Analysing Strategic Risks

I have previously written on the difference between strategic and operational risks.

In that blog I highlighted the difference between the two as shown in the diagram below:

Strategic Risks and Operational Risks

I have been thinking recently whether, based on the difference between the two types of risk, we might also need a different approach to the analysis of the risks.

Having thought this through and following a bit of trial and error, I have developed a separate set of criteria for strategic risks, as described below.

Likelihood Criteria

The level of control surrounding strategic risks is extremely limited (if there is any at all), so the likelihood needs to be based on the level of visibility/discussion of the issue in the public domain and/or the government policy considerations.  To that end, the following is an example of the spectrum of likelihood criteria for strategic risks within a university:

Likelyhood criteria

As an illustration:

Currently the issue of deregulation of university funding has not been raised for some considerable time, given the previous backlash.  The current likelihood could, therefore, be assessed as Unlikely.

Let’s move forward two years and the government of the time commissions a report to fully investigate the current funding model for universities, including reviewing a possible means test based on funds held, assets, income producing IP etc.  On the basis of this report, and the fact that the media is reporting it, the likelihood has increased to Possible.

The report is delivered to the Government and it recommends a tiered level of funding based on a means test and it has accepted the recommendations. There will, obviously, be some further consultation with the sector to determine potential impacts, however, at this stage, the likelihood would need to change to Likely.

Consequence Criteria

As stated previously, the consequence level for each strategic risk needs to be assessed on the level of change/disruption that arises as a result.

To that end, the following is the matrix used for determining the consequence of strategic risks within the University:

Consequences of risk

In the risk previously discussed, it is most likely that the consequence would be Significant.

Risk Matrix

As we have three consequence ratings and three likelihood ratings, we obviously require a 3×3 risk matrix.  The following is the risk matrix used to determine the level of strategic risk for a university:

Risk Matrix

The risk level, therefore, for our identified risk is Medium then High and then Extreme.  There will be different actions that need to occur as the risk level rises, as shown in the table in the next section.

Actions to be taken

The table below identifies the actions required for each of the squares in the risk matrix:

Actions to be taken

As can be seen, the linking of the actions to the risk level allows for forward, proactive planning, rather than reactive planning if the risk does materialise.

Summary

The simple fact is that strategic and operational risks are different, and, therefore, it follows that they must be analysed in a different manner.

Recently, in the risk management frameworks developed for organisations, I have included both.

Learn more about risk management – find a course to suit you!

SUBSCRIBE TO OUR NEWSLETTER
Unleash your inner risk gladiator! Join our mailing list for all the latest news, tips, and special offers.
FREE RISK MANAGEMENT E-BOOK
This free E-book dives into risk management, exploring the issues and concepts involved in effectively managing risks in an accessible and comprehensive manner applicable to organisations of all shapes and sizes.
{Download-submit}