The Importance of Identifying Strategic and Operational Risks Early
By Unnat Bak — Chief Strategy Officer @ TABS
We’ve been helping companies and investors feel more comfortable about operating and scaling their ventures with the TABS Score™, so that they do not have to worry constantly about falling prey to the many hidden risks they encounter daily.
Breaking Down ‘Strategic Risk’
Risks are connected to all facets of business life, from the decision to launch a major new product to the open petty cash box. A critical but often ignored component of enterprise risk management (ERM) is strategic risk management. Although ERM has historically concentrated on financial and, more recently, operational risk, the fact of the matter is that strategic risk is far more important.
In-depth research on the largest public corporations suggests that competitive risks account for around 60% of major market capitalization declines. Operational risks have only half that impact (30%), and financial risks account for about 10%.
What is strategic risk?
It may be easier to describe strategic risk by contrasting it with operational risk, with which it is often confused. Good operations mean doing things right, while good strategy means doing the right things. Strategic risk occurs when a company fails to anticipate the needs of the market in order to meet them.
A business that has incredible production processes will still struggle if its goods are no longer wanted by customers. That was the lesson even the most successful buggy whip makers learned in 1908 when Henry Ford unveiled the Model T. When the Apple® iPhone® appeared on stage, cellphone handset makers faced a similar existential crisis.
Strategic risks are those resulting from the strategic decisions taken by the directors about the goals of an organization. Strategic risks are simply the consequences of failing to achieve certain business goals. Some subdivisions of strategic risk are:
· Business risks
Risks deriving from the Board’s decisions on the products or services provided by the company. These include risks associated with creating and selling such products or services, economic risks affecting the sales and costs of products, and risks resulting from changes in the technological environment that affect sales and production.
· Non-business risks
Risks which are not derived from the products or services supplied, for example risks related to the long-term sources of finance used.
Strategic risk levels are related to how the entire organization is placed in relation to its environment, and are not determined purely by the decisions of the directors. Competitor activities may influence product market risk levels, and technological developments can mean that production processes, or goods, rapidly become out of date.
Responsibility for the management of strategic risks
Strategic risks are determined by Board decisions on the organization’s priorities and course. Therefore, the board's strategic planning and decision-making processes need to be comprehensive. The United Kingdom's Cadbury report recommends that directors set a clear schedule of matters reserved for their decision. These should include major acquisitions and disposals of assets, investments, capital projects and treasury policy.
To take strategic decisions effectively, boards need sufficient information about how the company is doing and about the relevant aspects of global, financial, and technical conditions. To evaluate the variety of strategic risks the organization faces, the board needs to have a wide vision; therefore, governance studies suggest a board that combines expertise, knowledge, and experience.
Furthermore, even if the board follows best practice in corporate governance on strategic decision-making processes, this won’t necessarily guarantee that the directors make the right decisions.
The serious problems faced by the UK’s Northern Rock bank, for example, were not caused by a lack of formality. Northern Rock’s approach to risk management was in line with banking regulations, but its policy was based on the assumption that it would be able to access the funds it needed continuously. In 2007, the global credit crisis that resulted from problems on the U.S. subprime mortgage market threatened its funding, and the UK government took action to save the bank.
Managing strategic risk
Strategic risks are often risks that companies may have to take in order to grow, and even to survive, in the long run. The risks associated with developing a new product, for example, can be very significant: the technology can be unknown, and the competition the company faces can severely limit sales. The alternative strategy, however, may be to remain in mature markets with goods whose prices are stagnant and inevitably likely to fall.
An organization can recognize other strategic risks in the short term but take action over a longer timeframe to reduce or eliminate those risks. A good example of this kind of risk is fluctuation in the worldwide availability of a main raw material used in a company’s output. Because the problem may be global, the company may not be able to avoid it in the short term by changing supplier. Nevertheless, it could reduce or eliminate its reliance on the commodity by redesigning its production processes over the longer term.
Strategic risk management is the method of recognizing, quantifying and minimizing any risk that affects or is inherent in the business strategy, strategic objectives and implementation of a company’s strategy. Those threats could include:
· Changes in consumer demand and expectations
· Legal and regulatory reform
· Market pressure
· Merger convergence
· Technological changes
· Senior management turnover
Strategic risk is a bell curve
As with any risk, strategic risk falls along a classic bell curve, with outcomes along the x-axis and probability along the y-axis. A given strategy’s expected outcome corresponds to the peak of the curve. Some strategic planning takes only this peak into account while overlooking the cliffs to either side.
Yet imagine two strategies, each with a similar anticipated outcome. One falls along a narrow, steep curve, which indicates a low risk of failure and a small potential for upside. The other is represented by a broader bell, with higher chances of both underperformance and overperformance. Which one to pick? The answer depends upon the risk appetite of the individual company.
Shifting the curve
Now imagine a third curve with the same expected outcome. This one rises steeply from the left but slopes downward more softly to the right. Here, the chance of downside is reduced and the prospects for upside are increased. That is the goal of strategic risk management: shaping the curve in a manner that encourages success.
