Identifying strategic risk
Learn how to identify strategic risk to establish the exposure of the company to uncertainty or opportunity.
What is strategic risk?
Strategic risks are risks that affect a company's business strategy or strategic objectives. These risks can be uncertainties or opportunities, and are normally the key matters that concern the board.
How do I identify strategic risk?
The process of identifying strategic risk requires:
- intimate knowledge of the company, including the company's operating market, and legal, social, political, and cultural environment
- understanding of the company's strategic objectives
The process of identifying strategic risk culminates in specifying a series of risks that make up the company's risk profile.
What is a risk profile?
A risk profile is a view of all identified strategic risks.
Management and board members are often expected to decide on the aggregate level of risk to be taken by the company, as well as the amount of exposure to each type of risk the company handles. The risk profile illustrates the level and distribution of risk that a company retains.
Example
The risk profile below shows a series of strategic risks and the states each risk has been assigned to:
Strategies for identifying strategic risk
There are many different strategies you can use to identify strategic risk.
Brainstorm in a group
Brainstorming involves a group of people working together to identify potential risks, failure modes, and hazards. Often these sessions involve discussions around risk causes and options for risk treatment. Brainstorming is a popular way to identify risk in addition to key controls.
Conduct a team-based exercise
Many companies conduct team-based exercises to get participants thinking about risks. SWIFT (Structured What If Technique) is a popular choice that involves a facilitator using a list of prompt phrases to encourage participants to identify risk.
Interview key stakeholders
You can conduct an interview with select people to ask others for their perspectives. Structured interviews are often used when designing the risk management framework, and involve consultations with key stakeholders. An interview is a good option if you need to assess risk appetite within the company.
Send out a survey
Similar to structured interviews, although involving a larger number of people, surveys can also be used to gather different perspectives on risk and control effectiveness. For example, if you want to assess a company's risk culture, you can send surveys to assess the internal control environment. Many companies send surveys on an annual basis to assess staff understanding of key risk and governance policies and procedures.
Use different types of analyses
There are a variety of analyses you can use to identify risk:
| Type of analysis | Description |
|---|---|
| Scenario analysis |
an approach where participants receive a story or description of a future event, and reflect on the potential consequence and causes of the risk Scenario analyses are useful for identifying opportunities for fraud within the company. |
| Fault tree analysis |
a technique used for analyzing factors that contribute to an undesired event For example, if a company is working to improve customer service, fault tree analysis allows you to state the objective in reverse ("How can we annoy our customers?"), and prompts participants to identify potential causes that would annoy customers. |
| Bow tie analysis | a diagrammatic approach that is used to describe, link, and analyze the pathways of risk from causes to consequences |
| Incident analysis | a technique used to identify problems that occurred within a company, analyze the frequency of occurrence, and uncover the root cause(s) |
