Strategic and operational risks
Examining the risks in terms of their potential impact and probability of occurrence.
Risks are bound up with all aspects of business life, from deciding to launch a major new product to leaving petty cash in an unlocked box. The SBL exam syllabus highlights risk management as an essential element of business governance. The examiner has emphasised that being aware of all possible risks, and understanding their potential impact – as well as the probability of their occurrence – are important safeguards for investors and other stakeholders.
In order to provide a structure for risk analysis, and to help allocate responsibility for managing different types of risk, risks need to be categorised appropriately. One method of risk classification is to reflect broad business functions, grouping risks relating to production, information technology, finance, and so on. However, directors also have to ensure that there is effective management of both the few risks that are fundamental to the organisation’s continued existence and prosperity, and the many risks that impact on day-to-day activities, and have a shorter time frame compared with longer-term strategic risks. These two types of risk can be categorised as strategic and operational respectively. Having categorised risks, management can then analyse the probability that the risks will materialise and the hazard (impact or consequences) if they do materialise.
Strategic risks are those that arise from the fundamental decisions that directors take concerning an organisation’s objectives. Essentially, strategic risks are the risks of failing to achieve these business objectives. A useful subdivision of strategic risks is:
- Business risks – risks that derive from the decisions that the board takes about the products or services that the organisation supplies. They include risks associated with developing and marketing those products or services, economic risks affecting product sales and costs, and risks arising from changes in the technological environment which impact on sales and production.
- Non-business risks – risks that do not derive from the products or services supplied. For example, risks associated with the long-term sources of finance used. Strategic risk levels link in with how the whole organisation is positioned in relation to its environment and are not affected solely by what the directors decide. Competitor actions will affect risk levels in product markets, and technological developments may mean that production processes, or products, quickly become out-of-date.
Responsibility for strategic risk management
Strategic risks are determined by board decisions about the objectives and direction of the organisation. Board strategic planning and decision-making processes, therefore, must be thorough. The UK Cadbury report recommends that directors establish a formal schedule of matters that are reserved for their decision. These should include significant acquisitions and disposals of assets, investments, capital projects, and treasury policies.
To take strategic decisions effectively, boards need sufficient information about how the business is performing, and about relevant aspects of the economic, commercial, and technological environments. To assess the variety of strategic risks the organisation faces, the board needs to have a breadth of vision; hence governance reports recommend that a board be balanced in skills, knowledge, and experience.
However, even if the board follows corporate governance best practice concerning the procedures for strategic decision making, this will not necessarily ensure that the directors make the correct decisions.
For example, the severe problems that the UK’s Northern Rock bank faced were not caused by a lack of formality. Northern Rock’s approach to risk management conformed to banking regulations, but its strategy was based on the assumption that it would continually be able to access the funds it required. In 2007, its funding was disrupted by the global credit crunch resulting from problems in the US subprime mortgage market, and UK Government action was required to rescue the bank.
The report Enterprise Governance – Getting the Balance Right, published by the Chartered Institute of Management Accountants (CIMA) and the International Federation of Accountants (IFAC) highlighted choice and clarity of strategy, and strategy execution, as key issues underlying strategic success and failure. Other issues identified in the report were the ability to respond to abrupt changes or fast-moving conditions, and (the most significant issue in strategy-related failure) the undertaking of unsuccessful mergers and acquisitions.
Managing strategic risks
Strategic risks are often risks that organisations may have to take in order (certainly) to expand, and even to continue in the long term. For example, the risks connected with developing a new product may be very significant – the technology may be uncertain, and the competition facing the organisation may severely limit sales. However, the alternative strategy may be to persist with products in mature markets, the sales of which are static and ultimately likely to decline.
An organisation may accept other strategic risks in the short term, but take action to reduce or eliminate those risks over a longer timeframe. A good example of this sort of risk, would include fluctuations in the world supply of a key raw material used by a company in its production. For instance, the problem can be global, the business may be unable to avoid it, in the short term, by changing supplier. However, by redesigning its production processes over the longer term, it could reduce or eliminate its reliance on the material.
