Strategic v Operational Risk

Hello, and welcome to this session.

What I’m going to talk about here is the difference between strategic and operational risk. This is an area that I’m often asked the difference between the two.

When I look at a lot of strategic risk registers maintained by boards and senior executives in organisations, what I tend to find is there are a lot of operational risks being pushed off as strategic risk. Now for me strategic risk is something that is outside the control of the organisation, that is out in the environment within which you are operating.

So, things like the legislative environment, regulatory environment, competitive environment are looking at strategic risk. Let’s say a government organisation reduces funding without any commensurate reduction in responsibilities – that is strategic risk to the organisation. For a council, an amalgamation of a number of councils is a strategic risk. But what I’m finding in these strategic risk registers are things like a major fraud event or somebody dies – they are operational risks.

Yes, they might have strategic consequences or consequences that affect the enterprise, but they still need to be managed down at the lower levels of the organisation. They need to be managed at the lower levels of the organisation but operated up to the board; it is not the remit of the board to actually manage those types of risk. They need to be focusing out.


Because they’re setting the strategic direction of the organisation so they need to be aware of the environment so they can adjust strategic direction if necessitated by a change in that environment.

If they are continually focused down in the operational area then they might miss those triggers that would mean they need to change their strategic direction. So the lesson out of all of that is for the board and senior management in terms of strategic risk – look out. For those underneath, your CEO and managers are focused on operational risks in terms of making sure they are managed so we can achieve the strategic direction that is being set by the board.

As a board you cannot focus on those operational risks you are going to become mired down in managing those and not only that it’s not your responsibility, you have given charge to the CEO to do that.

So have a look at your strategic risk registers and actually ask yourself how many of those are strategic.

That’s all I have for this session. As always let’s be careful out there.

Unleash your inner risk gladiator! Join our mailing list for all the latest news, tips, and special offers.
This free E-book dives into risk management, exploring the issues and concepts involved in effectively managing risks in an accessible and comprehensive manner applicable to organisations of all shapes and sizes.