Risk management is often seen as a compliance exercise: an administrative necessity to tick the right boxes. But when done well, it’s much more than that. Risk management should be a driver of strategic success, aligning with your organisation’s objectives to deliver real business value.
In our recent From risks to outcomes: Putting strategy and objectives at the heart of risk management webinar, we explored how shifting from a process-driven to an outcome-driven risk approach can help risk managers, executives, and governance leaders engage their organisations at all levels. David Tattam and I shared insights on integrating risk into strategic planning, setting meaningful KPIs, and reporting on risk in a way that resonates with decision-makers.
We received a number of insightful questions from attendees, which we address in this blog. If you missed the live session, you can watch it on demand here:
Questions
Strategy and objectives
Q1: Why would you differentiate between operational and strategic objectives? For example, if there's a goal for customer experience transformation, where does that sit? The transformation could provide strategic advantages but someone could argue that it sits under operational. I'd prefer to keep it simple and just call them 'objectives'.
While it will differ across organisations, different reports (and different cadences of progress reporting) can have different audiences. The board, CEO and members of the project steering committee may be much more focused on the strategic objectives and their associated risks than on the operational objectives.
If differentiating between the two doesn’t add value, then there isn’t a particular downside. We like to keep them separate as strategic objectives typically require projects to achieve them, and are then transitioned to operational objectives (or modify existing operational objectives). The customer experience transformation implies significant change to the organisation (which could be changes to technology, products, services etc), which may also change operational risks or introduce new ones once delivered.
An alternate definition of strategic risks that we see occasionally is risks that would cause us to change our strategy if they occur. Following this definition, a previously accepted operational risk might change significantly enough that it forces a change to strategy – i.e. an operational risk can become a strategic risk if it’s big enough.
Q2: I am working for an organisation that focuses solely on operational objectives, and the executive does not understand strategy or have a strategic view. I have great difficulty in linking our risks to operational objectives - any suggestions?
While rare, we have come across a few organisations that only had operational objectives and just ran a steady ship. However, I’m assuming this isn’t your organisation. Without context, I’d say start with the vision. What do they want the organisation to look like in 5-10 years? What actions might they need to take to get there? Often it is a failure of strategy rather than operational incidents that causes the most impact to organisations – one study found that 61% of major stock losses were due to strategic failures, rather than operational or financial. Think Blockbuster and Kodak.
As a shameless plug, we do have a strategic and project risk management course as part of our Protecht Academy which might help.
Q3: In your experience, is it more challenging for strategic objectives to be SMART?
Sometimes strategic objectives are not well articulated. This can perhaps lead to ineffective or at least sub-optimal allocation of resources, or rehashing similar discussions. The conversation to set SMART objectives can be challenging, but it also rallies the team around a common view of those objectives. It can uncover differing opinions about what success looks like, and then resolve them. We think it’s worth any potential discomfort as long as you are focusing on improving the process.
Q4: Is the term 'strategic plan' an issue in itself? Reducing strategy to planning alone could be problematic.
Sometimes I’m a stickler for a definition, but I’m not wedded to particular wording here. I can see a distinction between the strategy and the plan to achieve the strategy, but these activities are often combined in practice. As long as the definition doesn’t get in the way of pursuing the strategy, I wouldn’t be worried. If needed, make sure everyone is on the same page on definitions and what is to be achieved.
Risk appetite
Q5: What is your opinion on the difference between 'risk appetite' and 'risk tolerance'? Are they just different ways of describing the same thing or is one a subset of the other (and if so, which one)? Also can you show how KRIs and risk appetite link?
We typically consider risk appetite to be a qualitative assessment. When applied to different risk categories or types, it can give a quick sense of how the organisation perceives those risks. But having a ‘moderate’ cyber risk appetite isn’t very operational. Risk tolerance is the level of risk, expressed in quantitative terms, beyond which you will not accept the risk. This makes the concept of risk appetite easier to implement, as you’ve agreed on a more objective measure of when the risk is unacceptable. This is the link between risk appetite and KRIs.
