Learn how to harness strategic risk and improve your operations

Types of strategic risk

Strategic risks typically fall into nine distinct categories. Identifying and safeguarding the business against each risk is a group effort that involves senior managers from different business departments. Typical strategic risks include:

• Change. Technologies and infrastructures constantly evolve -- often creating new problems and opportunities. Consider the impact the public cloud has had on the opportunities and costs of IT infrastructure management. Similarly, ML and AI systems are changing how organizations make decisions and operate. Change can place unexpected pressure on strategic plans, requiring organizations to reconsider and adapt their policies over time.
• Competition. Businesses rarely exist alone in an industry. Fierce financial and technological competition can erode competitors' sales or market shares. Understanding competitive risks requires keen knowledge of competitor activities, goals, innovations and capabilities.
• Demand. Users are always looking for something newer, better and cheaper. Buying habits shift over time -- often unexpectedly. Meeting demand requires command of the marketplace and user expectations to ensure products and services continue to meet user demands.
• Economy. Changing economic forces -- perhaps politically fueled -- influence the organization's ability to market goods and services. A recession or faltering domestic economy can make goods and services less desirable as consumers seek to cut spending.
• Financial. The long-term health of any business is often measured by metrics such as revenue and debt. The availability of funds can affect the organization's ability to innovate new products or expand its sales efforts. If funds are curtailed by lawsuits and onerous judgments, misjudged sales predictions or poor ongoing management, the business may not be able to meet its strategic goals.
• Operations. Operational risks affect the organization's ability to function. Using aging or unreliable equipment raises the possibility of mechanical disruption as well as quality problems. Poor IT infrastructure -- such as cybersecurity preparedness -- might increase the chance that the company will be hacked or suffer from malicious incidents. A data breach due to poor cybersecurity also opens up the company to fines and penalties from regulatory authorities.
• Political. Political decisions can influence the supply chain, shift the pricing of parts and raw materials and even change the market acceptance of the organization's products and services. Paying careful attention to governmental activity and participating in industry lobby groups can help a business navigate the political landscape.
• Regulations. Regulations and legislation are always evolving and these changes place a greater burden on the organization and its ability to generate revenue. Consider the weight of governance factors such as data sovereignty or the demands of data regulations like GDPR. Emerging regulations can disrupt the business, shift personnel responsibilities, require new technologies or infrastructure and require new governance. Foreseeing and meeting regulatory requirements often requires dedicated and knowledgeable staff.
• Reputation. Businesses can make mistakes. Incidents such as data -- or other regulatory -- breaches or major lawsuits targeting product design or manufacturing defects can all result in damage to the organization's reputation and business valuation. Integrity and transparency in both management and operation helps a business weather reputational risks.

Strategic risk vs. operational risk

The terms strategic and operational are often used interchangeably. While the two terms are interrelated, they represent significantly different timeframes. Strategic risk is long-term and emphasizes the organization's ability to meet its goals. Operational risk focuses on immediate or short-term impacts caused by incidents or events. Operational risks can affect strategic outcomes.

Common risk assessment methodologies

Risk is assessed in various ways. The actual methodology is often based on the amount of factual versus anecdotal information that the business possesses as well as the demands of the business and its related industry vertical. General risk assessment methodologies primarily fall into the following seven categories.

1. Asset-based. An asset-based risk assessment methodology protects the organization's assets based on their value to the business and the potential damage if lost or compromised. Common assets include business data, infrastructure and applications and intellectual property. These assessments involve creating an asset inventory, identifying the main risks to those assets, finding potential vulnerabilities that could jeopardize those assets and assessing the likelihood and severity of each risk. This is an extensive and exhaustive analysis that may not be suited for all cases.
2. Dynamic. This is used to quickly address new or unforeseen risks previously unidentified. The goal is to develop ad-hoc answers to sudden risks attributable to human error, system failures or environmental issues. Dynamic methodologies are not used alone, but are often employed as a fallback approach when new issues occur that aren't covered by an existing risk management strategy.
3. Qualitative. Qualitative methodologies use classifications rather than specific numerical ratings to detail the probability of risks. Qualitative approaches help the business explore a range of scenarios. Keep in mind that qualitative assessments are not measurable. Any responses -- such as yes or no, or high or low -- are often subjective based on the experience of the individuals performing the risk assessment.
4. Quantitative. Quantitative methodologies use a numerical scale to objectively measure risk probability and severity. Typical quantitative methodologies include Monte Carlo analysis or failure mode and effects analysis. In practice, numerical probabilities of likelihood and impact can be multiplied to yield a severity score plotted to form a matrix that helps prioritize potential risks. Not all risks, however, are readily quantifiable. Inaccurate estimates can be costly, and the methodology requires extensive data and expertise to perform properly.
5. Semi-quantitative. This offers a hybrid blend of quantitative and qualitative analysis, using both a numerical scale and categories to build a clearer understanding of potential risks. This methodology provides a more comprehensive risk assessment, with a high level of objectivity. It's often preferred when a fully quantitative analysis can't be performed. Some amount of subjectivity can complicate results or require more discussion before making decisions.
6. Threat-based. A threat-based methodology is often used within IT and cybersecurity. It's intended to identify both risks and contributing conditions. If hacking is a risk, leadership will use threat-based risk assessment to predict -- and prevent -- potential vectors of attack. Although this methodology is detailed, it offers limited scope and requires great technical expertise. This approach is often combined with other methodologies.
7. Vulnerability-based. Vulnerability-based risk assessments first focus on internal or known vulnerabilities and systematically extend the assessment into external risks. This is the reverse of other methodologies, which start externally and then seek to address each risk internally. Vulnerability assessments offer detailed and actionable results, but their scope is narrow because they can only deal with known vulnerabilities. Incomplete knowledge will significantly limit the usefulness of this novel approach.

