Analysing Strategic Risks
I have previously written on the difference between strategic and operational risks.
In that blog I highlighted the difference between the two as shown in the diagram below:
I have been thinking recently whether, based on the difference between the two types of risk, we might also need a different approach to the analysis of the risks.
Having thought this through and following a bit of trial and error, I have developed a separate set of criteria for strategic risks, as described below.
The level of control surrounding strategic risks is extremely limited (if there is any at all), so the likelihood needs to be based on the level of visibility/discussion of the issue in the public domain and/or the government policy considerations. To that end, the following is an example of the spectrum of likelihood criteria for strategic risks within a university:
As an illustration:
Currently the issue of deregulation of university funding has not been raised for some considerable time, given the previous backlash. The current likelihood could, therefore, be assessed as Unlikely.
Let’s move forward two years and the government of the time commissions a report to fully investigate the current funding model for universities, including reviewing a possible means test based on funds held, assets, income producing IP etc. On the basis of this report, and the fact that the media is reporting it, the likelihood has increased to Possible.
The report is delivered to the Government and it recommends a tiered level of funding based on a means test and it has accepted the recommendations. There will, obviously, be some further consultation with the sector to determine potential impacts, however, at this stage, the likelihood would need to change to Likely.
As stated previously, the consequence level for each strategic risk needs to be assessed on the level of change/disruption that arises as a result.
To that end, the following is the matrix used for determining the consequence of strategic risks within the University:
In the risk previously discussed, it is most likely that the consequence would be Significant.
As we have three consequence ratings and three likelihood ratings, we obviously require a 3×3 risk matrix. The following is the risk matrix used to determine the level of strategic risk for a university:
The risk level, therefore, for our identified risk is Medium then High and then Extreme. There will be different actions that need to occur as the risk level rises, as shown in the table in the next section.
Actions to be taken
The table below identifies the actions required for each of the squares in the risk matrix:
As can be seen, the linking of the actions to the risk level allows for forward, proactive planning, rather than reactive planning if the risk does materialise.
The simple fact is that strategic and operational risks are different, and, therefore, it follows that they must be analysed in a different manner.
Recently, in the risk management frameworks developed for organisations, I have included both.
Learn more about risk management – find a course to suit you!