Modern organizations operate in a highly complex environment. New technologies, increasing digitization, and evolving customer demands create risks that can disrupt operations, weaken cybersecurity, and harm the organization’s reputation or financial position – and above all, leave the organization unable to achieve its business objectives.
Understanding these risks can improve business practices and decision-making, and allow risk managers to implement wise risk mitigation and management controls. On the other hand, confusion about risks – and especially about strategic and operational risks – undermines an organization’s ability to manage risk well.
This article addresses common questions about strategic and operational risk, such as:
- What are strategic risks and operational risks?
- How are they different?
- What are some examples of each?
Strategic and Operational Risk: A Brief Intro
Strategic risks are those that threaten an organization’s ability to deliver expected outcomes, which can harm the organization’s ability to grow and prosper. Such risks can arise from technological change, an evolving competitive landscape, or changes in customer demands.
Operational risks stem from inadequate or failed internal procedures, employee errors, cybersecurity events, or external events such as a weather disaster. A comprehensive operational risk management (ORM) plan is critical to identify these risks and implement practical steps to manage them.
Risk assessments are essential to understand the different types of risks, possible risk events, and potential harm, so that an organization can optimize company performance while mitigating unnecessary risks.
Enterprise Risk Management (ERM)
Strategic and operational risk management is part of the larger effort known as enterprise risk management (ERM), which also covers financial, reputational, and compliance risk management.
ERM is a holistic approach that looks at risk management from the perspective of the entire organization, not just specific functional groups or business units trying to mind their own issues.
It requires firm-wide visibility and management-level decision-making that may not make sense for individual business units, but does make sense for the broader organization. As a result, organizations leveraging ERM are better prepared for risk control and know which risks can be mitigated or accepted.
What Is Operational Risk?
Operational risk refers to the potential for losses that result from disruptions to day-to-day business operations. These risks can have a financial impact, affect business continuity, damage the organization’s reputation, and weaken its compliance posture. To minimize that harm, ongoing operational risk management is essential.
Examples of Operational Risk
Some common examples of operational risk include:
- Inadequate or failed internal processes
- Human error
- System failures and downtime
- Inadequately trained staff
- Breakdown of business process controls
- Cybersecurity events, such as data breaches
- External events, such as natural disasters or pandemics
In general, operational risk can be created by:
- Other stakeholders
- Regulatory and compliance requirements
Operational Risk Management (ORM)
ORM helps an organization to complete risk assessments, make better decisions, and implement robust internal controls for operational risk. An effective ORM program proceeds in several stages to reduce and mitigate critical risks:
- Risk identification
- Risk assessment
- Risk measurement and mitigation
- Controls implementation
- Risk monitoring and risk data reporting
Since operational risks are constant, varied, and increasingly complex, ORM is an ongoing activity. It is guided by four fundamental principles:
- Accept no unnecessary risk
- Accept risk when benefits outweigh costs
- Make risk decisions at the appropriate level
- Anticipate and manage risk with planning
What Is Strategic Risk?
Strategic risk is risk that threatens your organization’s plans to achieve its business objectives. Put another way, strategic risk jeopardizes the possible paths your company can take to reach its goals. Strategic risk can be divided into two sub-categories: business risks and non-business risks.
Any risk that arises from business decisions made by senior management constitutes a business risk. For example:
- The management team might make poor decisions about expanding into new markets or developing new products.
- The company might price its offerings too high, and lose market share; or too low, and miss profit goals.
- The company might use a technology that curtails its operating flexibility, such as on-premises IT rather than cloud-based services.
Non-business risks don’t arise from poor management decisions. Rather, they happen in the external environment but have implications for your own company’s strategic plans. For example:
- A competitor might unveil a radically new business model that appeals to your customer base (such as Airbnb threatening the hotel industry).
- Economic conditions might make your product less palatable; think of the decline in cryptocurrency values disrupting online trading apps.
- Consumer tastes might move in a new direction that threatens your product offerings and value proposition.
Other Examples of Strategic Risk
The list of possible strategic risks is long. Among them:
- Business decisions that are unclear or poorly communicated
- The introduction of new products or services
- Changes in senior management
- Unsuccessful mergers or acquisitions
- Changes to customer demands or expectations
- Damage to the company’s reputation
- Financial challenges (such as poor cash flow)
- Entry of new competitors
- Problems with suppliers, vendors, or other stakeholders
Strategic Risk Management
Strategic risk management (SRM) is essential to identify, assess, and manage strategic risks. It focuses on internal and external scenarios that introduce risk into the enterprise, and its goal is to help the organization to achieve its strategic objectives.
