
Strategic Risk Management

Lecturer: Sean Fouché, MBA (with a Specialization in Strategic Planning), PMP

Focus on slides 11 - 27
Common Misconceptions about Risk and Risk
Management
1. All Risk is bad
• Risk and opportunity are intrinsically linked
• Risk can be positive or negative
• If risk is managed effectively it can become an asset rather than a
liability
• A “bad” risk for one can be a “good” risk for another

2 © Edinburgh Business School


Common Misconceptions about Risk and Risk
Management (Cont’d)
2. It is better not to take risks if they can be avoided
• The risk of not taking risk – no risk, no reward
• Depends on the risk appetite of the organisation, which can also affect
its competitive position.
• The following should be considered when deciding whether or not to
avoid a particular risk: -
• Risk should not be taken just for the sake of taking risk – Consider the
opportunity/reward
• The opportunity should be greater than the risk
• Avoid using other people as an excuse for inaction – be sure to include
“accountability” in your risk management system
• Never risk more than you can afford to lose
3
Common Misconceptions about Risk and Risk
Management (Cont’d)
3. Some risks are so great that they have to be eliminated
• Not all risks can be eliminated – consider unforeseeable risk
• Consider the cost benefit analysis

4. If in doubt, play safe
• Consider the risk appetite
• Consider the competitive advantage gained or lost

4


Common Misconceptions about Risk and Risk
Management (Cont’d)
5. Groups tend to make less risky decisions than individuals
• Individual accountability can be protected by the group
• Many people prefer to be perceived as risk-seeking rather than risk-averse
• The tendency for groups to make riskier decisions than individuals is known
as the Risk Shift phenomenon. This is time-based and a function of the
multidisciplinary nature of the group.

6. Well established groups are more efficient at identifying and handling risk
• Consider groupthink
• Decision-maker may consider risk to group/team as being more important
than risk to the organisation
5
The Increasing Significance of Risk
• The number of risks increases as a function of both human and
organisational evolution and development.
• As organisations become larger and more complex they tend to face an
increasing array of complex and diverse risk.
• Additionally, as the array of risk increases, so too does the interconnectivity of
the risk.
• Risk Analysis is based on the consideration of risk and reward, which is a
basic function of the human cognitive process.
• The way in which people think is important, as risks are perceived and
evaluated by people. This also applies to the design and implementation of
Risk Management Systems.
6
The Increasing Significance of Risk (Cont’d)
• Risk is not a negative concept
• Change is time-driven and observers can only look in one direction on
the time continuum.
• The key issue is the ability to identify risks and manage them: the
development of a Risk Management System in which risk can be
controlled at acceptable levels while corresponding opportunities are
exploited.

7


The Increasing Significance of Risk (Cont’d)
• Risk also has a number of positive attributes
• Risk intimidates competitors - Organisations vary by risk appetite and its
range of acceptable outcomes.
• Risk is a dynamic entity – The apparent “risk universe” is in fact dynamic
• Risk Management is about looking at the complex world of business,
analysing the myriad of opportunities and making an informed decision on
which is the best one to accept.
• “Risk Universe” means a representation of all the risk of all types that can
impact on the decision-maker.
8
The Risk of Not Managing Risk
• Risk profiles are becoming very complex
• There are a number of misconceptions about risk
• The number and range of risk faced by the organisation continues
to increase
• There is now an increasing need to manage risks so as to minimise the
net impact on the organisation.

• Failure to manage risk is itself a risk

9


The Risk of Not Managing Risk (Cont’d)
• Failure to Properly Identify Risk – Only identified risk can be properly
managed
• Failure to Properly Assess Risk – this cascades and the consequences
of interdependent risk must also be considered
• Failure to Properly Monitor Risk – unlikely events can become more
likely as conditions change, effects (likelihood and impact) may also
change over time. This can be aligned to continuous Environmental
Scanning.
• Failure to Properly Control Risk – Control systems must be adequate
and must be properly implemented
10
Risk Levels
A risk level or ‘stratum’ defines the specific layer of risk within the overall risk profile: -
• Strategic Risk – any of the range of issues that can affect the organization’s ability to
succeed in its strategic planning and implementation process
• Change or Project Risk – issues which may affect the successful implementation of
projects (or change initiatives). Change in the direction of the organization towards the
achievement of its strategic goal is often brought about by the implementation of
projects. Project management disciplines are used for the management of such
projects which also include the management of such risk.
• Operational Risk – issues which may affect the production process and thus the ability
of the organization to meet its operational targets and also includes issues related to
the people, equipment, material, etc.
• Unforeseen and Unforeseeable Risk – unforeseen issues are those which are not
specifically identified but could be detected if the level of analysis was sufficiently
detailed. Unforeseeable issues are those that cannot be identified and analysed no
matter what level of detail is used.
11
Risk Types
These are used to classify risk levels: -

• Speculative and Static Risk – Speculative risk is dynamic and is concerned with
both positive and negative values (gains and losses). It is unavoidable as it relates
to factors outside the control of the organization. Static risk considers losses only.
• Internal and External Risk – Internal risks originate inside the organization and as
such are ‘controllable’. External risks originate outside of the organization, within
the external environment.
• Planned and Responsive Risk – Planned risks are accepted by the organization as a
result of some planned initiative or venture. Responsive risks are required of the
organization in response to forces that impact upon it.