Measuring strategic risk
You cannot control what you can’t measure, as the saying goes. So, to understand how to handle strategic risk, we’ll start by exploring how to quantify the risk. A key tenet of ERM is measuring risk with the same yardsticks used to measure results. In this way, businesses can measure how much inherent risk their projects contain.
You can measure strategic risk using two key metrics:
Economic capital
Based on a prescribed solvency principle, economic capital is the amount of equity required to cover unforeseen losses. This level is usually derived from the target debt rating of the company. Economic capital is a common currency with which any risk can be quantified. It uses the same criteria and assumptions used in determining the value of the company, making it ideal for strategic risk.
Risk-adjusted return on capital
Risk-adjusted return on capital (RAROC) is the estimated after-tax return on an investment divided by economic capital. When RAROC exceeds the company's cost of capital, the project will be sustainable and add value. When RAROC is less than the cost of capital, value will be lost instead.
Some steps to manage strategic risk are:
Define your business objectives
There are several methods widely used by organizations to execute strategy, ranging from simple SWOT analysis to the more complex and holistic Balanced Scorecard. Nevertheless, the one thing these structures do have in common is their failure to address risk. So it is important that companies take additional steps at the planning stage to manage risk.
Establish your key performance indicators
The best KPIs provide guidance on the levers that the company should pull to effect change. Overall sales thus make a poor KPI, while per-customer sales allow the company to drill down for answers.
Identify risks that affect your performance
These are the unknowns that will dictate outcomes, such as future customer demand.
Establish key risk indicators (KRIs) and tolerance levels for risks
While KPIs measure historical performance, KRIs are leading, forward-looking indicators designed to anticipate potential roadblocks. Tolerance levels serve as triggers for intervention.
Breaking Down ‘Operational Risk’
Operational risks significantly impact a firm’s credibility and financial stability. A lack of strong plans for risk mitigation leads to a range of operational problems, which in turn lead to organizational management crises. That’s why many companies have started to devote substantial resources to developing a more comprehensive risk-management system.
Contemporary businesses are especially interested in developing business strategies which align with the evolution of risk. Typically, the process begins with an assessment of the variables that can give rise to challenges, with a focus on both existing and future business goals.
Organizations must ensure that controls are in place at the first, second and third stages of risk-evolution. The earlier in the risk journey the controls are developed, the more successful the mechanism for risk identification and mitigation is.
While boards need to integrate strategic risk analysis in their decision-making, there is a danger that they will concentrate excessively on high-level plans and ignore what is happening in the company ‘on the ground.’ When production is interrupted by machine malfunction, key personnel leave because they are frustrated, and sales are lost due to poor quality of the product, the company may end up in serious trouble before all the exciting new plans can be introduced. These are all operational risks: risks associated with the organization’s internal resources, infrastructure, procedures, and staff.
If these are not prevented, certain operating threats can have serious impacts. The failure to receive material sent by mail, because it was not sent by a secure method, is a good example of an operational risk. For the UK Government tax authority, HM Revenue & Customs (HMRC), this operating risk materialized. In October 2007, 25 million people’s personal data, stored on two CDs, were lost in internal mail. The loss of these CDs resulted in the resignation of HMRC chairman Paul Gray due to the ‘substantial organizational failure’ of the organization.
What happened to these CDs is an example of an operational risk that has a serious impact if it materializes even once. Other operating threats, if they only arise once or twice, may not have serious financial (or other) impacts. Nevertheless, if they are not dealt with efficiently, they can result in quite significant losses over time if they materialize regularly. A good example of the latter would be the risk that security measures at a factory may not be enough to deter burglaries. The effect of a single burglary may not be very great; the effects of frequent burglaries may be more important.
Responsibility for the management of operational risk
The board can’t handle all the operating risks on its own. It is, however, responsible for ensuring that control systems are able to handle operating threats adequately.
A risk committee may be set up by the board to track disclosure, actions taken and threats that have materialized. The risk committee is likely to determine overall operating risks across the company and decide which risks are most relevant and what steps should be taken to combat these risks. This may include setting goals for control systems and liaising with internal audit to ensure that these risks are covered by audit work.
The risk committee may be supported by a risk management function, which is responsible for setting a risk management structure and policies, promoting risk management through information provision and training, and reporting on risk levels.
Managing the operating risks in their field is a key part of the duties of line managers. As well as ensuring that particular risks are adequately handled, managers will be concerned with their local work environment and will contend with circumstances that may result in risk materialization. They may need to determine, for example, whether employees work excessively long hours and are more likely to make mistakes as a result. They will also provide senior managers with information to allow them to determine the risk situation over the company as a whole.
Ultimately, workers must be responsible for taking steps to control operating risks. Nevertheless, it is the duty of senior management to ensure that workers collectively have the expertise, skills and understanding required to operate internal controls effectively.
Management of operational risks
What the most significant strategic threats are, and how critical they are, can be fairly obvious. Yet due to the number and variety of operational risks, accurate analysis of operational risk can be more difficult, and can require evidence from a large number of different sources.