Best practices to tackle strategic risk

Every business is different and each industry vertical presents its own set of unique demands or challenges. As a result, there is no single approach to master strategic risk. Yet, there are several best practices that can help an organization and its leadership get ahead of challenges, including:

• Set a business strategy and objectives. Risk management is worthless unless it's guided by a sound business strategy -- goals that the business seeks to accomplish. Without goals, it's difficult (even impossible) to evaluate the risks associated with attaining those benchmarks.
• Select a methodology. Businesses have an array of tools designed to help identify internal and external risks. These can range from traditional SWOT analyses to holistic balanced scorecards, risk assessment matrices and even detailed risk management frameworks incorporating advanced ML and AI. The key here is not only to identify risks but also define them according to their likelihood. A methodology helps ensure that management uses a common approach and can keep key stakeholders aware of risk profiles.
• Collaborate, collaborate, collaborate. A business may be led by a single person, but strategic risk assessment and management is a team sport. Wise leaders will collaborate with stakeholders and experts across the organization to craft a risk assessment framework that allows participants to share their risk management insights.
• Adopt KPIs. KPIs provide quantifiable metrics that measure an organization's ability to identify, evaluate and mitigate risks. There are many potential KPIs, among them the number of risks identified, percentage of risks monitored, percentage of risks mitigated, time-to-resolution of an identified risk incident, severity of risks and frequency of risks. The idea is to adopt KPIs that meet business needs while allowing the organization to drill down to discover more information about why risks lead to incidents and how risk planning and incident response can be improved.
• Adopt key risk indicators (KRIs). KRIs are forward-looking indicators that help organizations examine and indicate potential risks. Among other benefits, KRIs let a business foresee changes that could alter the risk landscape, establish the organization's tolerance for those indicators and set action triggers -- such as updating the risk assessment or implementing a new technology.
• Use comprehensive monitoring and reporting. Review risks, monitor KPIs and KRIs and implement a comprehensive reporting process that conveys updated strategic risk information to leadership and key stakeholders. Frequent review can help a business manage risk, shift strategies in a timely manner and maintain preparedness to address incidents when they occur.

Approaching strategic risks in your organization

Strategic risk management encompasses a wide range of considerations and domains. It requires a comprehensive, systematic and collaborative approach to govern risks both inside and outside of the organization's direct control. The most widely used approach involves four iterative phases:

1. Identification. What are the risks? Gather input from stakeholders across the business, including sales, finance, technology, product development, manufacturing, legal and regulatory. Consider the varied risks -- list them all -- and arrange them in order of importance or impact.
2. Probability. What is the likelihood that a particular risk emerges as an event or incident? Weigh risks by their probability and rank the risks accordingly. An earthquake might be a catastrophic risk to a data center and the organization's ability to function, but a business unit based in a region where temblors rarely occur means that risk can be reduced. Conversely, a cyberattack can carry profound impacts on the business, but an organization without sound cybersecurity postures or data security policies might flag such risks as a far higher probability. Be pragmatic.
3. Strategize. Develop and implement risk mitigation strategies that highlight risks with the highest probability and carry the greatest impact. Each risk requires its own strategy and response. Cybersecurity, for example, might need a mitigation plan that involves upgrading hardware and software, implementing identity and access management, better monitoring and alerting and issuing acceptable use policies for employees.
4. Monitor. Strategic risk management is not a one-time effort. Monitor risks and adjust or update strategies as business conditions change or new risks emerge. Perform objective post-mortems when risks become incidents. Consider the effectiveness of those strategies and allow experience to guide your strategic decisions.

Stephen J. Bigelow, senior technology editor at Informa TechTarget, has more than 30 years of technical writing experience in the PC and technology industry.