How to align risks to strategy

In this class, Alejandro Orrego, CEO at Pirani, teaches us about risk management, why you need to manage risk, how to align risk to strategy, risk treatment, and indicators. 

Try Pirani for FREE:     

What Is Strategy?

Michael E. Porter defines strategy as a unique and valuable position involving different activities. According to Porter, strategy is not just about operational effectiveness or performing similar activities better than competitors but is rather the choice to perform different activities or the same activities in different ways.

He emphasizes the importance of making trade-offs and choosing a distinct market positioning to create a sustainable competitive advantage.

What Is Risk?

Risk is defined as the effect of uncertainty on objectives. It is the possibility of an event or situation that could impact an organization's achievement of its goals and objectives.

Risk can be seen as a threat or opportunity's likelihood and potential consequences.

What Is Risk Management?

Risk management is a systematic and structured process of identifying, assessing, prioritizing, and mitigating risks to achieve organizational objectives.

It involves recognizing potential events or circumstances that may hinder goal achievement and developing strategies to manage and control those risks.

The primary goal of risk management is to enhance the likelihood of success and minimize the impact of adverse events on an organization.

Why are you doing risk management?

Defensive Perspective

1. Protecting Assets and Investments
   One primary reason companies engage in risk management is to safeguard their assets and investments. Risks such as financial losses, operational disruptions, and reputational damage can pose significant threats to a company's resources and capital.
2. Compliance and Legal Requirements
   Regulatory requirements often mandate companies to have effective risk management processes in place. Adhering to these regulations helps organizations avoid legal consequences and ensures that they operate within the boundaries of the law.
3. Preserving Reputation
   Reputational risk is a critical concern for businesses. Negative events, such as product recalls, ethical misconduct, or environmental incidents, can harm a company's image and erode customer trust. Effective risk management helps prevent or mitigate these risks.
4. Financial Stability
   Companies need to maintain financial stability to ensure their continued existence. Organizations can avoid financial crises and insolvency by identifying and managing financial risks, such as market fluctuations, interest rate changes, and currency exchange rate risks.
5. Insurance and Cost Reduction
   Implementing risk management strategies allows companies to identify insurable risks. By transferring some risks through insurance, businesses can mitigate the financial impact of certain events. Also, effective risk management can reduce costs by avoiding unnecessary expenditures resulting from unforeseen events.

Proactive Perspective

1. Strategic Decision-Making
   Proactive risk management allows organizations to align risk considerations with strategic decision-making. By understanding potential risks and opportunities, companies can make informed choices that contribute to achieving their objectives.
2. Innovation and Growth
   Proactive risk management can foster a culture of innovation and entrepreneurship within a company. Organizations willing to take calculated risks are more likely to identify new opportunities for growth and market expansion.
3. Enhanced Resilience
   Proactive risk management contributes to organizational resilience. Companies anticipating and preparing for potential challenges are better equipped to navigate uncertainties and disruptions, ensuring continuity and sustainability.
4. Competitive Advantage
   Proactively managing risks can provide a competitive advantage. Companies that are resilient and adaptive to changing environments are more likely to outperform competitors and maintain their market position.
5. Stakeholder Confidence
   Demonstrating a commitment to risk management practices enhances stakeholder confidence. Customers, investors, and partners are more likely to trust and engage with organizations with robust risk management processes.

How to align risk to strategy

• Assess your strategic context
• Define your risk appetite and tolerance
• Integrate risk into your strategy execution
• Align your risk culture and capabilities

1. Assess your strategic context

The first step is understanding your internal and external environment and how it influences your strategic direction and priorities. You must identify the key drivers, trends, uncertainties, and scenarios affecting your industry, market, customers, competitors, and regulators. You must also evaluate your strengths, weaknesses, opportunities, and threats (SWOT).

This will help you define your strategic context and the critical factors that shape your risk profile.

2. Define your risk appetite and tolerance

The next step is establishing your risk appetite and tolerance based on your strategic context and stakeholders' expectations. You need to articulate the amount and type of risk you are willing to take or accept in your strategic areas, such as growth, innovation, quality, reputation, compliance, and sustainability. You also need to specify the level of variation from your expected outcomes that you can withstand in each area and the indicators and thresholds that will trigger actions or escalation. This will help you communicate your risk preferences and boundaries to your team and partners.

3. Integrate risk into your strategy execution

The third step is integrating risk into your strategy execution by embedding it into your planning, budgeting, performance management, and reporting processes. You must identify and assess the risks affecting your strategic objectives and prioritize them according to their likelihood and impact. You must also develop and implement risk responses, such as avoiding, reducing, transferring, or exploiting the risks, and monitor and review their effectiveness and efficiency. This will help you manage the risks hindering or enhancing your strategy execution and adjust your plans and actions accordingly.

4. Align your risk culture and capabilities

The final step is to align your risk culture and capabilities by fostering a positive and proactive attitude towards risk among your people and your organization. You must promote a risk awareness, ownership, accountability, and learning culture and encourage constructive dialogue and feedback on risk issues and opportunities. You must also develop and enhance your risk capabilities, such as skills, knowledge, tools, and systems, and ensure they align with your risk appetite and tolerance. This will help you create a risk-savvy, resilient organization that can adapt to changing circumstances and perform better.

Risk Treatment

• Avoidance
  This involves taking steps to eliminate the risk altogether. For example, if a company decides to avoid the risk of a certain product line, it may discontinue it entirely.
  
  
• Mitigation
  This involves taking steps to reduce the likelihood or impact of the risk. For example, if a company identifies a cybersecurity risk, it may implement additional security measures to reduce the likelihood of a cyber attack.
  
  
• Transfer
  This involves transferring the risk to another party, such as an insurance company. For example, a company may purchase insurance to transfer the risk of a natural disaster or other event that could result in financial losses.
  
  
• Acceptance
  This involves accepting the risk without taking any further action. This may be appropriate if the risk's likelihood and impact are deemed low or if the cost of mitigating the risk is greater than the potential impact.

Indicators

• Key Risk Indicators (KRIs):

Purpose: KRIs monitor and signal the potential occurrence of risks. They provide early warnings or indications that specific risks might be materializing.

Nature: KRIs are typically quantitative or qualitative metrics directly associated with specific risks. They help organizations proactively manage and respond to emerging risks before they escalate

• Key Control Indicators (KCIs):

Purpose: KCIs are used to assess the effectiveness of internal controls implemented to manage risks. They indicate whether the controls are operating as intended to mitigate the identified risks.

Nature: KCIs are often linked to specific control activities. Monitoring KCIs helps ensure the controls designed to manage risks are in place and functioning effectively

• Key Performance Indicators (KPIs):

Purpose: KPIs are broader performance metrics that measure an organization's overall performance and success in achieving its objectives. While not exclusively focused on risk, KPIs can indirectly reflect the impact of risks on performance.

Nature: KPIs can be financial or non-financial metrics aligned with organizational goals. They provide insights into how well the organization performs and can be influenced by internal and external factors, including risks.

In summary:

• KRIs focus on indicating the potential emergence of risks.
• KCIs focus on evaluating the effectiveness of internal controls in managing risks.
• KPIs are broader metrics that assess overall organizational performance, including the impact of risks.