Q6: What is the high/medium/low/zero appetite based on for the objectives? For risk, the measure can be linked back to impact – but for objective appetite?
This expresses the variation around the objective itself. Organisations have multiple objectives, and some of them are more important than others. Articulating this explicitly (whether via risk appetite or even a simple ranking) helps decision makers make trade-offs between objectives with limited resources if they cannot all be achieved. KPIs and associated thresholds represent this in more measurable terms.
Q7: Wouldn't the ‘max’ be risk capacity? I thought risk appetite sits within risk capacity.
I personally don’t find risk capacity to be that useful in practice. It is typically expressed as the maximum amount an organisation can possibly take before it is likely to fail and not recover from the amount of risk that it has taken. This is easier to apply in a financial context and the organisation’s balance sheet, but has less use when incorporated into strategic and operational objectives discussions.
Risk metrics
Q8: You mentioned KRIs (vs KPIs or KCIs) - if we are trying to monitor our key risks, how 'purist' do we need to be to focus and report on risk indicators vs performance/control indicators?
I assume you mean in the context of a risk/reward report: should we only report on KPIs for objectives, and only report on KRIs/KCIs for risks? This links back to the lifecycle of risk – the final impact of a risk is on the objectives, so this could be seen as overlap. However, the measure in a risk setting is often framed as the negative of the KPI. Customer satisfaction might be measured by an overall Net Promoter Score (NPS); a related risk event might measure the total number of complaints, which would influence that NPS. Objectives and risks can have many-to-many relationships, and each might have different measures related to the same objective.
Q9: Once risk managers get into strategic conversations we need to understand our audience won't always be at this level of detail (KPI, KCI, KRI, etc). How can we balance this for stakeholders?
You don’t need to include everything we covered if your team aren’t ready for it. If I were to roughly order the key information to bring to the process:
- Start with what those stakeholders care about, which is objectives. It’s extremely likely there are already KPIs or performance measures for those objectives, perhaps even with a ‘traffic light’ approach on how they are tracking
- Highlight the risks that can influence those objectives. Early on this might be narrative supported by a measure of the risk
- Risk metrics aren’t needed straight away, you can introduce them later
If you aren’t currently using KRI/KPI/KCI, you can call them collectively risk metrics to start with. Present them as primarily leading indicators that can influence future performance, while KPIs are current performance. If you present them on the same report, try to make them look similar to support the current state versus potential future performance paradigm.
More broadly, use everyday language. What are you trying to achieve? What might get in the way? How bad could that be? What do we need to monitor?
Q10: How are KRIs formulated for strategic-focused risks from a program risk management perspective?
We break down strategic risk into two main categories: decision risk and execution risk. The first is about whether you made a good decision in the first place; the second is about risks that prevent you from executing on that strategy (i.e. project risks). Adopting KRIs for program risks isn’t much different from an individual project. At a high level:
- Identify the risks to the program/collection of projects
- Analyse the risk to understand how the risk could occur
- Identify measurable parts of the risk that give off ‘puffs of smoke’ that would indicate the risk is in motion or is changing
- Set a threshold for the KRI and then monitor that measure
For example, if all of your projects require a certain commodity that has not yet been purchased, you could monitor the price of that commodity. If you can identify leading indicators for that commodity, that is even better.
If you apply a slightly different definition of strategic risks for programs (perhaps regarding the effectiveness of project or program management itself), the principle remains the same – identify leading indicators you can measure so you can respond as early as possible to change direction or minimise impact.
Management and risk culture
Q11: Aren't all managers 'outcome managers'?
They should be. The disconnect is that sometimes risk managers or those in the risk field in particular are not seen as helping with those outcomes, and that they focus on the negative. Our aim was to highlight that when framed well, risk management should be seen as an enabler of sustainable outcomes, not the ‘fun police’.
Q12: Working within an organisation and not as a consultancy, what advice would you have to better influence the senior leadership in setting and elevating enterprise-wide risks to similar strategic risk levels for visibility and focus?
