Lloyd Chirindo
All organisations must take a certain degree of calculated risk to grow and mature their business. But how can senior leaders decide which risks are worth taking? To make the right decisions, they need to understand the positive and negative impact of each choice they make on their strategic goals and objectives. The only way leaders can truly understand the impact of risk on their strategic plans is to integrate risk management with strategic planning in a Governance, Risk, and Compliance tool.
How is risk typically managed?
Most organisations will likely have a risk management programme. They will have a risk register of their most pertinent risks and perform regular risk assessments. They will have defined a system to categorise and rate risks and will monitor them on an ongoing basis. At a basic level, this is often done using spreadsheets, and teams from across the organisation will input the relevant data and metrics enabling the risk team to monitor risk exposure.
More mature organisations tend to use GRC software to run their risk management programmes. This enables the organisation to create a digital risk register and carry out risk assessments online. Departments can log their risks in the tool and select the preferred rating & categorisation. Once risks are logged, risk teams can use automated control monitoring techniques to monitor the level of risk against KRI's, KPI's and SLA's. They do this by feeding in live transactional and operational data into the risk management tool via API's enabling them to set rules based on the data. GRC tools offer the capability to implement detailed risk treatment plans to address problem areas. More advanced risk teams use the tools to monitor the upside of risk and investigate the positive outcomes if they were to take a particular decision. To get a handle on how successful your risk management programme really is, you need to link risk to enterprise performance data. This is usually done by pulling data from other systems and sources into a GRC tool.
But what about strategy?
Strategy is often not considered when setting up a risk management plan as most strategies start and end in the boardroom. Many organisations will have a top-level strategy that comprises a mission statement and a series of strategic goals and key objectives. But many organisations struggle to cascade strategic plans throughout the organisation, let alone understand the potential risks to achieving their strategy.
Organisations who are serious about turning their strategy into reality tend to use strategic planning tools to bring their strategy to life. These tools enable organisations to break down their top-line strategic goals & objectives into a series of smaller programmes. Each task is allocated an owner, timeline, budget, and KPIs. As information is entered, and tasks are completed, progress can easily be tracked at all levels of the strategy. Automated control monitoring is used to flag missed deadlines and incomplete actions. When tasks are completed, automated workflows notify the individual in charge of the next stage of the strategy so they can progress with the next task. These tools make it easy for employees at all levels of the organisation to understand the part they play in achieving the organisations strategy.
How to integrate risk and strategy?
These two methods to manage risk and execute strategy plans sound great in isolation, but how should organisations go about integrating the two functions to build a more comprehensive view of risk?
The logical first step would be to use a GRC tool that offers both risk management and strategic planning in the same platform. It is only by using one coherent framework that these areas can be successfully mapped and provide organisations with sufficient data to understand the correlation between both functions.
Organisations would build their digital risk register in the tool, and as part of the framework specific categories would be added to identify 'strategic risk. These risks would be monitored in the same way as other risks, by collating data and setting controls to monitor risk exposure. Similarly, your strategy would be entered into the tool and broken down into the relevant projects, tasks and actions and you would add timelines and budgets and allocate ownership for each action. During this phase, teams would also be given the option to add any potential risks to achieving each stage of the strategy and these would appear as strategic risks in the risk register.
Once the data is entered and risks are captured, the software's reporting capabilities will do the rest. Teams will have the visibility to understand which potential risks could impact their strategic plans and their likelihood and criticality. Using the real-time reports and dashboards, teams will be able to analyse and explore risk impacts through quantitative risk analysis techniques to quickly understand risks that directly impact their strategy.
In short, risk should not be viewed solely as a potential constraint or a challenge to setting and carrying out a strategy. Exploring both the positive and negative outcomes of risk will open up potential opportunities that may have gone unnoticed if they were not explored. Risk gives rise to strategic opportunities and aligning risk management with strategic goals and objectives provides the business intelligence needed for management teams to successfully pursue them, while being well informed of any potential risks.
Chirindo, Pro.Dir, Cr. FrA, Risk Leader of the Year-African Region (2023) awarded by Enterprise Risk Management Institute of Zimbabwe [ERMIZ]
Leave Comments