Strategy does not just happen. It is the result of a systematic process and risk management is at the core.
Strategy is a dynamic process characterized by three distinct stages: formulation, implementation, and evaluation. The first phase creates strategies and plans, the second and third are their execution. The entire process consumes a great deal of information, but it also generates its own information, all of which needs to be described and analyzed. New information is arising constantly and must be gathered and placed back into the process through feedback loops.
These loops should occur along every step if the process is going to yield strategies that are effective and timely. Such feedback allows for strategic adaptation to evolving environments, and drives the dynamics of the process. Among the most important bits will be information about risk.
Strategic information needs can sometimes appear enormous and overwhelming. Inevitably, much of the information will prove to have little strategic value, but it is necessary to collect large volumes to capture the most useful information. Some of the excess information may be discarded, but often it is better to simply set it aside for the moment. It is not easy to know what information might be useful later in the process.
Process over plan
The point is that a disciplined strategic process yields the most effective strategies by organizing, structuring, and analyzing information. This method maximizes the likelihood of finding the most valuable bits of information, those that contribute to the success or failure of a strategic course of action. Important among these is risk information.
The process trumps the plan. There is an entire industry of consultants, software providers, and vendors who offer corporations very expensive strategic planning assistance, but some make the mistake of emphasizing the plan over the process. Some corporations lack the understanding that the real value of planning is not the plan itself, but the disciplined process that gives rise to a plan. In the words of President Eisenhower, “plans are worthless, but planning is everything.”
Central to the process is the development of competitive advantage and the creation of the value chain. Risk management and analysis are essential components of both.
The graphic above shows the three stages of the process, the first of which is formulation. The very first steps are the creation of the vision and mission statement (which includes the value proposition, the antecedent of the value chain and competitive advantage), and the analyses of internal and external factors facing the company. This, of course, is the SWOT.
Robert S. Kaplan and Anette Mikes of the Harvard Business School argue that there are three types of risk: preventable, strategic, and external. Their framework follows the SWOT faithfully. Preventable risks are internal to the company and are controllable. In SWOT parlance, they are Weaknesses. Their opposite, external risks, are outside the company and beyond its control. They are Threats. A company takes strategic risks in order “to generate superior returns.” The competitive advantage is defined, in part, by the returns the value chain generates relative to the industry.
Risk at the center of the process
Obviously, whenever risks are encountered in strategy formulation, they should be analyzed. Risk policies and plans should be developed to manage them. During execution, feedback will include information about all three types of risk, and this should be sorted, analyzed, and integrated back into the process. The company’s risk management system can then go into action and the measures it generates can be evaluated for their effectiveness.
I have previously argued that risk management is integral to the value chain and to competitive advantage. Risk management’s central role derives from the fact that risk is at the core of the process that formulates and executes strategy. The extent to which the process fails to account for and analyze the risks inherent in the formulation and execution of corporate strategy is a good indicator of the likelihood the strategy will fall short of its goals, or fail outright.
Of course, it is not possible to identify and account for all three types of risk when thinking through a strategy. Nor is it necessary to do so. If the process makes use of information feedback loops, shortcomings within the corporation and threats facing it in the external environment will become known to the process and can be analyzed and accounted for then. Adjustments can be made to the value chain and the competitive advantage can be calibrated.
Like strategy, risk management is a dynamic process that must be formulated, implemented, and evaluated. It is a constant process making ongoing demands from management. Just as managers are expected to take continuous measures to improve performance, they must pay constant attention to the risks that make their performance possible, and which can cripple or augment returns.