Modern organizations operate in a highly complex environment. New technologies, increasing digitization, and evolving customer demands create all kinds of risks that can disrupt operations, weaken cybersecurity, and damage an organization’s reputation or financial position.

The failure to effectively recognize, manage, and mitigate risks can also lead to business failure. Two such types of risk are strategic risk and operational risk.

Understanding these risks can improve business decision-making and enable risk managers to implement the proper controls for risk mitigation and management. However, confusion around these two risk types limits the ability of organizations to manage them effectively.

This article addresses common questions about strategic and operational risk:

  • What are strategic risk and operational risk?
  • How are they different?
  • What are some examples of each?

Strategic and Operational Risk: A Brief Intro

Strategic risks arise when a business strategy fails to deliver the expected outcomes, affecting the firm’s development and growth. Such risks can be created due to a technological change, an evolving competitive landscape, or changes in customer demands.

Operational risks can arise from inadequate or failed internal procedures, employee errors, cybersecurity events, or external events.

Operational risk management (ORM) is critical to removing roadblocks to the execution of strategic plans. Risk assessments are often performed as part of ORM to gauge how well the ORM program is performing.

Enterprise Risk Management (ERM)

Strategic and operational risk management are part of Enterprise Risk Management (ERM). ERM also includes two other types of risk management:

  • Financial Risk Management (FRM)
  • Compliance Risk Management (CRM)

ERM is a holistic approach that looks at risk management from the perspective of the entire organization, not just specific functional or business units.

It requires firm-wide visibility and management-level decision-making that may not make sense for individual business units but make perfect sense for the broader organization. Organizations leveraging ERM are better prepared for risk and know which risks can be mitigated or accepted.

Strategic Risk

Strategic risk represents a possible source of loss often determined by business plan performance, business objectives, and overall business strategy. Such risks can be either:

Business Risks

Any risk that arises from decisions taken by business leaders constitutes a business risk. This includes risks related to:

  • The development and marketing of new products or services
  • Economic risks affecting costs, sales, revenues, and profits
  • Changes in the technological environment that may affect production or sales

Non-business Risks

These risks are not created by decisions taken within the organization but by its position in relation to its environment. They may arise from using specific long-term finance sources, competitor actions, or technological advancements that lead to product obsolescence.

Examples of Strategic Risk

Examples of risks that may impair an organization’s ability to meet its strategic objectives include:

  • Strategic decisions that are unclear or poorly communicated
  • The introduction of new products or services
  • Changes in senior management
  • Unsuccessful mergers or acquisitions
  • Changes to customer demands or expectations
  • Damage to the company’s reputation
  • Financial challenges (e.g., poor cash flow)
  • Entry of new competitors
  • Problems with suppliers, vendors, or other stakeholders

Strategic Risk Management

Strategic risk management (SRM) is essential to identify, assess, and manage strategic risks. It focuses on both internal and external scenarios that introduce risk into the enterprise, and its goal is to enable the organization to achieve its strategic objectives.

The organization may accept some strategic risks in the short term but take action to eliminate or reduce them in the long term. For instance, it may accept the risk of supply fluctuations of raw material since it cannot operate without it.

But in the longer term, it may redesign its production processes to minimize (or eliminate) its dependence on that material and thus eliminate this risk.

For maximum effectiveness, the SRM program must account for all risks related to:

  • Shifts in customer demand
  • New competitive pressures
  • Technological changes such as the evolution of Big Data, Artificial Intelligence, Machine Learning, etc.
  • Increasing performance pressures from stakeholders

It must also clarify when a particular risk is to be avoided, either because pursuing some business opportunities may be harmful or because potential losses (risks) are likely to exceed potential returns (rewards).

Operational Risk

Operational risk refers to the risk of losses that may result from disruptions to day-to-day business operations. These risks can have a financial impact, affect business continuity, damage the organization’s reputation, and weaken its compliance position. To minimize their impact, ongoing operational risk management is essential.

Examples of Operational Risk

Some common examples of operational risk include:

  • Inadequate or failed internal processes
  • Human error
  • System downtime or failure
  • Inadequately-trained staff
  • Breakdown of process controls
  • Fraud
  • Cybersecurity events (e.g., data breaches)
  • External events (e.g., earthquakes or pandemics)

In general, operational risk can be created by:

  • Technology
    • Hardware
    • Software
    • Cybersecurity
    • Privacy
  • People
    • Employees
    • Vendors
    • Customers
    • Other stakeholders
  • Regulatory and compliance

Operational Risk Management (ORM)

ORM enables organizations to complete risk assessments, make better risk decisions, and implement effective and robust controls for operational risk. An effective ORM program includes multiple stages to help reduce and mitigate critical risks:

  • Risk identification
  • Risk assessment
  • Risk measurement and mitigation
  • Controls implementation
  • Risk monitoring and reporting

Since operational risks are constant, varied, and increasingly complex, ORM is an ongoing activity. Moreover, it is guided by four key principles that help strengthen the organization’s ability to identify and deal with operational risks correctly:

  • Accept no unnecessary risk
  • Accept risk when benefits outweigh costs
  • Make risk decisions at the appropriate level
  • Anticipate and manage risk by planning

The Difference Between Strategic and Operational Risk

Strategic and operational risks are both parts of ERM. However, strategic risk management is a “high-level” look at risk that considers the firm’s objectives and overall strategy. SRM decisions have a long-term focus and must be carefully considered, since they can shape the organization’s future.

Operational risk brings a more tactical, “ground-level” view of an enterprise’s risk profile. These broad, short-term risks relate to systems, people, and processes – essentially anything that can affect the organization’s ongoing operational capabilities.

Many organizations tend to focus more on operational risk remediation, since such risks affect day-to-day operations and business continuity. However, companies must address both strategic and operational risks.

By doing so, they can create a more comprehensive picture of their risk position and take appropriate action to strengthen it.

They must also evolve their thinking about strategic risk and look at it from quantitative and qualitative perspectives. Finally, they must create a structured risk management process to guide decisions about risky investments.

Strengthen Strategic and Operational Risk Management with ZenGRC

Better manage your strategic and operational risk, and stay ahead of the curve with ZenGRC.

This comprehensive platform includes capabilities for risk management, compliance, audit, and policy management so that you can manage all these critical tasks with ease.

Our centralized dashboard gives you a holistic view of risk across the organization, showing you where your gaps are and how to address them. Additionally, with universal control mapping, ZenGRC can tie a single control to multiple risk management frameworks so that you can avoid duplicate work and documentation.

Get better visibility into risks, see where they’re changing across your organization, and operationalize risk management. Click here for a free demo of ZenGRC.