The organization may accept some strategic risks in the short term, but take action to eliminate or reduce them in the long term. For instance, the company might accept the risk of supply fluctuations of particular raw materials to maintain business continuity. But in the longer term, the company may redesign its product to minimize (or eliminate) its dependence on that material.
For maximum effectiveness, the SRM program must account for all risks related to:
- Shifts in customer demand
- New competitive pressures
- Technological changes, including the evolution of big data, artificial intelligence (AI), machine learning (ML), and so forth
- Increasing performance pressures from stakeholders
Management must also clarify when a particular risk should be avoided, either because pursuing some business opportunities may be harmful or because potential losses (risks) are likely to exceed potential returns (rewards).
The Difference Between Strategic and Operational Risk
Strategic and operational risks are both parts of ERM. Strategic risk management, however, is a “high level” look at the risk – one that considers the firm’s objectives and overall strategy. SRM decisions have a long-term focus and must be carefully considered since they can affect the organization’s future.
Operational risk brings a more tactical, “ground level” view of an enterprise’s risk profile. These risks relate to systems, people, and business processes – anything that can affect its ongoing business activities.
Many organizations focus on operational risk remediation, since such risks drive day-to-day operations and business continuity. Instead, companies should address both strategic and operational risks. Doing so creates a more comprehensive and balanced picture of the company’s risk position, so senior management can grow the business while reducing the harm of loss events.
Executives must also consider strategic risk from quantitative and qualitative perspectives. A structured risk management process (complete with metrics) helps to guide decision-making about risky investments and initiatives.
Which Risk Assessment Methodologies Can Be Used?
Organizations can perform risk assessments in several different ways, depending on each organization’s exact needs. Also remember that you can use several types of risk assessments together, to get the complete picture of risk you need.
That said, all risk assessments do follow the same basic steps:
- Identify the hazards
- Determine who could be harmed, and how
- Evaluate the risk and make a prudent decision about how to treat it
- Record your findings and decisions
- Repeat the risk assessment on a regular basis (say, annually) to see whether any circumstances have changed
For any risk assessment to succeed, the person conducting the assessment should understand the risk being examined: financial, compliance, security, operational, and so forth. The assessor should also be competent in the mechanics of risk assessment.
Qualitative Risk Assessment
Qualitative risk assessments gauge risks by their potential severity or disruptive threat when the organization doesn’t necessarily have hard data to make specific estimates. Typically these risks are graded on a high-medium-low scale. They might evaluate the threat from, say, certain IT systems going offline or certain physical locations suddenly becoming unavailable.
Quantitative Risk Assessment
A quantitative risk assessment uses numbers and data to put dollar estimates on the cost of a risk. For example, if an organization ships $1 million of sales daily, you can calculate the aggregate cost of the downtime caused by an operational loss event.
Generic Risk Assessment
Generic risk assessments are designed to save paperwork and avoid duplication of effort. They are frequently applied to similar activities or equipment across several sites, divisions, or business units, and a generic assessment can serve as a template that outlines the hazards and risks commonly associated with a given activity.
Dynamic Risk Assessment
A dynamic risk assessment is a method for determining risk in the moment. This kind of risk assessment is often used to address unknown hazards or emerging and evolving conditions.
For instance, emergency services or healthcare professionals may employ dynamic risk evaluations. In these risk scenarios, the setting, circumstances, and individuals you are dealing with will vary from case to case, so you must constantly evaluate the risks given the shifting conditions.
When performing this kind of assessment, the assessor should consider whether the initial risk assessment remains valid after substantial changes in the situation. That is, should you attempt to handle the situation yourself, or should it be escalated to more senior management?
Manage Strategic and Operational Risk Seamlessly with Reciprocity ZenRisk
To better manage your strategic and operational risk, rely on technology such as Reciprocity ZenRisk. This comprehensive platform includes risk management, compliance, audit, and policy management capabilities to manage these critical tasks easily.
Our centralized dashboard gives you a holistic view of risk across the organization, showing you where your gaps are and how to address them. Additionally, with universal control mapping and automation, ZenRisk can tie a single control to multiple risk management frameworks so you can avoid duplicate work and documentation.
Get better visibility into risks, see where they’re changing across your organization, and operationalize risk management. Click here to schedule a demo of ZenRisk.