Strategic Planning and Risk Management

In the first blog of this series Strategic Planning as an Organizational Learning Model, I suggested that a strategic plan should represent the best of the collective learning of the organization.

My second post dealt with Strategic Planning and the Quality Imperative and positioned the quality management process as a particularly powerful learning window into an organization’s operational process.

This blog, the third in the series, addresses how effective risk management of firm operations can provide an important source of learning to bolster your strategic plan. Given that risk management is, to a large extent, the flip side of the quality coin, it’s surprising that the two are typically not viewed as naturally reinforcing threads in an organization’s path to maturity.

Risks are omnipresent

The risk challenges facing the modern organization are daunting. Perhaps it was ever so; perhaps it is just the pace of change combined with the reach government and private firms have in our post-modern world that magnifies the implications of risk. Scan the news in any 3-month period and you will find no shortage of stories detailing adverse events:

• Automobile recalls involving deficiencies that have or risk having fatal outcomes.
• Food and beverage recalls on a pretty much a quarterly basis. Not infrequently, the food involved is the source of serious illness and even death.
• Failure of public security agencies to anticipate and or adequately respond to adverse events that are either of natural or deliberate causes.
• Pharmaceutical product recalls due to serious side effects, and sometimes even death.
• Failure of financial due diligence resulting in fraud or imprudent investment to the point of bankruptcy.

These events impact not only the government agency or company itself, but also it’s stakeholders, customers, and the financial bottom line in terms of lost revenues, costs of remediating and managing the adverse events, as well as potential liability assessment.

Systemic problems

Recent research by the Aberdeen Research Group demonstrates that firms with a poor risk management track record have a number of systemic characteristics in common:

1. They are reactive rather than proactive i.e., the focus is on recovery rather than avoidance of risk;
2. They channel resources into projects with high ROI potential displacing risk mitigation investments in tough financial times; and,
3. They focus risk mitigation only on internal segments of the supply chain; of course, an adverse event can originate anywhere in the value chain.

In contrast research shows that better firms are adopting dynamic enterprise-wide approaches aimed at Best-in-Class performance by:

• Establishing a risk-based strategy and providing a harmonized view of risks across operations to the executive team;
• Aligning goals and metrics to foster collaboration across the organization and supply chain partners; and,
• Fostering engagement through role-based visibility and workforce training.

Actions, capabilities and enablers

Here’s a quick summary of actions, capabilities and enablers you’ll need to consider to reduce the impact of operational risks to financial and reputational goals:

Adopt goals

• Create/improve visibility into the top risks impacting operations
• Invest in organizational capabilities and engagement
• Invest in technologies

Build capabilities and engagement

• Established executive sponsorship for risk program
• Cross-functional teams to improve risk & asset performance
• Standardized risk quantification KPIs processes across the enterprise
• Contingency policies and escalation procedures established for response to adverse events

Deploy enablers

• Risk Management
• Incident Management
• Master Data Management
• Risk analytics
• Risk dashboards
• Audit Management

Operational risk-management framework components

Successful implementation of a proactive risk-management capability requires policies and processes that provide a coherent framework:

1. Standardized risk assessment process;
2. Standardized risk quantification process;
3. Standardized risk prioritization processes; and,
4. Contingency policies and escalation procedures for responding to adverse events

This framework requires a number of critical enablers, significant among which are the following:

1. Organization Enablers

Establishing a risk-based culture and getting employee buy-in is critical. To create such a culture, first gain support from senior management on operational risk management initiatives by establishing a C-level executive sponsor for risk programs such as a Chief Risk Officer or VP of Operations and Quality.

A good example of the drive to instill a risk-based culture is BP’s recent naming of a Chief Risk Officer with the authority to shut down operations when risk thresholds are reached.

Second, use cross-functional teams lead by the Chief Risk Officer to design and deliver the risk plan implementation. The team is responsible to implement strategic risk management with balanced production, asset and corporate goals.

Third, establish defined roles and responsibilities across all levels of the organization in the case of an adverse event.

Finally, test the adequacy of your adverse events response capabilities by conducting exercises on a regular basis to build awareness of responsibilities and to build the confidence to act intelligently and promptly.

2. IT & Information Management Enablers

For your risk decisions to be effective, employees must have access to the right data at the right time and in the right form.

This requires collecting the appropriate data for the Risk Management Framework outlined above, and turning that data into actionable information.

Relying on manual processes for managing risk is inherently expensive, time consuming, and unreliable. A Risk Traceability Portal which provides information on the cost of quality, compliance statistics, asset condition and reliability (plants), and health and safety are all critical for making predictive risk-based decisions – both to predict and prevent future events.

Audit reviews are key to understanding what caused the adverse event, and to provide a business case for correction.

The importance of taking decisive action when adverse events occur must be understood in terms of the potential cost to remediate, the damage to the company brand, and the potential legal liabilities. Consequently, it is important to gain access to non-conformance alerts in real-time in order to keep a minor injury or product recall from becoming a catastrophic event. Supply chain visibility, as well as plant quality data, enables employees to minimize high-probability/low-risk events and provides critical information to prevent low-probability/high-risk events with dire consequences.

3. Performance Management

Key Performance Indicators (KPIs) provide a standard set of metrics across the enterprise to measure the performance of programs. Enterprise-wide KPIs reflecting risk exposure and costs allow firms to measure their success in a consistent fashion and identify areas in need of improvement. Also, such data is a useful indicator of best practices that can be migrated across the entire organization.

Use all of the tools in the box

With risk exposure an ever-present fact, a robust risk management framework, supported by disciplined and engaged management and employees, IT and information tools, and an effective set of KPIs, can be a powerful source of learning to inform an organization’s strategic agenda.