Close Sidebar
The Financial Gazette
The Financial Gazette
The Financial Gazette

Input your search keywords and press Enter.

Home Opinions How to take the right level of risk to achieve your strategic objectives?
Opinions
April 27, 2023

How to take the right level of risk to achieve your strategic objectives?

Print
EMail

ALL  organisations must take a certain degree of calculated risk to grow and mature their business.

But how can senior leaders decide which risks are worth taking? To make the right decisions they need to understand the positive and negative impact of each choice they make on their strategic goals & objectives. The only way leaders can truly understand the impact of risk on their strategic plans is to integrate risk management with strategic planning in a GRC tool.

How is risk typically managed?
Most organisations will likely have a risk management programme. They will have a risk register of their most pertinent risks and perform regular risk assessments. They will have defined a system to categorise and rate risks and will monitor them on an ongoing basis. At a basic level this is often done using spreadsheets, and teams from across the organisation will input the relevant data and metrics enabling the risk team to monitor risk exposure.

Lloyd Chirindo is the Enterprise Risk Management Institute of Zimbabwe (ERMIZ) award winner for Risk Manager of the year 2022.

More mature organisations tend to use GRC software to run their risk management programmes. This enables the organisation to create a digital risk register and carry out risk assessments online. Departments can log their risks in the tool and select the preferred rating & categorisation. Once risks are logged, risk teams can use automated control monitoring techniques to monitor the level of risk against KRI’s, KPI’s and SLA’s. They do this by feeding in live transactional & operational data into the risk management tool via API’s enabling them to set rules based on the data. GRC tools offer the capability to implement detailed risk treatment plans to address problem areas. More advanced risk teams use the tools to monitor the upside of risk and investigate the positive outcomes if they were to take a particular decision. To get a handle on how successful your risk management programme really is, you need to link risk to enterprise performance data. This is usually done by pulling data from other systems & sources into a GRC tool.

But what about strategy?
Strategy is often not considered when setting up a risk management plan as most strategies start and end in the boardroom. Many organisations will have a top-level strategy that comprises of a mission statement and a series of strategic goals and key objectives. But many organisations struggle to cascade strategic plans throughout the organisation, let alone understand the potential risks to achieving their strategy.
Organisations who are serious about turning their strategy into reality tend to use strategic planning tools to bring their strategy to life. These tools enable organisations to break down their top-line strategic goals & objectives into a series of smaller programmes. Each task is allocated an owner, timeline, budget, and KPIs. As information is entered, and tasks are completed, progress can easily be tracked at all levels of the strategy. Automated control monitoring is used to flag missed deadlines and incomplete actions. When tasks are completed, automated workflows notify the individual in charge of the next stage of the strategy so they can progress with the next task. These tools make it easy for employees at all levels of the organisation to understand the part they play in achieving the organisations strategy.

How to integrate risk & strategy?
These two methods to manage risk and execute strategy plans sound great in isolation, but how should organisations go about integrating the two functions to build a more comprehensive view of risk?
The logical first step would be to use a GRC tool that offers both risk management and strategic planning in the same platform. It is only by using one coherent framework that these areas can be successfully mapped and provide organisations with sufficient data to understand the correlation between both functions.

Organisations would build their digital risk register in the tool, and as part of the framework specific categories would be added to identify ‘strategic risk’. These risks would be monitored in the same way as other risks, by collating data and setting controls to monitor risk exposure. Similarly, your strategy would be entered into the tool and broken down into the relevant projects, tasks and actions and you would add timelines and budgets and allocate ownership for each action. During this phase, teams would also be given the option to add any potential risks to achieving each stage of the strategy and these would appear as strategic risks in the risk register.

Once the data is entered and risks are captured, the software’s’ reporting capabilities will do the rest. Teams will have the visibility to understand which potential risks could impact their strategic plans and their likelihood and criticality. Using the real-time reports & dashboards, teams will be able to analyse and explore risk impacts through quantitative risk analysis techniques to quickly understand risks that directly impact their strategy.
In short, risk should not be viewed solely as a potential constraint or a challenge to setting and carrying out a strategy.

Exploring both the positive and negative outcomes of risk will open up potential opportunities that may have gone unnoticed if they were not explored. Risk gives rise to strategic opportunities and aligning risk management with strategic goals & objectives provides the business intelligence needed for management teams to successfully pursue them, while being well informed of any potential risks. By Lloyd Chirindo

Chirindo is the Enterprise Risk Managment Institute of Zimbabwe (ERMIZ) award winner for Risk Manager of the year 2022.