Strategic and operational risks
Examining the risks in terms of their potential impact and probability of occurrence.
Risks are bound up with all aspects of business life, from deciding to launch a major new product to leaving petty cash in an unlocked box. The SBL exam syllabus highlights risk management as an essential element of business governance. The examiner has emphasised that being aware of all possible risks and understanding their potential impact – as well as the probability of their occurrence – are important safeguards for investors and other stakeholders.
In order to provide a structure for risk analysis, and to help allocate responsibility for managing different types of risk, risks need to be categorised appropriately. One method of risk classification is to reflect broad business functions, grouping risks relating to production, information technology, finance, and so on. However, directors also have to ensure that there is effective management of both the few risks that are fundamental to the organisation’s continued existence and prosperity, and the many risks that impact on day-to-day activities, and have a shorter time frame compared with longer-term strategic risks. These two types of risk can be categorised as strategic and operational respectively. Having categorised risks, management can then analyse the probability that the risks will materialise and the hazard (impact or consequences) if they do materialise.
Strategic risks are those that arise from the fundamental decisions that directors take concerning an organisation’s objectives. Essentially, strategic risks are the risks of failing to achieve these business objectives. A useful subdivision of strategic risks is:
- Business risks – risks that derive from the decisions that the board takes about the products or services that the organisation supplies. They include risks associated with developing and marketing those products or services, economic risks affecting product sales and costs, and risks arising from changes in the technological environment which impact on sales and production.
- Non-business risks – risks that do not derive from the products or services supplied. For example, risks associated with the long-term sources of finance used. Strategic risk levels link in with how the whole organisation is positioned in relation to its environment and are not affected solely by what the directors decide. Competitor actions will affect risk levels in product markets, and technological developments may mean that production processes, or products, quickly become out-of-date.
Responsibility for strategic risk management
Strategic risks are determined by board decisions about the objectives and direction of the organisation. Board strategic planning and decision-making processes, therefore, must be thorough. The UK Cadbury report recommends that directors establish a formal schedule of matters that are reserved for their decision. These should include significant acquisitions and disposals of assets, investments, capital projects, and treasury policies.
To take strategic decisions effectively, boards need sufficient information about how the business is performing, and about relevant aspects of the economic, commercial, and technological environments. To assess the variety of strategic risks the organisation faces, the board needs to have a breadth of vision; hence governance reports recommend that a board be balanced in skills, knowledge, and experience.
However, even if the board follows corporate governance best practice concerning the procedures for strategic decision making, this will not necessarily ensure that the directors make the correct decisions.
The report Enterprise Governance – Getting the Balance Right, published by the Chartered Institute of Management Accountants (CIMA) and the International Federation of Accountants (IFAC) highlighted choice and clarity of strategy, and strategy execution, as key issues underlying strategic success and failure. Other issues identified in the report were the ability to respond to abrupt changes or fast-moving conditions, and (the most significant issue in strategy-related failure) the undertaking of unsuccessful mergers and acquisitions.
Managing strategic risks
Strategic risks are often risks that organisations may have to take in order (certainly) to expand, and even to continue in the long term. For example, the risks connected with developing a new product may be very significant – the technology may be uncertain, and the competition facing the organisation may severely limit sales. However, the alternative strategy may be to persist with products in mature markets, the sales of which are static and ultimately likely to decline.
An organisation may accept other strategic risks in the short term but take action to reduce or eliminate those risks over a longer timeframe. A good example of this sort of risk, would include fluctuations in the world supply of a key raw material used by a company in its production. For instance, the problem can be global, the business may be unable to avoid it, in the short term, by changing supplier. However, by redesigning its production processes over the longer term, it could reduce or eliminate its reliance on the material.
Ultimately, some risks should be avoided, and some business opportunities should not be accepted, either because the possible impacts could be too great (threats to physical safety, for example) or because the probability of success could be so low that the returns offered are insufficient to warrant taking the risk. Directors may make what are known as ‘go errors’ when they unwisely pursue opportunities, risks materialise, and losses exceed returns.