A key distinction in describing different types of operating risk is between high-impact, low-probability risks and low-impact, high-probability risks. Managing risks with low probability but severe impact may well require compensation arrangements, such as a sporting venue insuring against revenue loss incurred by cancelling an event. Alternatively, the company may have a contingency plan in place for other threats, such as the availability of alternate information technology facilities where there is a major system failure.
The safeguards put in place to deal with low-probability, high-consequence threats should usually be designed to prevent the risks from materializing. Preventive measures would be considered appropriate, for example, to reduce the risk of toxic chemical emissions.
On the other hand, threats that sometimes materialize but are unlikely to have a significant impact if they do may be handled by controls that identify or correct problems as they occur. Such controls often reduce risks, rather than completely eliminate them.
Some examples of operational risks are:
No company is immune to operating risk. At any time, risk may emerge in any business activity or procedure from internal process failures or discrepancies, human errors, system failures, or external risks posed by consumers, suppliers, natural disasters, regulatory changes or geopolitical shifts. Operational risk may include legal risks, risks to human capital and physical assets, or risks to the firm’s bottom line. Strategic and reputational risks are not usually included in the concept of operational risk, but can be adversely affected if operational risks stay unchecked for too long.
For many years, the financial industry has been at the forefront of operational risk management, but all companies stand to benefit significantly from a better approach to defining and coping with operational risks. Consider the following examples of risks common across industry verticals:
· A capital expenditure does not receive appropriate approvals because it has been rushed through ad hoc procurement procedures
· The sudden dismissal of a rogue employee does not follow a specified list of steps, so that the offender still has access to critical business systems after being escorted from the premises
· An HR Director inadvertently sends out a table of employee names, addresses and social security numbers
· A receiving inspection step was skipped, and low-quality raw materials created a safety problem for the customer
· Failure to follow appropriate protocols when a plant production line needs repair results in an environmental catastrophe and major regulatory fines
· Maintenance workers are not given adequate notice when diagnostic equipment needs to be recalibrated, and life-threatening actions are taken based on incorrect readings
Risk Assessment
The effect of the threats varies. They can result in the company paying huge legal fees and fines, wasting money on repeated transactions, suffering serious loss of control over the company’s books and records, and facing risks to the health and safety of employees and customers. The level of risk tolerance often varies according to prevailing industry conditions. As the first step towards continued reduction of operating risk, a company should regularly evaluate the threat horizon for all expected threats.
When you are doing a risk assessment, the focus should be on the following things:
· Risk recognition by category (physical safety, data security, reduction of expenditures, health and safety, safety and quality of goods, etc.)
· Rating of hazards by predicted incidence and effect severity. Historical data plays an enormous part in correctly rating risks.
· Suggested mitigation plan. Start by brainstorming the options. Guided by the severity and frequency ratings, you’ll find it easier to figure out where to assign your resources for risk reduction.
An industry standard risk assessment like the TABS Score™ is an excellent, cost-effective tool that can provide a holistic risk assessment, complete with a detailed action plan to address the risks it identifies. Feeling that the company may be too early / too big is never a good excuse for holding off on a risk assessment. As a business owner, it is your job and fiduciary responsibility to ensure that issues are identified and addressed before they become problematic, irreversible, or in many cases, fatal.
Some ways to reduce operational risk are described below:
· Divide tasks
List the steps necessary to eliminate a given risk. If they are currently carried out by a single individual or function, split the tasks so that one role carries out the tasks and another role checks or approves the outcome of the job. Proper division of roles and duties eliminates internal theft and fraud-related risks. It prevents a single individual from manipulating the many facets of transactions and business processes or practices.
· Delegate, and delegate efficiently
Faced with the need to work with a lean headcount, some companies ask people to wear multiple hats. Do not be so aggressive in trying to increase workloads that you are assigning vital tasks to individuals who are untrained or unwilling to take on the additional responsibility.
· Brainstorm the exceptions
Most risk incidents arise from exceptional circumstances that were not explored during the initial design of the business process. Wait orders, abrupt departures of employees, delivery of substandard raw materials, missed steps during the company's peak season, or product recalls are just a few of the many exceptional situations that could create operational risk if no structured procedures are in place.
· Measure your performance
Data is crucial and gives companies the means to verify their initial risk assessment. Do the frequency and severity of the effects match what you originally expected? Is the new mitigation plan working, or do you need to tweak it? Should you transfer those measures to different roles? Are some individuals or departments better than others at handling the risk? When, due to a particular risk, you are served with a complaint or face regulatory investigation, the historical data is often critical to mitigating penalties, judgments and fines.
· Adopt an ongoing approach
Risk assessment is only relevant in the context of your current business environment. Risks and mitigation strategies from last year may not work in today’s world. Regularly check your risk assessment (quarterly, semi-annually, or annually). If you need to tighten or relax some of your business rules or adjust your workflows, a workflow automation tool will accomplish it quickly.