Let me first start by saying that integrating risk management into strategic planning is NOT doing a strategic risk assessment or even having a risk conversation at the strategy-setting meeting; it is so much more. You will also find it difficult to relate if the objectives have not been defined or documented in your company, or if the objectives are not measurable.
Kevin W Knight, during his first visit to Russia a few years ago, said ‘risk management is a journey… not a destination’. Risk practitioners are free to start their integration journey at any process or point in time, however I believe that evaluating strategic objectives@risk can be considered a good starting point. The reason why I think this is a good starting point is because it is relatively simple to implement, yet has an immediate and a significant impact on senior management decision making.
STEP 1 – STRATEGIC OBJECTIVES DECOMPOSITION
Any kind of risk analysis should start by taking a high-level objective and breaking it down into more tactical, operational key performance indicators (KPIs) and targets. When breaking down any objectives it is important to follow the McKinsey MECE principle (ME – Mutually Exclusive, CE – Collectively Exhaustive) to avoid unnecessary duplication and overlapping. Most of the time strategic objectives are already broken down into more tactical KPIs and targets by the strategy department or HR, so this saves the risk manager a lot of time.
This is a critical step to make sure risk managers understand the business logic behind each objective and helps make risk analysis more focused.
Important note: while it should be management’s responsibility to identify and assess risks, the business reality in your company may be that sometimes the risk manager should take the responsibility for performing risk assessment on strategic objectives and take the lead.
– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
EXAMPLE: RISK MANAGEMENT IMPLEMENTATION
VMZ – is an airline engine manufacturing business in Russia. Their product line consists of relatively old engines, DV30, which are used for the medium-haul airplanes Airliner 100. The production facility is in Samara, Russia. In 2012 a controlling stake (75%) was bought by an investment company AVIARUS.
During the last strategic Board meeting AVIARUS decided to maintain the production of the somewhat outdated DV30, although at a reduced volume due to plummeting sales and, more importantly, to launch a new engine, DV40, for its promising medium-haul aircraft Superliner 300.
The Board signed off on a strategic objective to reach an EBT (earnings before tax) of 3000 mln. rub. by the year 2018.
– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
STEP 2 – IDENTIFYING FACTORS, ASSOCIATED WITH UNCERTAINTY
Once the strategic objectives have been broken down into more tactical, manageable pieces, risk managers need to use the strategy document, financial model, business plan or the budgeting model to determine key assumptions made by the management.
Most assumptions are associated with some form of uncertainty and hence require risk analysis. Risk analysis helps to put unrealistic management assumptions under the spotlight. Common criteria for selecting management assumptions for further risk analysis include:
- The assumption is associated with high uncertainty.
- The assumption impact is properly reflected in the financial model (for example, it makes no sense to assess foreign exchange risk if in the financial model all foreign currency costs are fixed in local currency and a change in currency insignificantly affects the calculation).
- The organisation has reliable statistics or experts to determine the possible range of values and the possible distribution of values.
- There are reliable external sources of information to determine the possible range of values and the possible distribution of values.
For example, a large investment company may have the following risky assumptions: the expected rate of return for different types of investment, an asset sale timeframe, timing and the cost of external financing, rate of expected co-investment, exchange rates and so on.
Concurrently, risk managers should perform a classic risk assessment to determine whether all significant risks were captured in the management assumptions analysis. The risk assessment should include a review of existing management and financial reports, industry research, auditors’ reports, insurance and third party inspections, as well as interviews with key employees.
By the end of this step risk managers should have a list of management assumptions. For every management assumption identified, risk managers should work with the process owners, internal auditors and utilise internal and external information sources to determine the ranges of possible values and their likely distribution shape.
– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
EXAMPLE: RISK MANAGEMENT IMPLEMENTATION (CONTINUED)
Macroeconomic assumptions
- Foreign exchange
- Inflation
- Interest rates (RUB)
- Interest rates (USD)
Materials
- DV30 materials
- DV40 materials
Debt
- Current debt
- New debt
Engines sales
- New DV30 sales volume
- New DV40 sales volume
- DV30 repairs volume
- DV40 repairs volume
- DV30 price
- DV40 price
Other expenses
- Current equipment and investments into new one
- Operating personnel
- General and administrative costs
Based on the management assumptions above, VMZ will significantly increase revenue and profitability by 2018. Expected EBT in 2018 is 3013 mln. rub., which means the strategic objective will be achieved.
We will review what will happen to management projections after the risk analysis is performed in the next section.
– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
STEP 3 – PERFORMING RISK ANALYSIS
The next step includes performing a scenario analysis or the Monte-Carlo simulation to assess the effect of uncertainty on the company’s strategic objectives. Risk modelling may be performed in a dedicated risk model or within the existing financial or budget model. There is a variety of different software options that can be used for risk modelling. All examples in this guide were performed using the Palisade @Risk software package, which extends the basic functionality of MS Excel or MS Project to perform powerful, visual, yet simple risk modelling.
When modelling risks it is critical to consider the correlations between different assumptions. One useful tool for in-depth risk analysis and identification of interdependencies is a bow-tie diagram. Bow-tie diagrams can be drawn manually or using the Palisade Big Picture software. Such analysis helps to determine the causes and consequences of each risk, improves how they are modelled and identifies the correlations between different management assumptions and events.
The outcome of risk analysis helps to determine the risk-adjusted probability of achieving strategic objectives and the key risks that may negatively or positively affect the achievement of these strategic objectives. The result is strategy@risk.
– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
EXAMPLE: RISK MANAGEMENT IMPLEMENTATION (CONTINUED)
The risk analysis shows that while the EBT in 2018 is likely to be positive, the probability of achieving or exceeding the strategic objective of 3000 mln. rub. is 4.6%. This analysis means:
- The risks to achieving the strategy are significant and need to be managed
- Strategic objectives may need to change unless most significant risks can be managed effectively
Further analysis shows that the volatility associated with the price of materials and the uncertainty surrounding the on-time delivery of new equipment have the most impact on the strategic objective.
Management should focus on mitigating these and other risks to improve the likelihood of the strategic objective being achieved.
Tornado diagrams and result distributions will soon replace risk maps and risk profiles as they much better show the impact risks have on objectives.
This simple example shows how the management decision-making process will change with the introduction of basic risk modelling.
– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
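The Step 3 analysis as an added Python example (not the author's @Risk model): a seeded Monte Carlo run with correlated materials-price and FX assumptions, returning the probability of meeting the objective and a tornado-style driver ranking. Only the 3000 mln. rub. target and the 3013 base-case EBT come from the text; every coefficient, distribution and the correlation are constructed assumptions, so the result will not reproduce the 4.6% above.

```python
import math
import random

TARGET = 3000.0  # strategic objective from the text: EBT of 3000 mln. rub.

def ebt(mat, fx, vol, delay):
    """EBT in mln. rub.; all coefficients are constructed for illustration."""
    revenue = 12000.0 * vol - 200.0 * delay      # each month of equipment delay loses DV40 revenue
    materials = 5000.0 * mat * (0.7 + 0.3 * fx)  # assume 30% of materials priced in foreign currency
    return revenue - materials - 3987.0          # other costs held fixed; base case gives 3013

def draw(rng, rho=0.5):
    """One scenario; materials price and FX are correlated with coefficient rho."""
    z1 = rng.gauss(0, 1)
    z2 = rho * z1 + math.sqrt(1 - rho * rho) * rng.gauss(0, 1)
    return {
        "materials": 1 + 0.12 * z1,                  # price factor vs. plan
        "fx": 1 + 0.05 * z2,                         # exchange-rate factor vs. plan
        "volume": rng.triangular(0.90, 1.05, 1.00),  # sales volume factor (low, high, mode)
        "delay": rng.triangular(0, 12, 2),           # months of equipment delay
    }

def pearson(xs, ys):
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    return cov / math.sqrt(sum((x - mx) ** 2 for x in xs) * sum((y - my) ** 2 for y in ys))

def simulate(n=20000, seed=1):
    """Return (P[EBT >= TARGET], input-to-EBT correlations, drivers ranked by |correlation|)."""
    rng = random.Random(seed)
    scenarios = [draw(rng) for _ in range(n)]
    results = [ebt(s["materials"], s["fx"], s["volume"], s["delay"]) for s in scenarios]
    p_hit = sum(r >= TARGET for r in results) / n
    sens = {k: pearson([s[k] for s in scenarios], results) for k in scenarios[0]}
    ranking = sorted(sens, key=lambda k: abs(sens[k]), reverse=True)
    return p_hit, sens, ranking

if __name__ == "__main__":
    p, sens, ranking = simulate()
    print(f"base-case EBT: {ebt(1, 1, 1, 0):.0f}")
    print(f"P(EBT >= {TARGET:.0f}): {p:.1%}")
    for name in ranking:  # text-mode tornado: largest absolute correlation first
        print(f"{name:10s} {sens[name]:+.2f}")
```

The base case meets the target on paper, while the simulated probability of meeting it is far lower, which is the gap between a single-point plan and strategy@risk.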
STEP 4 – TURNING RISK ANALYSIS INTO ACTIONS
Risk managers should discuss the outcomes of risk analysis with the executive team to see whether the results are reasonable, realistic and actionable. If indeed the results of risk analysis are significant, then the management with the help from the risk manager may need to:
- Revise the assumptions used in the strategy.
- Consider sharing some of the risk with third parties by using hedging, outsourcing or insurance mechanisms.
- Consider reducing risk by adopting alternative approaches for achieving the same objective or implementing appropriate risk control measures.
- Accept risk and develop a business continuity / disaster recovery plan to minimise the impact of risks should they eventuate.
- Or, perhaps, change the strategy altogether (the most likely option in our case)
Based on the risk analysis outcomes it may be required for the management to review or update the entire strategy or just elements of it. This is one of the reasons why it is highly recommended to perform risk analysis before the strategy is finalised.
At a later stage the risk manager should work with the internal audit to determine whether the risks identified during the risk analysis are in fact controlled and the agreed risk mitigations are implemented.
Bio:
Alex Sidorenko is an expert with over 13 years of strategic, innovation, risk and performance management experience across Australia, Russia, Poland and Kazakhstan. In 2014 Alex was named the Risk Manager of the Year by the Russian Risk Management Association.
As a Board member of Institute for strategic risk analysis in decision making Alex is responsible for risk management training and certification (including creating exams) across Russia and CIS, running numerous risk management classroom and e-learning training programs. Alex represents Russian risk management community at the ISO Technical Committee 262 responsible for the update of ISO31000:20XX and Guide 73 since 2015.
Alex is the co-author of the global PwC risk management methodology, the author of the risk management guidelines for SME (Russian standardization organization), risk management textbook (Russian Ministry of Finance), risk management guide (Australian Stock Exchange) and the award-winning training course on risk management (best risk education program 2013, 2014 and 2015).
In 2012 Alex created Risk-academy www.risk-academy.ru a web portal dedicated to free risk management training for SME across Russia and CIS.
Alex worked as a Head of Risk Management at RUSNANO, one of the largest private equity funds in Russia, specializing in technology investment. Alex won an award for best ERM implementation at RUSNANO in 2014.
Prior to that Alex worked in senior risk roles at Skolkovo Foundation, Strategy Partners, PwC and Deloitte.
Alex recently published his second risk management book called “Effective Risk Management 2.0”. Alex also regularly presents at risk management conferences in Russia and Europe. In November 2012 Alex shot a series of TV programs dedicated to risk management in start-ups. Alex teaches risk management at major Russian business schools including OpUS, Technopark Skolkovo, MIRBIS, MFUA, SKOLKOVO and USIB as well as corporate universities, like Gazprom.
He has successfully completed his double Bachelor degree in Risk Management and Econometrics at Monash University, Australia, achieving the top risk management and statistics student award two years in a row.