I’ve been there. An option is to use ‘free’ consultancy that supports your (and the organisation’s) goals. What does that mean? Highlight to your audience credible external sources that demonstrate the benefits of taking it to that next level. While it is a little older now, one study found that 61% of major stock losses were due to strategic failures, rather than operational or financial.
Q13: Coming from an organisation that currently does risk management with a risk-led approach, some of us have a desire to change this to an objective-led approach. How would you convince key stakeholders to approve the shift?
It sounds like you are already on your way. Reinforce the message that risk doesn’t exist in a vacuum; there has to be risk to something, and the something is objectives. You might also explain the lifecycle of risk using the risk bow tie, which shows that objectives (the thing the board and executive ultimately care about) are the end of the lifecycle. By making the link more explicit, you can show them that risk management and any leading KRIs give them insights into long-term performance and the likelihood of achieving specific objectives.
Q14: What have been the most successful strategies that you have seen to incentivise good risk management (or outcomes management)? What is their contribution to a successful risk culture?
The easiest way to incentivise risk management is to align it with what the stakeholders care about. We embed objectives across all of our risk training in Protecht Academy, and start with why risk management is important.
Beyond broader training and awareness, including risk activities in job descriptions or individual KPIs can also incentivise people by highlighting that it is an important part of the organisation’s culture, not something ‘extra’. In Protecht ERM we implement a risk culture dashboard that helps measure engagement with risk processes. This raised awareness can help people focus or show their contribution.
Others
Q15: The five steps, processes, bow tie (e.g. 'preventative controls'), etc, all tend to focus on traditional 'downside risk' - what about opportunities (or upside risk)? How do you identify and assess that?
Focusing on downside is typically the case. I find that the upside or opportunity is often considered in a business case or assumed as variation in the objective itself. Opportunity may be considered more frequently in project risk management, where there may be specific opportunities to execute a project task faster or for lower cost if the right circumstances eventuate.
David Tattam has written a blog about opportunity risk, and I’ve also talked about how you might implement controls for opportunity risk.
Q16: I don't understand how taking 'greater risk' might result in 'lower reward'. Can you give us an example please?
This may have been in relation to one of the graphics that showed the variation in potential reward when you take more risk. Taking lower risk might ‘lock in’ a reward that won’t be too low, but prevents high reward from being achieved. More risk may result in higher reward on average, but open you up to the possibility of losses.
Q17: Do you ever conduct risk assessments centred around objectives, rather than separately identifying risks apart from objectives and then matching them? Could more types of objectives be included?
This is the way it should be done, and is the basis of our training. Before I conduct a risk workshop, I collect information on what objectives are in scope for the risk assessment (or ask upfront at the beginning). This rallies people around those objectives, and shifts the focus from generic downside risks to those that ultimately affect those objectives.
This approach can be applied at the enterprise level, or with objectives at business unit, process level, or whichever level/dimension that helps your organisation manage its risks and achieve objectives.
Q18: I liked your use of the bow-tie model with the concept of pre-emptive opportunities to manage objectives. Have you applied this model to heavily regulated industries where stakeholders include regulatory bodies that are more difficult to measure in terms of setting objectives such as submission turnarounds?
We have a number of regulators around the world who use our Protecht ERM system. The reason we like the bow tie is because it is so versatile and enables communication about risk. It can be applied across many risk types at different levels of the organisation.
It sounds like submitting to regulatory bodies is a sub-set of the typical operational objective ‘to comply’. What risks would cause you not to submit on time, or to the required quality? Work backwards from the objective so that potential events and causes can be addressed, and likelihood of achieving the objective improved.
Conclusions and next steps for your organisation
The key takeaway from this discussion? Risk management isn’t just about preventing bad outcomes: it’s about enabling better ones. By embedding risk into your strategic objectives, you gain a clearer view of how risks impact performance and how you can turn risk management into a value-adding function within your organisation.
If you’re ready to take the next step, explore how Protecht ERM can help you align risks, objectives, and performance with powerful reporting and automation tools. Request a demo to see how Protecht ERM can support your journey to outcome-driven risk management: