the organization’s Risk Appetite, and it will be the subject of a future post.

2. Fragmented or “Secret” Strategic Planning

Some organizations do strategic planning by unit or function; this is more common when the company has discrete business areas or geographies—but in the face of the global changes many organizations face today, it can be worth considering how to conduct a risk-based review of the full set of strategies.

On the other hand, since strategy is a competitive asset, many organizations restrict participation in its development, an understandable choice that will affect how risk can be integrated into the planning process and who can participate.

3. Fragmented Risk Analyses

This often occurs in siloed organizations—each unit or function catalogues and ranks its own risks, reporting the top risks to leadership. This bottom-up approach can impede strategic risk assessment due to:

A tendency to get stuck at the operational level due to the analysis techniques that are used—often quite appropriately for the level and type of risk of concern to the specific risk owner
Inability to see across risks and identify how one risk might either create or exacerbate another—so-called risk contagion
Inability to calibrate across risks in different parts of the organization
Risk simply being seen as separate from strategy—and not at the same level

How Do Organizations Overcome These Challenges?

Oulixeus has a four-step approach to helping organizations overcome these challenges. Contact us to learn more.