People sometimes ask how we should define “strategic risk”. Fortunately this simple question has a simple answer. But answering this question can also help us to define any other type of risk. First let’s consider “strategic risk”:
- One basic definition of risk is “uncertainty that matters”. We can expand this into a more formal definition such as “any uncertainty that, if it occurs, will affect achievement of objectives”. Or we can keep it simple, like the definition in the international risk standard ISO 31000:2009, where risk is “effect of uncertainty on objectives”.
- So risk always involves uncertainty. But risk matters because it has the potential to affect objectives.
- This means that each risk must be linked to at least one objective. Risk cannot be defined in a vacuum or without a context. Wherever we find a risk, we will also find something that is “at risk”, which is our ability to achieve our objectives.
- Organisations have different types of objectives, ranging from high-level corporate objectives down to detailed technical or operational objectives. Each type of objective can be affected by uncertainty. So where there are multiple levels of objectives, there are also multiple levels of risk.
- People who are interested in strategic objectives need to know about any uncertainty that could affect their ability to achieve those objectives. So now we can define strategic risk. It is “any uncertainty that if it occurs will affect achievement of strategic objectives”.
And there you have it – simple!
We can use the same thinking to distinguish a variety of risks, by linking them to a range of different objectives. For example:
- Project risks are uncertainties that would affect achievement of project objectives
- Technical risks affect achievement of technical objectives
- Environmental risks affect environmental objectives
- Reputation risks affect reputational objectives
- Safety risks affect safety objectives
- Personal risks affect personal objectives
- and so on
The distinctive characteristic of strategic risks is that they are linked to strategic objectives. This is also important when we consider risk ownership. Each risk should be owned by the person who owns the objective that would be affected. So strategic risks usually have senior management owners, since these are the people who are responsible for achievement of strategic objectives. In the same way, project risks are usually owned by people at the project level, most technical risks are owned by technical staff, and each one of us has to take responsibility for managing our own personal risks.
Defining risk at different levels is easy. Start with the objectives at that level, and look for the uncertainties that matter. Only then can we manage risk wherever we encounter it.
[© Copyright April 2012, David Hillson/Risk Doctor & Partners]