Preventable, Strategic and External Risk – What is the Difference and Why Should You Care?
Have you ever felt that your risk management endeavors are an overwhelming task that produces little value?
The root of this problem is what appears to be a crushing number of risks with no clear link to your strategic objectives, a lack of alignment on where the primary responsibility for managing various risks should lie, or both.
A paper produced by Robert Kaplan and Anette Mikes from the Harvard Business School offers some useful insight to address these types of challenges.
Kaplan and Mikes suggest that risks can be grouped into three broad categories:
Preventable risks are typically operational in nature and efforts should be made to manage exposure to these risks, reducing them to a very low level or eliminating them if possible. Examples of these risks include unauthorized access to your premises or a lack of tested backups of critical information holdings.
Strategic risks include risks that are relevant to your strategic objectives. Strategic risks are not necessarily undesirable because it is necessary to take some risk to achieve your objectives. The goal with strategic risks should be risk mitigation – measures reducing their potential impact and probability of occurrence to an acceptably low level.
External risks arise from outside your organization, and you generally have no control over them. An example for many not-for-profit organizations is the impact of the Phoenix payroll system, which has contributed to reduced charitable giving. Impacted organizations cannot do anything to directly address this risk, but they need to be aware of it to mitigate the impact on their organization.
So where should attention to risk management be directed?
- For the most part, preventable/operational risks should be addressed by management.
- The board should direct the bulk of its attention toward strategic risks.
- Both management and the board should direct attention toward external risks because doing so effectively requires strategic awareness of what external risks might impact your organization, and the broader the perspective, the better.
Applying the risk management perspective shared by Kaplan and Mikes to your organization can help you get a handle on what might seem to be a never-ending collection of identified risks. This approach can help you determine which types of risks should be managed by whom in your organization. Over time, risk management should feel less overwhelming and you should see greater value from your investment in the area.