I’ve been asked to review and improve how we manage risk. I’m not the risk officer but am responsible for strategic planning.

I want to move away from every Senior Manager reporting their operational risks and focus in on the top ~20 corporate risks to challenge the Board with.

I want to make sure these are then integrated into our long-term planning process to ensure that they’re properly managed.

Has anyone got any experience of simple strategic risk management and could share any ideas?

email in profile if you’d prefer to do it on the quiet!

thanks

simple strategic risk management

A bit of an oxymoron that.

IME it is so subjective that’s hard to get management consensus on what the top risks are. Normally turns into a massive round of BS bingo very quickly.

Not very helpful sorry.

You’re right – that’s the challenge!

Can’t you get everyone’s top 5 risks, then run a Monte Carlo analysis and then take the top 5/ 10 or so from the resultant profile?
Once you’ve done it once then each further iteration should see them being refined, managed out or replaced by new ones as the risk profile changes with time.

My 2p:

I don’t have much of a background in risk at all (purely from project risk reporting), but surely you’d need to quantify your risks so you can work out the top 20? I’d be looking at categorising everything by probability and impact, both potential and actual. If you can do that then you’ll be able to maintain an overall risk log/register, and build mitigating controls around each risk that you have determined sits above whatever threshold you set as an organisation. These will then form the basis of your discussion at senior level.

Feel free to pull this apart, just my initial thoughts.

I do this for a job 🙂 Remember that a risk is a ‘definition of any future event that would prevent the achievement of the strategy’ so you need to develop a fresh risk register at the strategy level

do you have a proper business strategy with a Target Operating Model? do you have an inventory of all products and services and key processes? what is your business appetite for taking risk? gather these things and then get the brightest sparks in a room

do a fresh risk assessment that is based on scenarios that would prevent achieving the strategy (the impact you can align to the products and/or strategy goals) and identify the inherent risk (worst case). look for themes in the existing operational registers, ask questions like ‘what is bothering you at the moment’ or ‘if you had another £xm in your budget what would you spend it on’

then go back to whatever control framework you have and figure out the residual risk (current risk accounting for processes and other reducing factors) to report back to the exec

the way to ensuring this will work is to make sure you state the risk right, think ‘situation X caused by Y results in Z’

I want to make sure these are then integrated into our long-term planning process to ensure that they’re properly managed.

your investment decision process needs to have risk reduction as part of the benefits case

you need to review the risks and your appetite as part of the strategic planning

also, don’t hide it, get it out in the open and make sure that the managers are having honest conversations about problems based on evidence not hunches/opinion

best of luck

I’m not the risk officer

WTF is he/she doing then ???

I’m not the risk officer
WTF is he/she doing then ???

Retiring soon!

This is awesome. Thanks. It validates my thinking around basing it on scenarios preventing us from achieving strategy (documenting and delivering against the strategy is my real job but I see risk as a key element in the planning).

The tricky bit seems to be getting the level right – I want to challenge the Directors to make decisions on the key corporate risks at the same time as using operational risks to identify any hidden corporate risks (eg Senior Managers across the world have been highlighting staff recruitment/ retention issues on a regional level but this needs joined up into a corporate issue to be addressed centrally by HR Director)