The consideration of what might happen — what some refer to as risk — should be part of the strategic planning process.
Businesses should set objectives and strategies only after thinking carefully about where you are, what is happening around you, and what may happen in the future. These objectives and strategies should then be executed on, with an eye kept on what is happening as you progress on that may affect the success of your journey.
I much prefer talking about "what might happen" than "risk management," because while the terms should be synonymous, the word risk has a negative connotation. Indeed, the practice of risk management is far too often limited to identifying all — and only — the things that might go wrong and putting them in a list or heat map.
Neither of those (a list of risks or a heat map) helps executives make decisions, including deciding on objectives and strategies and then executing on them.
Alex Sidorenko, an expert in strategic risk analysis and a good friend, tells a story I love. He worked with senior executives to develop a list of the top risks facing a major organization where he was CRO. He took it to the CEO for a discussion. The CEO turned his nose up and told Alex the list wouldn’t change anything he was doing, that it wouldn’t help him make decisions and run the company.
Alex returned from this with a resolution to stop focusing on a list of risks (except where required for compliance purposes, when he would do it as cheaply as possible) and focus on what I would call decision support. He works to help people make informed and intelligent decisions.
Related Article: A Risk Manager's Most Powerful Tool: The Word 'Why'
Only Considering the Glass Is Half Empty Scenario
Mike Skorupski, corporate head of ERM at Siemens Games, a renewable energy company in Denmark, wrote an interesting article on this topic. Uniting risk management with strategic planning urges risk practitioners to get more involved in and add more value to the strategy-setting process.
Skorupski sees more in the COSO ERM guidance than I do when it comes to strategy setting. While I can see that COSO suggests identifying risks to strategies after objectives and strategies have been established, he reads COSO ERM the way it should have been written: you consider where you are, what is happening, and what might happen before establishing enterprise objectives.
Where I differ from Skorupski is in the focus on the negative.
Objectives and strategies should be set and then managed with an eye on all the things that might happen, both the positive and the negative. Expert practitioners have tools, like Monte Carlo simulations, that help assess the range of possible future situations and their effects on objectives, and the likelihood of those possible effects. But they are only used to using them on calamity management, not on the range of rewards and opportunities.
Do you make decisions by considering only what might go wrong? Or do you also consider what might go well? Don’t you make decisions after thinking through all the possibilities?
What will management and the board think if the CRO is only telling them about the likelihood of the sky falling?
Why not help management assess the possibilities of favorable trends in customer spending, an uptick in the economy, or improved pricing by major vendors — using the same methods as they do for potential harms?
I welcome your thoughts.