Risk Management is all about managing the uncertainty around achievement of objectives. So all risk assessments should start with the objectives of the organisation, business unit, program, project, process or system that is the subject of the risk assessment. Strategic Risk Management is the management of uncertainty around the strategic objectives of the organisation. Doing this well requires skill, experience and commitment of the most senior people in the organisation.

When I recently read “RIMS Defines an Emerging Discipline – RIMS releases definition for strategic risk management at RIMS 2011 in Vancouver”, I did so with mixed feelings. In the article RIMS described Strategic Risk Management (SRM) as a “growing discipline” and RIMS “emphasizes that SRM represents an important evolution in enterprise risk management”.

I hate to be too critical of an organisation promoting ways to improve managing risk, but I don’t see SRM as an “important evolution in enterprise risk management”. It has been a fundamental element of Enterprise Risk Management (ERM) as long as I have been practicing in the area. ERM is management of risk across, up and down all of the enterprise. How can it not include management of uncertainty of the strategic objectives of the enterprise?

Where I do support RIMS is in their assertion that doing it well does require some degree of specialisation. Yes, the risk management process is the same for all risk assessments; however, gaining the insight and knowledge to assess risk effectively differs from risk assessment to risk assessment. So assessing risk for an IT project requires a different approach to a risk assessment of the strategic objectives of a large multi-national.

When I conduct strategic risk workshops the first issue I explore with participants is whether the strategic objectives they already have are the right ones for the organisation in the first place. We then move on to assessing risk to the agreed objectives. The key tools I use are:

  • Stakeholder analysis
  • PEST (Political, Economic, Social and Technology) Analysis for external environment scanning.
  • Porter’s Five Forces for assessing the competitive threats and opportunities within the industry my client is operating in.
  • Risk Management Partners Building Blocks Analysis which is an internal assessment of the quality of an organisation’s key building blocks, laying the basis for the Risk Management Partners Healthcheck risk management maturity model:
    • Strategy and Performance
    • People and Knowledge
    • Processes and Systems
    • Assets and Liabilities
    • Culture

In my experience these four tools provide a very good understanding of the strategic imperatives for the organisation and reveal whether the strategic objectives already defined are the right ones. They are also excellent for identifying many of the sources of risk (uncertainty) to the achievement of the agreed objectives.

Bryan Whitefield

“demystifying risk”

www.rmpartners.com.au