Strategic Risk Management


Organisations often struggle to deal well with strategic risks.  This is in part a problem with the ‘objectives’ focus of the risk definition in AS/NZS 4360 and in ISO 31000, but it also arises because many leaders struggle to know how to engage in genuine strategic risk thinking.  They find themselves dealing with risk registers full of operational risks, the most “important” of which become their focus. This becomes very frustrating for executive leaders and for governing bodies, who struggle to find, understand and manage the strategic risks to their long term success.

It is possible to lift the risk conversation to a strategic level by looking for risks to an organisation’s purpose (why it exists) rather than to its objectives (what it is aiming to do). By first creating a shared purpose and then testing for risks to that purpose, a risk conversation that was operational can lift to a strategic level in just a few minutes.

A strategic conversation about risk is also created when an organisational development focus is taken. This is for two reasons. First, in the long term, sustainable success can only be driven by capability, and because of this, responses (treatments) for strategic risks almost invariably include work to adapt or develop capability to better match future needs. Second, capability development work is inherently long term, since it takes time for new attitudes (culture) to develop and for individuals and systems to be able to perform at a new level. It is strategic work, and its purpose is always to reduce the risk of failure.

Systemic Strategic Risk Review

A systemic strategic risk review differs in significant ways from a conventional ‘bottom up’ approach.  It also varies in some important ways from typical strategic risk work carried out directly by executive teams and by Boards:

  • Risks are assessed to purpose (the reason the organisation exists) rather than to objectives. This has a transformational impact on the level of the risk conversation.
  • The use of risk maps rather than risk registers opens up the conversation still further, and allows a level of interaction and challenge that is not possible when dealing with text-based risk descriptions.
  • Strategic external and internal scenarios are easily incorporated into the risk conversation, through the risk maps.
  • Offline, systemic risk analysis methods are applied to help leaders to understand the effects of risk inter-relationships and shared root causes. Paradoxically, the most powerful drivers are often subtle, complex and hidden and are seldom identified using a ‘standard’ risk analysis method.
  • The end point of a systemic strategic risk review is the identification and prioritisation of response strategies for risk as a whole, rather than a focus on managing individual risks.  This offers many advantages from a strategic perspective, since it optimises risk management effort for the organisation as a whole.
  • Systemic risk work by its nature is likely to identify risks related to capability, including those risks driven by the internal culture and by the way in which leaders operate. This makes it a powerful ally to organisational development work.

Approaches to Systemic Strategic Risk Review

  • Option 1 – Systemic Risk Analysis. The most powerful approach to Strategic Risk Review is to carry out a full Systemic Risk Analysis, starting with gathering raw data throughout the organisation. This will often identify hidden, subtle risks that had previously not been acknowledged and is inherently strategic, since it forces the risk conversation to include root causes, long term drivers, and optimisation of the response as a whole. Systemic Risk Analysis as a product is described at Manex Products and Services. The nature and method of Systemic Risk Analysis are discussed at Systemic Risk Analysis.
  • Option 2 – Executive Team or Board Risk Review. When a senior leadership team or a Board are working directly on strategic risk, it is possible to apply the same principles in a more condensed form.  This can achieve similar outcomes to a full Systemic Risk Analysis, albeit with somewhat less rigour and with a reduced likelihood that subtle, hidden risk drivers will be found and understood.  Although tailored to each situation the review process ideally involves three short workshops, with offline preparation and analysis between workshops.  The whole process can take as little as two weeks.  A strategic risk review can also be arranged to occur over two scheduled Board meetings, or to take place ‘live’ as an integral element within a one or two day Board review.


The advantages of taking a systemic approach to strategic risk work include:

  • A truly strategic risk conversation is easily created, based upon a focus on achieving purpose rather than objectives.
  • The richness of understanding achieved is greatly enhanced, using risk maps as a vehicle for dialogue, challenge and review.
  • It is likely to find and to deal with subtle, hidden sources of risks that have previously not been dealt with well.
  • The influences of risk inter-relationships and shared risk sources are taken into account.
  • Risk responses are strategic rather than operational and deal with root causes and drivers of risk as a whole, rather than seeking to fix one risk at a time.
  • A strategic risk review can be tailored to be a quick one-off conversation at Executive Team or Board level, or to be an exhaustive process based upon raw data and analysis.