Ultimately, some risks should be avoided and some business opportunities should not be accepted, either because the possible impacts could be too great (threats to physical safety, for example) or because the probability of success could be so low that the returns offered are insufficient to warrant taking the risk. Directors may make what are known as ‘go errors’ when they unwisely pursue opportunities, risks materialise, and losses exceed returns.
However, directors also need to be aware of the potentially serious consequences of ‘stop errors’ – not taking opportunities that should have been pursued. A competitor may take up these opportunities, and the profits made could boost its business.
Although boards need to incorporate an awareness of strategic risks into their decision making, there is a danger that they focus excessively on high-level strategy and neglect what is happening ‘on the ground’ in the organisation. If production is being disrupted by machine failure, key staff are leaving because they are dissatisfied, and sales are being lost because of poor product quality, then the business may end up in serious trouble before all the exciting new plans can be implemented. All of these are operational risks – risks connected with the internal resources, systems, processes, and employees of the organisation.
Some operational risks can have serious impacts if they are not avoided. A good example of an operational risk is the failure to receive material sent by mail, as it was not sent by a secure method. This operational risk materialised for the UK Government taxation authority, HM Revenue & Customs (HMRC). In October 2007, the personal details of 25 million people, stored on two CDs, were lost in the internal mail. The fallout from the loss of these CDs included the resignation of HMRC chairman Paul Gray, due to the organisation’s ‘substantial operational failure’.
What happened concerning these CDs is an example of an operational risk that has a serious impact if it materialises even once. Other operational risks may not have serious financial (or other) impacts if they only materialise once or twice. However, if they are not dealt with effectively, over time – if they materialise frequently – they can result in quite substantial losses. Again, a good example to illustrate the latter, would be a situation regarding a concern that security measures at a factory might be insufficient to prevent burglaries. The impact of a single burglary might not be very great; the consequences of regular burglaries might be more significant.
Responsibility for operational risk management
Clearly, the board can’t manage all operational risks itself. However, it is responsible for ensuring that control systems can deal appropriately with operational risks.
The board may establish a risk committee to monitor exposure, actions taken and risks that have materialised. The risk committee is likely to assess operational risks in aggregate, over the whole organisation, and decide which risks are most significant, and what steps should be taken to counter these. This may include setting priorities for control systems and liaising with internal audit to ensure audit work covers these risks.
The risk committee may be supported by a risk management function, which is responsible for establishing a risk management framework and policies, promoting risk management by information provision and training, and reporting on risk levels.
A key part of line managers’ responsibilities is the management of the operational risks in their area. As well as ensuring specific risks are dealt with effectively, managers will be concerned with their local working environment and will deal with conditions that may cause risks to materialise. For example, they may need to assess whether employees are working excessively long hours and are more likely to make mistakes as a result. They will also supply information to senior managers to enable them to assess the risk position over the whole organisation.
Ultimately, employees will be responsible for taking steps to control operational risks. However, senior management is responsible for ensuring that employees, collectively, have the knowledge, skills, and understanding required to operate internal controls effectively.
Managing operational risks
It may be fairly obvious what the most significant strategic risks are and how important they are. But because of the number and variety of operational risks, accurate operational risk analysis can be more difficult, and can require evidence from a large number of different sources.
A key distinction, when defining different types of operational risk, is between low probability high impact risks and high probability low impact risks. The management of risks with low probability but severe impact may well involve insurance, for example a sporting venue insuring against the loss of revenue caused by an event being cancelled. Alternatively, for other risks, the organisation may have a contingency plan in place, such as the availability of alternative information technology facilities if a major systems failure occurs.
Any controls put in place to deal with low probability high consequence risks will normally be designed to prevent the risks occurring. Preventative controls would be considered necessary such as necessary in order to minimise the possibility of a poisonous chemical emission.
By contrast, risks that materialise frequently, but are unlikely to have a significant impact if they do, may be dealt with by controls that detect or correct problems when they arise. These controls will often reduce risks rather than eliminate them totally.
If risk management is to be effective and efficient, the board needs to understand the major risks that its strategies involve, and the major problems that could occur with its operations. Risk and initiative cannot be separated from business decision making; however, directors can ensure that a wide view is taken of risk management and thus limit the trouble that risks can cause.
Adapted from an article written by Nick Weller (a technical author at BPP Learning Media)