As Project Managers, we are familiar with the basics of Risk Management. However, at an organizational level, leaders need a focus on strategic risks. So, how does this affect us, and what do we need to know about Strategic Risk Management? In this article, I’ll tell you.
I will cover four obvious questions. And, in doing so, I plan to identify the 10 most important things that Project Managers need to know about Strategic Risk Management (SRM). These are the talking points, if you will, for when the topic comes up and meetings, conferences, or (dare I say?) interviews!
- Why is Strategic Risk Management Important for Project Managers?
- What is Strategic Risk Management?
- What are the Sources of Strategic Risks
- How Do We Do SRM? A Basic Strategic Risk Management Process
Are you ready? Let’s go…
Why is Strategic Risk Management Important for Project Managers?
On the face of it, we have our project risks to manage: why should we worry about bigger, organization-level strategic risks? To me, the answer is simple… It’s our work, and the work of our teams, that delivers the strategic changes that the organization needs.
We must therefore integrate our project-level risk management with organization-level strategic risk management.
Let’s go one step further, though: we have this as a skill set and so are well-placed to influence the mindset of the organization towards a more robust risk-aware culture. We can help managers and leaders at all levels (right up to the C-suite and the Board) to sharpen their risk management practices
Critical Insight Number 1:
Projects Deliver Organizational Strategy
SRM on the Agenda: PMI’s 2023 Report, ‘Building Resilience Through Strategic Risk Management’
As it often does, PMI has released a timely report on an important topic: Strategic Risk Management. It’s called ‘Building Resilience Through Strategic Risk Management’ and you can download it from the PMI’s website.
As is the case with so many recent PMI reports, this combines:
- An easy read about an important topic, with
- A superficiality that left me wanting more depth
However, it does:
- Put Strategic Risk Management on the agenda for many Project Managers
- Present some interesting statistics
– although these seem to come from other organizations’ reports - Raise some interesting insights
– I’ll focus on two below
PMI’s Insights about Technology
The first insight concerns technology. The rise of Big Data, Data Analytics and, more recently, Artificial Intelligence (AI), has been disruptive. In particular, AI could be a major threat to may organizations. And yet it also offers substantial opportunities. This is not the place to go into this, but I do refer you to my coverage of Artificial Intelligence here and on my YouTube channel.
Ut these same tools provide us with a new set of capabilities that can enhance our ability to predict, evaluate, monitor, and perhaps even mitigate strategic risks.
Critical Insight Number 2:
The rise of Big Data, Data Analytics, and Artificial Intelligence have created both strategic threats and opportunities for enhanced SRM.
PMI’s Insights about Resilience
The main thrust of the PMI’s report is simple. A strong risk management culture in an organization can lend it a greater level of resilience to shocks – both internal and external. And that, in turn, can support long-term value delivery and growth.
Critical Insight Number 3:
Building a Strategic Risk Management culture throughout your organization can be a source of lasting resilience and managed growth.
What is Strategic Risk Management?
So, having made the case for Strategic Risk Management, let’s answer the basic question, ‘What is it?’
Strategic risks are risks to the current strategy your organization is pursuing. These risks arise from future trends or possibilities.
This means that strategic risks refer to either:
- Not achieving your chosen business strategy, or
- Achieving it and then finding it was the wrong strategy!
Critical Insight Number 4:
Strategic Risk Management addresses risks to the future of the organization.
However, we can turn this perspective around and look at it from an alternative angle. There is the possibility of one or more major risk events that can have an impact on our overall business objectives and the value of our organization. That value can, of course, be measured in many ways – not just financial.
What is the Goal of Strategic Risk Management?
This all leads us to a simple statement of what Strategic Risk Management is for, its goal or purpose. I do not need to do more than state it…
Critical Insight Number 5:
The goal of SRM is to protect the value of the organization to its stakeholders: shareholders, customers, clients, supply chain, and community.
SRM and ERM: How does Strategic Risk Management differ from Enterprise Risk Management?
If you are familiar with the concept of ERM: Enterprise Risk Management, you may be wondering: ‘What’s the difference?’ How does Strategic Risk Management differ from Enterprise Risk Management?
Enterprise Risk Management is the discipline of overseeing and managing all the risks that an organization faces. These can arise from threats or opportunities:
- To its strategy
- In its day-to-day operations
- From its change initiatives
So, we can illustrate this relationship as a breakdown of enterprise risk…
Critical Insight Number 6:
SRM is just one part of ERM. So too are portfolio, program, and project risk management.
