All organisations must take a certain degree of calculated risk to grow and mature their business. But how can senior leaders decide which risks are worth taking? To make the right decisions they need to understand the positive and negative impact of each choice they make on their strategic goals & objectives.
The only way leaders can truly understand the impact of risk on their strategic plans is to integrate risk management with strategic planning in a GRC tool. But how can businesses map these 2 functions to ensure alignment and get foresight of the likely impact of the decisions that they make?
In this blog we will explain:
- How organisations can map risk management to their strategic goals & objectives.
- How to successfully monitor the upside of risk to ensure your organisation takes advantage of opportunities.
- How to harness risk data to make strategic decisions.
How is risk typically managed?
Most organisations will likely have a risk management programme. They will have a risk register of their most pertinent risks and perform regular risk assessments. They will have defined a system to categorise and rate risks and will monitor them on an ongoing basis. At a basic level this is often done using spreadsheets, and teams from across the organisation will input the relevant data and metrics enabling the risk team to monitor risk exposure.
More mature organisations tend to use GRC software to run their risk management programmes. This enables the organisation to create a digital risk register and carry out risk assessments online. Departments can log their risks in the tool and select the preferred rating & categorisation. Once risks are logged, risk teams can use automated control monitoring techniques to monitor the level of risk against KRIs, KPIs and SLAs. They do this by feeding live transactional & operational data into the risk management tool via APIs, enabling them to set rules based on the data. If the level of risk is too high, automatic notifications are sent to the risk owners so they can address the problem.
GRC tools offer the capability to implement detailed risk treatment plans to address problem areas. More advanced risk teams use the tools to monitor the upside of risk and investigate the positive outcomes if they were to take a particular decision or risk. These tools also offer a range of reporting capabilities enabling risk teams to drill down into risk data and address problems – advising the board on where budgets & resources and training & policies should be implemented to address high-risk, high-impact areas.
To get a handle on how successful your risk management programme really is, you need to link risk to enterprise performance data. This is usually done by pulling data from other systems & sources into a GRC tool via API integrations. This allows organisations to understand the impact of risk on the overall performance of the organisation in terms of sales, profit, resources, and efficiencies. This enables management teams to ‘take risks’ that will likely have a positive impact on the organisation, and mitigate unwanted risk by allocating budget, resources, and training to target high-risk areas.
But what about strategy?
As you can see from these typical examples of risk management programmes, strategy is often not considered when setting up a risk management plan. Most strategies start and end in the boardroom. Many organisations will have a top-level strategy that comprises a mission statement and a series of strategic goals and key objectives. But many organisations struggle to cascade strategic plans throughout the organisation – let alone understand the potential risks to achieving their strategy.
Organisations who are serious about turning their strategy into reality tend to use strategic planning tools to bring their strategy to life. These tools enable organisations to break down their top-line strategic goals & objectives into a series of smaller programmes, projects, tasks, and actions and allocate them out across the business to various stakeholders. Each task is allocated an owner, timeline, budget, and KPIs. As information is entered, and tasks are completed, progress can easily be tracked at all levels of the strategy. Simple tree views help leaders to visualise progression. Automated control monitoring is used to flag missed deadlines and incomplete actions. When tasks are completed, automated workflows notify the individual in charge of the next stage of the strategy so they can progress with the next task.
These tools make it easy for employees at all levels of the organisation to understand the part they play in achieving the organisation’s strategy, enable leaders to view progress and address problems, and make cascading changes to the strategy simple.
How to integrate risk & strategy
These 2 methods to manage risk and execute strategy plans sound great in isolation, but how should organisations go about integrating the 2 functions to build a more comprehensive view of risk?
The logical first step would be to use a GRC tool that offers both risk management and strategic planning in the same platform. It is only by using one coherent framework that these areas can be successfully mapped and provide organisations with sufficient data to understand the correlation between both functions.
The setup would start in the same way. Organisations would build their digital risk register in the tool, and as part of the framework specific categories would be added to identify ‘strategic risk’. These risks would be monitored in the same way as other risks, by collating data and setting controls to monitor risk exposure. Similarly, your strategy would be entered into the tool and broken down into the relevant projects, tasks and actions, and you would add timelines and budgets and allocate ownership for each action. During this phase, teams would also be given the option to add any potential risks to achieving each stage of the strategy – and these would appear as strategic risks in the risk register.
Once the data is entered and risks are captured, the software’s reporting capabilities will do the rest. Teams will have the visibility to understand which potential risks could impact their strategic plans and their likelihood and criticality. Using the real-time reports & dashboards, teams will be able to analyse and explore risk impacts through quantitative risk analysis techniques to quickly understand risks that directly impact their strategy.
This combined method also enables organisations to explore the ‘upside’ of risk and identify potential opportunities. By considering all possibilities – including both the positive and negative impacts of risk – risk teams can identify potential opportunities and explore the likely outcomes if they take the risk or remain in the current state. There are a whole host of risks that could positively impact the organisation, and leadership need to explore those potential opportunities to make well informed decisions – with full awareness of any possible risks or negative outcomes.
Risk can originate in one part of the entity but impact a different part; therefore, it is important to link ‘risk’ to different business areas and different aspects of the strategy to build a complete picture of the cross-functional impact. Good management decisions are based on a deep understanding of your end goals, as there may be short-term negative impacts but long-term gains.
GRC solutions that bring ‘risk elements’ into the strategic decisions that need to be made very quickly show the value they can generate – both in opportunity and in avoiding costly issues. An entity’s medium and long-term viability depends on its ability to anticipate and respond to change – not only to survive but also to evolve & thrive. Linking risk to strategic goals builds an agile business model that can make fast decisions and implement change at speed, bringing a competitive advantage.
In short, ‘risk’ should not be viewed solely as a potential constraint or a challenge to setting and carrying out a strategy. Exploring both the positive and negative outcomes of risk will open up potential opportunities that may have gone unnoticed if they were not explored. Risk gives rise to strategic opportunities, and aligning risk management with strategic goals & objectives provides the business intelligence needed for management teams to successfully pursue them, while being well informed of any potential risks.
If you are interested in aligning your risk management programme to reflect your strategic goals & objectives, request a demo of the Camms platform. Learn more about the risk management and strategic planning capabilities available within the Camms platform.