“Teamwork makes the dream work.”
This famous saying first coined by clergyman John C. Maxwell is one of my personal favorites and highly relevant in business, sports, family life, and much more.
It’s also highly relevant to the success of any organization, including its risk management.
And by teamwork, I’m not necessarily referring to the people aspect, although that’s certainly a part of it. What I’m referring to is the disparate types of risk and the necessary steps to integrate or harmonize them.
We’ve explored the topic of integrating operational, strategic, and enterprise risk management in the past, but following a recent internal conversation, we decided the original article could use some more details and guidance.
Before diving into the one key component that harmonizes these disparate types of risk, let’s first gain a thorough understanding of what each one is.
In spite of attempts to lump them all together, each of the following have different purposes, and thus, different needs, perspectives, and audiences.
Operational Risks – Consists of process or functional issues within a particular business unit.
Similar to our recent article on risk culture vs. culture risk, an executive I spoke with said they were searching for an enterprise risk management solution to their challenge. After continuing to listen closely, it became clear they were referring to operational risk(s).
This bucket consists of risks that occur within a single department and are typically related to a process or function. Some “operational” risks can be seemingly minor and can either be left as-is or handled quickly.
Using the example of a roof collapse triggered by excessive snowfall, the book Strategic Risk Management: New Tools for Competitive Advantage in an Uncertain Age explains it like this:
Operational risks, like excessive snowfall and the attendant damages, follow a known probability distribution. Storms of varying intensity occur annually, which enables actuaries to estimate the likelihood of excessive snow events and to price hazard coverage accordingly. Likewise, executives can choose from a menu of well-known options to control weather-related risk and to minimize or mitigate its effects.
An operational risk is based on predictable events whose impacts are short-term and only measured in dollars. Insurance coverages can be purchased, or other measures can be taken to reduce or eliminate the impacts.
The main impact of an operational risk, like the roof collapse example, are financial and temporary in nature. The teams who played at the arena where this event occurred were able to play elsewhere until their home facility could be repaired.
Strategic Risk(s) – High-level risks that affect a company’s competitive advantage.
Although many companies don’t, every organization should have a strategic plan with very specific goal(s). Inevitably, there are risk(s) to achieving said goal(s) that must be understood.
On the other end of the risk spectrum from operational risk, Strategic Risk Management describes strategic risks as follows:
Strategic risks are actions or events and the uncertainty they generate that foundationally threaten or enhance a company’s competitive advantage, its pursuit of strategic aspirations, or its viability as a going concern.” [emphasis added]
Understanding and taking action to prevent these events from occurring or reducing their impacts require a bit more effort, especially when you consider they are uninsurable and impact intangible assets like reputation.
Enterprise Risk(s) – Spanning the entire organization at varying levels.
As we illustrated in the original article, enterprise risks are sandwiched in between operational and strategic risks.
Whereas an operational risk will be confined within one department, an enterprise risk spans multiple. If you’re hearing something consistently across multiple departments, then it’s an enterprise risk. Now you are talking about pervasiveness, which is defined by Merriam-Webster as “existing in or spreading through every part of something”. In this case, the risk is spreading through every part of the organization and can also spillover into operations or strategy.
One example of this we’ve been hearing a lot about lately is talent acquisition. Companies are having a tough time finding the right people at a price they are willing to pay, but the departments can’t handle an enterprise risk on their own, because when they do, even bigger problems can arise.
Therefore, to ensure consistency and efficiency, and break down silos, any treatment(s) for enterprise risks need to be handled as one enterprise-wide action.
The secret ingredient to harmonizing these types of risk boils down to one thing – sharing information.
Managing risks in their own silo without any coordination or teamwork can lead to even bigger consequences like a simple operational risk blowing up into a strategic or enterprise risk.
So how can information flow from an operational risk to impact how enterprise or strategic risks are handled?
Answers to a question like this really boil down to your company’s tolerance for said risk and/or your capacity to handle it.
Let’s say a particular operational risk has a financial impact beyond the company’s willingness or capacity to withstand. In this case, it should be escalated to executive decision-makers, as the financial consequences could result in fewer resources for another major project or could morph into a strategic risk if bad enough.
Conversely, if there’s a strategic risk with an operational component, the information will need to flow down or be shared with the business area, so they can take the appropriate action on their end. In some cases, how a particular department operates needs to change to reduce a strategic risk. To succeed at correcting this, the department or business unit has to certainly be involved.
As we explained earlier, enterprise risks have to be handled as one action. If different departments go their own way, the risk could be made worse and/or new ones be created.
In some cases, information from an enterprise risk need to flow into strategy, especially in cases where an enterprise risk needs to be incorporated into strategic discussions.
As you can see, there are huge differences between operational, strategic, and enterprise risks. Handling these risks in isolation can be even more disastrous for the organization, and if we are always talking about breaking down silos within the business, maybe we should think about breaking down the silos within the risk space too.
Therefore, harmonizing or integrating them through information sharing and teamwork is critical for ensuring the risk unit(s) can ultimately help the company succeed in today’s turbulent world.
What other ways can a company harmonize the management of disparate types of risk?
To share your perspective or thoughts on this subject, please don’t hesitate to leave a comment below or join the conversation on LinkedIn.
And if your company is still lumping these risks into one bucket and can’t seem to understand why things keep slipping through the cracks, feel free to reach out to me directly to begin discussing your company’s specific challenges and potential paths forward.
Featured image courtesy of Fauxels via Pexels.com