When you hear the word “risk,” you probably think of either something dangerous (“don’t do that, you could get hurt!”), or an action that is likely to fail (“if this works out, we’ll be rich; if not, we could lose everything”). But risks are actually neutral; they’re neither good nor bad, but simply describe a degree of uncertainty.
We tend to say that risks are either “positive” or “negative.” But what we’re actually describing is the outcome. If a risk brings a positive outcome, we might enjoy new opportunities and pleasant surprises. If a risk brings a negative outcome, we could experience damage, injury, liability, or loss.
The factors that contribute to outcomes are called threats. Although most threats can’t be eliminated (such as consumer purchase habits, economic instability, and increasing reliance on technology), we can definitely reduce the chance that we will suffer from a negative outcome.
I’m passionate about helping leaders to recognize vulnerabilities in their organization: areas where an attack or loss is likely to occur. In this article, I explain the importance of developing your awareness of risks in a strategic context, the “perfect blend” of strategy and risk, and suggestions for managing them.
Strategic Risk Intelligence
Every leader has the ability to effectively distinguish vulnerabilities and untapped opportunities in developing their organization’s goals. Unfortunately, many of us get hyper-focused on day-to-day tasks. We become overwhelmed by an enormous workload, or just plain burned out. So instead of seeing the big picture and avoiding potential problems, we ignore issues until things start to fall apart.
Over the years, I’ve seen hundreds of smart leaders take huge risks. Sometimes the risk pays off, but often their organization suffers from lingering effects. We are fond of saying “hindsight is 20/20,” but in many cases the root problems of decision-making are never properly identified. Most of us don’t take the time to evaluate where we’re going, how we’ll get there, and what will happen unless we make a change.
That’s why strategic risk is so important: it provides us with the opportunity to review the overall plan while also recognizing errors and potential pitfalls. One tool that is particularly useful is the “Post-Mortem Evaluation” (or as Project Managers like to call it, “Lessons Learned”), which simply involves asking the team these questions:
- What happened?
- What went well?
- What didn’t go well?
- How we can adjust for the future?
Although Post-Mortems are amazing, very few leaders actually use them. Why is that? Perhaps learning from our mistakes is too uncomfortable. Or we might all be suffering from a massive case of Overconfidence Bias, in which we downplay negative outcomes and only focus on the “wins.” Rather than relying on an overly optimistic mindset, I recommend welcoming the input of Devil’s Advocates, individuals who are not afraid to “give it to you straight” (one of the 10 reasons clients hire me).
The Perfect Blend: Strategy and Risk
Have you ever counted all the job roles you’ve had since you were 14 years old? My past jobs include food service worker, patient transportation aide, data analyst, medical transcriptionist, department director, and privacy officer. I have seen organizations from the ground up: in Foundational jobs (essential yet unappreciated job roles in Housekeeping, Direct Customer/Patient Care, Food Service, and Maintenance) and top leadership roles. In my experience, one thing is clear. Very few organizations have a good blend of long-range planning and avoiding danger. In fact, most swing to an extreme:
- They’re Overconfident (“We’re moving forward, and everything will be fine.”)
- They’re Underconfident (“We can’t move forward, because there’s too much uncertainty”)
- They’re Ambivalent (“We’re moving forward, but it will end badly.”
Strategic planning is primarily concerned about envisioning the future and continued growth. But we cannot envision the future without also thinking about the potential for things to go wrong.
Risk management is tasked with keeping the company safe from harm. And we can’t identify threats unless we have a growth trajectory from which to evaluate those risks.
When used in combination, these two disciplines can help your organization to become an unstoppable force. But if we favor one area over the other, problems arise.
Traditional risk management focuses on the probability and impact of every type of decision (such as those discussed in the Global Risks Report). Risk managers have, I believe, one of the most important roles in any organization: to protect and safeguard it from harm.
Having served as a Risk Officer at a healthcare facility, I can tell you that carrying this responsibility comes at a steep cost. When employees see a Risk Manager walking down the hall, they practically leap out of the way. It’s not a very popular role in most organizations, because risk is typically equated with “errors” and “blame.” The very idea that someone’s job is to seek out problems often means that you’re treated like a Debbie Downer: “Wah, wah, wahhh…”
So what’s the answer? How can we have a future-focused perspective (strategic planning) and also recognize vulnerabilities (risk management)? Here are some suggestions.
- Establish Context
- What is your current situation in terms of future goals and organizational vulnerabilities?
- Do you have low Customer Churn and Employee Attrition, or are those areas of concern?
- How engaged are your staff?
- What will happen if nothing changes with the way things are going?
- Identify Risk
- Take a quick inventory of the risk management methods you are using right now.
- Are you conducting regular risk assessments?
- Who is responsible for managing risk, and how is risk data being collected?
- What are the sources of your risk data?
- Once problems are identified, how are they controlled?
- Do vulnerabilities circle back to the strategic planning process? (If your team is identifying potential issues but there is no feedback loop, then you might have a broken process.)
- Assess Risk
- Are you calculating impact (Severity x Likelihood) of all potential vulnerabilities?
- Is your strategic plan in SHAPE?
- Has a defined framework (Structured)
- Enhances trust in leaders (Honest)
- Contains a realistic vision for the future (Accurate)
- Extends the planning process past the exec level (Participatory)
- Provides a compelling vision and direction (Energizing)
- Control Risk
Once vulnerabilities are identified and assessed, you must take action in one of these ways. How effectively are these being managed?
- Avoid (eliminate)
- Reduce (mitigate)
- Retain (accept)
- Transfer (insure)
As you can probably tell, I really enjoy the topic of identifying and properly managing vulnerabilities. I’d love to hear your thoughts about strategic risk, planning, organizational management, and other related topics. Leave a comment below. Or if you’re interested in discussing your organization’s situation, fill out a questionnaire to get started.
Grace LaConte is a Strategic Risk Expert who helps executive leaders find and fix organizational vulnerabilities. Using her experience as a Risk Officer and Director in healthcare and technology companies, Grace shares a refreshingly honest approach to uncovering hidden risk opportunities. Learn more at http://laconteconsulting.com, or connect with her on Twitter @lacontestrategy.
Cross-published on Medium: https://medium.com/@lacontestrategy/what-is-strategic-risk-and-why-does-it-matter-b40f8ed03cf2