* Note: Combination of Risk Levels and Risk Types – Individual risk can be
characterised by many different combinations of risk levels and types.
12
The Need for an Effective Risk Management
System
It is clear that: -
1. There are many misconceptions about risk
2. The significance of risk in all applications is increasing
3. Risk has to be managed, as not managing risk is a risk in itself
4. There are also numerous different levels of risk

As such: -
• The overall risk profile facing decision-makers is highly complex and variable
• Risk cannot be managed on a tactical or response basis
• There is a need for an effective Risk Management System
• Risk has to be managed at a strategic level, using a strategic approach.
13
The Need for an Effective Risk Management
System (Cont’d)
• Most organisations: -
• Are subject to internal change
• Operate within an environment, over which the organization has no
control, and which is also subject to change

• Therefore, the internal and external risk profile changes constantly and as
such there is a need for a formal and structured approach to risk
management.
• The risk management system must also be designed and operated very
carefully with due analysis and evaluation in a range of different
design/operational considerations.
14
The Need for an Effective Risk Management
System (Cont’d)
The risk management system must also be designed and operated very
carefully with due analysis and evaluation in a range of different
design/operational considerations: -

• The specification and detailed design of the system depends on the
specific characteristics and needs of the organization
• Risk management operates at different levels
• Risk levels do not operate in isolation
• Organisations operate within a risk universe
• Risk management is possible only up to a point
15
The Need for an Effective Risk Management
System (Cont’d)
• Risk management systems are not infallible
• Risk management systems are often complex and expensive
• Risk management systems have to be dynamic
• Risk management systems have to be organisation-wide
• Risk management systems are only as reliable as the people using
them
• New approaches to working practices also generate a need for
effective risk management

16


Characteristics of an Effective Risk
Management System
• It must be effective and reliable
• It should have Enterprise-Wide capability
• It should be practical
• It should be realistic
• It should comply with internal and external standards
• It should be cost-effective
• It should have full life-cycle applicability

17


Characteristics of an Effective Risk
Management System (Cont’d)
• It should be designed and commissioned as a project
• A formal risk management policy
• A commitment to organization-wide risk management
• Accurate design and implementation planning
• Design, implementation and operation management

18


Risk Management System Design
• Traditionally – by individual organisations for their own use and to
meet their own specific needs and requirements.
• The 1st real global standard for Risk Management was Australia and
New Zealand (AS/NZS) 4360 Risk Management. Published in 1995 and
revised in 2004.
• This has since been superseded by ISO 31000:2012 ‘Risk Management
– Principles and Guidelines’

19


Risk Management System Design (Cont’d)
Standard elements or components (Refer to PM Module): -
• Risk Management Strategy
• Risk Identification
• Risk Analysis and Classification
• Risk Attitude
• Risk Response
• Short and Long Term Risk Management System Monitoring and
Review (Monitoring and Control)

20


Moving towards Enterprise-Wide Risk
Management (EWRM)

• An EWRM approach takes risk out of the context of control or
transfer functions and elevates it to the context of a business risk,
effectively integrating risk managers with the organization’s
performance and its defined objectives to create value.

21


Moving towards Enterprise-Wide Risk
Management (Cont’d)
• Taking an enterprise-wide approach to managing risk enables the
organization to effectively deal with uncertainty and associated risk
and opportunity and thereby attain its objectives and build value.
• It makes the company at managing risk through the collective and
coordinated capabilities of individuals, functions and operations.
• The operation of an effective EWRM generates a basis for increased
competitive advantage.
• Organisations should aim for an EWRMS that supports a risk
management strategy that is comprehensively aligned with the
organization’s strategic objectives.
22
Moving towards Enterprise-Wide Risk
Management (Cont’d)
• This is a staged process and involves moving from risk silos, improving
communication, assessing risks across the business and ultimately
aligning the control functions to manage these risks.
• Towards the end of the process risk management becomes an integral
part of the strategic planning process and helps to determine the
nature and extent of the strategic objectives.

23


Governance, Risk and Compliance
• Corporate Governance can be defined as the way in which
organizations are directed and controlled.
• As organisations grow and become more complex, investment in
governance frameworks has also increased to allow them to respond
to ever-increasing streams of externally imposed standards and
requirements.
• The need to improve internal controls and demonstrate effective
management has also been driven by the fact that those who manage
public and governmental organisations do so on behalf of others and
can be held accountable for their actions.

24


Governance, Risk and Compliance (Cont’d)
• The increased level of scrutiny has resulted in increased stakeholder
empowerment as it becomes easier for organisations and managers of
such organisations to be held accountable.
• Corporate governance also calls for a high degree of transparency and
disclosure to stakeholders.
• Primary governance is set by legislation or the demands of stakeholders.
• Secondary governance or compliance originates from within the
organization, often in response to legislation or code of practice.
• Compliance activities can also arise out of the requirements of
customers or the industry.
25
Governance, Risk and Compliance (Cont’d)
• Clearly there is a strong linkage between Governance and
Compliance, both of which can be significantly affected by the
management of risk. As such organisations are now integrating
Governance, Risk and Compliance into a GRC function, within the
EWRMS framework.
• This will: -
• Improve strategic and operational effectiveness
• Eliminate the duplication of effort and waste of resources
• Provide a single source of information and communication

26


Questions?

27
