The quality strategy is about making the right decision at the right time which requires quality information.
From Wikipedia: “Strategy is a general, undetailed plan of action, encompassing a long period of time, to achieve a complicated goal.”, while “Risk management is the identification, assessment, and prioritization of risks followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of strategy.”
So while they intersect, Risk Management and Strategy Management are not the same. If the strategy is like GPS, will risk management just like brake?
1. A good Strategy vs. An Effective Risk Management (RM)
The quality strategy is about making the right decision at the right time which requires quality information. It's all about being efficient and effective. The ability to influence, initiate and manage change is dependent on organizational culture.
- A Quality Strategy includes RM guideline: A good strategy includes a set of choices, a comprehensive guideline, a series of actions, and a right set of metrics to measure result. Understanding business risks and addressing them is part of Strategy. One also has to identify where the risks are within the strategy, particularly what factors may keep you from executing the strategy. But Strategy is more than risk management, it really identifying what it is you want to do and how you want to do it An effective RM practice will make strategy closer to reality; A quality strategy is dependent on sound risk management practice
- An Effective RM has strategic Dots: Risk management is also not just about risk mitigation, every risk has opportunities (which leads to new strategy), from risk control to risk resilience , and then, to risk intelligence, risk management has strategic dots need be connected. Risk should be seen in a much more positive light as it creates many opportunities for those that wish to see beyond a defensive response. Those that see risk defensively and with pessimism are more likely to avoid risk management altogether, but when they do often, risks are overstated and cause paralysis. Those that take a very objective and pragmatic view of risk are more often than not the ones who come up with imaginative and innovative ways to turn it to their advantage. Good risk managers see that risk can provide very exciting opportunities.
- A strategy is to plan inevitable, while RM is to prepare for inevitable: Strategy Management is a bit of a misnomer. "Management" is the process of orchestrating inputs towards outputs, whereas "Strategy" is the approach taken to achieve the outputs. Management comes after Strategy, as Strategy defines the course to be navigated while management ensures the organization stays on the course. Of course, you could define "Strategy Management" as the process of developing, communicating and updating the Strategy, but this is not the same as the Strategy itself, but rather the governance of the organizational process around the Strategy.
2. Strategy is Management Practice, Risk Management is Governance Discipline
You can determine and 'manage' a strategy without risk management (albeit you'll be relying on luck over good business acumen) but you can't effectively manage risk without knowing the strategy.
- Strategy planning is usually a management practice, and risk management is governance discipline, they have interdependent relationship, on one side, they need be managed independently at higher level, such as executive team crafts strategy, but board oversees risk/governance, on the other side, they are not completely silo, should always be interactive, communicative and mutually enforce with either other at operational level, to ensure business effectiveness
- The strategy should balance the creation/maintenance/maximization of value against risk. Strategy and RM are different management discipline, but correlate and enforce with each other; strategy tends to be more of a top-down construct while risk management needs to operate in a complete cycle at all levels of the organization. Because without good risk management the opportunities which it creates cannot be properly transferred into value. Good governance will ensure the correct forum at the right level will discuss this balance and propel the right information up into the decision-making levels so that to best strategy can evolve.
- Trying to merge Strategy and Risk into a single amorphous activity is a recipe for chaos. Businesses need to separate the activities pertaining to strategic goals, from those which mitigate risks; otherwise, you might be bogged down in the process when trying to reach these goals. Risk Management applies also at lower levels than strategic. Good project planning assesses project risks and mitigates the known risks by planning for them. A project may be the result of the strategy, but project planning is not strategy planning. Keeping Strategy and Risk separate enables organizations to be more efficient and responsive.
3. RM Mechanism Embedded into Key Processes for Execution
A good strategy planning always includes execution as part of the strategy, and risk management mechanism should be well embedded into business process for execution. In addition, risk management is not only for bottom line, statistically, the organizations with better GRC management discipline outperform competitors significantly, so strategy and risk management does have inter-related structure to mutual enforce with each other
- An embedded Risk Management system will identify right down to the lowest level in the business all the risks the business has and these will be scored and passed upwards - each layer of management adding their bit and consolidating those below them until you have a top level Risk Register which the board should consider regularly and frequently alongside its appraisal of progress towards the strategic goal.
- How the Feedback loops should be handled: From a purely theoretical standpoint, it is easy to distinguish between the two as methodologies and map where the overlaps should exist and how the feedback loops should be handled. What happens when one or both are not implemented correctly. For example, what happens to strategy when a risk is overstated or incorrectly understood because the risk management methodology is poor?
- Worst scenarios are where risks are identified but overridden by cost, a lower priority or failure to recognize the cumulative impact of a number of low priority / low impact events. Issues become inevitable, resulting in delays and cost blowouts. Generally, these scenarios would be brought about by the need for rapid change to improve financial / service performance (in an environment where underperformance was entrenched) or where financial performance has a higher focus / priority than operations.
Therefore, a good strategy management needs to incorporate a solid Risk Management plan, however, Risk Management is a different concept which spans the organization from business operations to technology. Risk Management, in the context of Strategy Management, is how many obstacles and opportunities affect journey from A to B.