However, directors also need to be aware of the potentially serious consequences of ‘stop errors’ – not taking opportunities that should have been pursued. A competitor may take up these opportunities, and the profits made could boost its business.
Although boards need to incorporate an awareness of strategic risks into their decision making, there is a danger that they focus excessively on high-level strategy and neglect what is happening ‘on the ground’ in the organisation. If production is being disrupted by machine failure, key staff are leaving because they are dissatisfied, and sales are being lost because of poor product quality, then the business may end up in serious trouble before all the exciting new plans can be implemented. All of these are operational risks – risks connected with the internal resources, systems, processes, and employees of the organisation.
Some operational risks can have serious impacts if they are not avoided. A good example of an operational risk is the failure to protect sensitive data. This operational risk materialised for Dixon Carphone in June 2018, when it announced that the personal information, names, addresses and email addresses of 10 million of its customers may have been accessed since 2017. A subsequent investigation by the Information Commissioner’s Office (ICO) found a cyber-attack had installed malicious software on 5,390 tills in branches of its Currys PC World and Dixons Travel chains. This software went undetected over a nine month and collected a huge amount of data, leaving customers vulnerable to both financial theft and identity fraud. The ICO said Dixon Carphone’s poor security arrangements and the inadequate steps taken to protect data had breached the Data Protection Act 1998 and gave Dixon Carphone the maximum penalty fine under that legislation.
Other operational risks may not have serious financial (or other) impacts if they only materialise once or twice. However, if they are not dealt with effectively, over time – if they materialise frequently – they can result in quite substantial losses. A good example to illustrate the latter, would be a situation regarding a concern that security measures at a factory might be insufficient to prevent burglaries. The impact of a single burglary might not be very great; the consequences of regular burglaries might be more significant.
Responsibility for operational risk management
Clearly, the board can’t manage all operational risks itself. However, it is responsible for ensuring that control systems can deal appropriately with operational risks.
The board may establish a risk committee to monitor exposure, actions taken and risks that have materialised. The risk committee is likely to assess operational risks in aggregate, over the whole organisation, and decide which risks are most significant, and what steps should be taken to counter these. This may include setting priorities for control systems and liaising with internal audit to ensure audit work covers these risks.
The risk committee may be supported by a risk management function, which is responsible for establishing a risk management framework and policies, promoting risk management by information provision and training, and reporting on risk levels.
A key part of line managers’ responsibilities is the management of the operational risks in their area. As well as ensuring specific risks are dealt with effectively, managers will be concerned with their local working environment and will deal with conditions that may cause risks to materialise. For example, they may need to assess whether employees are working excessively long hours and are more likely to make mistakes as a result. They will also supply information to senior managers to enable them to assess the risk position over the whole organisation.
Ultimately, employees will be responsible for taking steps to control operational risks. However, senior management is responsible for ensuring that employees, collectively, have the knowledge, skills, and understanding required to operate internal controls effectively.
Managing operational risks
It may be fairly obvious what the most significant strategic risks are and how important they are. But because of the number and variety of operational risks, accurate operational risk analysis can be more difficult, and can require evidence from a large number of different sources.
A key distinction, when defining different types of operational risk, is between low probability high impact risks and high probability low impact risks. The management of risks with low probability but severe impact may well involve insurance, for example a sporting venue insuring against the loss of revenue caused by an event being cancelled. Alternatively, for other risks, the organisation may have a contingency plan in place, such as the availability of alternative information technology facilities if a major systems failure occurs.
Any controls put in place to deal with low probability high consequence risks will normally be designed to prevent the risks occurring.
By contrast, risks that materialise frequently, but are unlikely to have a significant impact if they do, may be dealt with by controls that detect or correct problems when they arise. These controls will often reduce risks rather than eliminate them totally.
If risk management is to be effective and efficient, the board needs to understand the major risks that its strategies involve, and the major problems that could occur with its operations. Risk and initiative cannot be separated from business decision making; however, directors can ensure that a wide view is taken of risk management and thus limit the trouble that risks can cause.
Adapted from an article written by a member of the SBL examining team