What are the Sources of Strategic Risks
In simple terms, strategic risks can emerge from inside or outside of the organization. Yes, of course they can arise, in part, from both. But by logical necessity, these cover all the options! So, let’s look at them in turn.
Internal Sources of Strategic Risk
The first set of risks arises from within the organization. In no particular order, these include:
- Board miscalculation
- Political manipulation
- Managerial or employee interference
- Operational failings
- Mismanagement
- Project or Program failures
- Poor governance
- Financial inadequacy
- Technology failures
Critical Insight Number 7:
Strategic risks can arise in many ways, from within the organization.
External Sources of Strategic Risk
The second set of risks arises from outside the organization. In no particular order, these include:
- Market shifts
- Transformational technology
- Political, legislative, or regulatory changes
- Natural or human-made disasters
- Societal shifts
- Security and cybersecurity breaches
- Economic shocks
- Epidemics or pandemics
- Reputational damage
Critical Insight Number 8:
Strategic risks can arise in many ways, from outside the organization.
How Do We Do SRM? A Basic Strategic Risk Management Process
Let’s cut to the chase. Strategic Risk Management is important and strategic risks will occur. So we need to be able to carry out SRM. I will cast my articulation of the Strategic Risk Management process in terms of my usual five risk management stages:
- Identify
- Analyze
- Plan
- Implement
- Monitor and Review
However, I’ll add a few notes to each!
Critical Insight Number 9:
There is a straightforward process for carrying out Strategic Risk Management.
Strategic Risk Management: Identification
You can think of identifying strategic risks as a series of steps:
- Start with the organization’s strategy
Understand the elements of the organizational strategy and the KPIs (Key Performance Indicators) that go with it. Many organizations now use OKRs: Objectives and Key Results. I do like the idea of OrKRs, articulated by Hélio Costa as part of his FLEKS Method. These are Objectives, Risks, and Key results. - Identify core strategic assumptions
What are the assumptions on which your organizational strategy is based? You’ll need to test these under the scenarios you identify at Step 5. - Understand your organization’s Risk Tolerance
How much risk is your organization prepared to bear? This is risk tolerance and it will have an impact on how you respond to different strategic risks. - Assess potential futures
Use tools like vision roadmaps and horizon scanning to identify the trends and changes that are likely to impact your organization. PESTLE Analysis and my SPECTRES framework are particularly powerful. You’ll also find my video: How to Survey Changes to Your External Business Environment useful here. - Build a representative set of scenarios
Find a few scenarios that re[resent the range of possible futures. - Examine each core assumption in the context of each scenario
It’s time for the hard work of assessing what the risks are, to each of your core strategic assumptions.
Strategic Risk Management: Analysis
Now you can analyze the strategic risks your organization faces. In particular:
- Likelihoods for each risk
- Impacts, should the risk manifest
- Proximity – if they do occur, when are they likely to impact?
From these, you can prioritize your strategic risks.
Strategic Risk Management: Planning
When you have a prioritized list of risks, the next step is to build risk management plans. These must include:
- What mitigations will reduce the likelihoods and impacts of the risks
- The contingency plans, or fallbacks, should they occur
- How you could transfer some element of the risk
- A plan for communicating the risk and your plan
- Allocation of responsibilities for risk management
You would also include in your strategic risk management plan and process for reviewing the strategy development process, to ensure it follows good practice for considering strategic risk.
Involving Others in Your SRM Process
At this point, I’d like to highlight the value of involving outsiders in your strategic risk management process, upto this stage. These can be relevant experts, of course. You can expect that they can add a lot of value.
But don’t overlook the benefits of a wider diversity of thinking. Non-experts can deliver great value too. Indeed, In the PMI’s report, Carlos Carnelós, of IBM Brazil, says: ‘Taking different people’s perspectives with respect and appreciation fosters the willingness to participate and share’. PMI cites the statistic that 70% of organizations are prioritizing diversity in risk teams. This is excellent news. It also makes a compelling case for using machine learning AI tools in the collection and analysis of risk data.
Critical Insight Number 10:
Strategic Risk Management benefits enormously from a diverse team.
Strategic Risk Management: Implementation
There is a lot to do, but little that needs saying, when it comes to implementing your strategic risk management plans. Be systematic and diligent. Never let up, and constantly revert to step 5…
Strategic Risk Management: Monitoring and Review
Strategic Risk Management is never done – and never good enough. So, keep your processes and outcomes under constant review and improve wherever you can. But, critically, also recognize and celebrate the hard work of the people involved in the process. If they do their job well, nobody outside the process will ever notice. So, you must!
Your Thoughts on Strategic Risk Management
What are your thoughts on Strategic Risk Management? Please do let us know in the comments below.
