When I ask people how they manage risk, most respond by explaining how they list the risks they have identified, rank them for probability and impact, and then come up with ways they can reduce the risk to the organisation. I have seen many variations on this approach, and it might improve people’s awareness and create a good opportunity for a conversation about risk. But listing risks does not equip organisations with the means to manage significant strategic risks.
An area of risk that is often neglected is the set of risks that arise from the strategy itself. Typically, a strategy is based on a theory of change or at least a set of assumptions. We easily become accustomed to the logic of our plans and we start to forget that the plans are really hypotheses. For example, we assume that if we plan to grow our services we will be able to do that, providing the funding is available. In fact, funding is not the only constraint on growth in most organisations – often it is hard to recruit enough suitably qualified staff or volunteers.
Once the strategy has been agreed, it is useful to pause and consider the risks inherent in the strategy. What assumptions are we making? Where are the points of uncertainty? There might be dependencies on others that are critical to the success of the strategy. For example, organisations delivering services under payment-by-results contracts might be relying on another agency to provide referrals. If the clients are not referred at the anticipated levels, the planned performance cannot be achieved. This is a significant financial risk, so the payment-by-results contractor needs to make the notification of referrals a key performance indicator. Monitoring the performance at the earliest possible point might enable the contractor to respond to lower levels of referrals. Perhaps the contractor can be more pro-active with the agencies that are referring clients, building the relationships with the staff there and thus improving the flow of referrals. Having made the number of referrals a key performance indicator, the manager and staff should be focused on improvement or response.
This is a more positive way to view risk management: it asks managers to think about the plans, the inherent risks in the strategy and the assumptions being made. The focus is on the key points in the plan where the organisation needs to monitor, respond and adjust the plans as necessary. Such an approach enables the organisation to respond more readily to change in the external environment. It also enables organisations to be more adaptive, because the strategy and plans are not right or wrong – they were our best attempt at a plan at the time and can be adapted as we gain feedback and learning from monitoring the KPIs.
Instead of treating risk management as a list of bad things to be avoided, strategic risk management focuses on the things you need to get right to achieve your strategic objectives.
Kate Sayer is senior consultant at specialist auditors Sayer Vincent