Strategic vs Operational Risk

Well hello and welcome to this session.

One of the questions I’m asked the most on my training courses what is the difference between a strategic and operational risk. It’s a really good question and it’s one that isn’t well-defined and I see Boards and other larger organisations in their strategic risk register they’ve actually got a lot of risk in there that are truly operational.

Before we answer that question let’s look at what the responsibilities are, so the Board or the Senior Executive they’re there to draw the strategic direction of the organisation. They pass or they delegate the day-to-day operation of that organisation to the CEO and to management staff. As part of that they are also managing the risk to the day-to-day operations of that organisation.

It’s not the Boards responsibility to manage those risks it’s the Boards responsibility to get assurance from the CEO and the management that those particular risks are being managed effectively. This is how I define strategic versus operational risk.

A strategic risk to me is something that is external to the organisation that if it occurs forces a change in strategic direction of the organisation. There are a couple of things there, first and foremost it’s external to the organisation so things around WH&S and fraud and all those things don’t get a Guernsey there, it’s all external.

It forces a change to strategic direction. Now, what we look at there are things around legislations and regulations. We look at things like the competitive environment, we look at things like the severe weather events or locations. So essentially what we’re aiming at here is looking at those events or those particular risk s that would force us to change a strategic direction. An operational risk on the other hand is an event that’s internal or external to the organisation that will actually impact your ability to achieve the current strategy that you’ve got. Because if you look at the definition of risk and I’ve talked before about what I think about the definition of risk but the effective uncertainty of objectives, well of course, objectives are the lower levels in terms of building block for achievement of your strategy. So if there is a risk or an event that has an impact on your objectives then by definition it will have an impact on the achievement of your strategy.

In summary, we look at two types of risks, the strategic risk, something that emerges from external environment that’s going to have an impact on you, that would force a change to the strategic direction. Whereas your operational risk is something internal or external that would impact on your ability to achieve the current strategy.

So they are very, very different. Have a look at the strategic risk registers you’ve got and ask yourself the question is this external or is it operational or is it purely strategic. I think you’ll find as I have that so many have the risk that I see in strategic risk registers are actually operational risks. Let’s get our Boards, let’s get our senior executives focusing on those things that truly could change the strategic direction of the organisation.

So, that’s all I’ve got for this session and as always let’s be careful out there.