Risk Management: Example of Risk Indicators for Strategic Planning

Introduction: Defining Risk Beyond Probability and Impact

The guiding standard in the domain of risk management is ISO 31000. It’s intriguing to observe the evolution of the standard’s definition of risk over time:

• The previous ISO definition of risk: “A chance or probability of loss.”
• The definition according to ISO 31000:2018: “The effect of uncertainty on objectives.”

What has changed?

• The old definition mentioned “loss“; the new one employs the term “effect.” This shift implies potential positive and negative effects, as well as highlights the importance of intangibles like customer perception.
• The old definition used “chance” and “probability” to describe the likelihood of occurrences. In the modern definition, we encounter the “effect of uncertainty,” also explained as the effect of incomplete knowledge. This approach allows more flexibility in defining risks, extending beyond the “probability x impact” model.
• The addition of the term “objective” to the new definition highlights that risks are defined within a specific context, preventing potential misalignment with overall strategy.

Let’s explore the practical application of risk management in strategic planning using the guiding principles of the ISO standard.

1. Risk Assessment: Systematic and Stakeholder-Aware

Map possible risks through systematic analysis of driving forces and their early sign indicators in the context of the organization’s strategy and stakeholders’ interests.

The general guideline of the ISO standard emphasizes that risk assessment should be systematic and take into account the views of different stakeholders.

What does it mean in practice?

Risk Assessment: Systematic

The concept of ‘systematic’ risk assessment varies across industries. Essentially, it involves following determined processes and standards, such as:

• Regularity of risk assessment
• Quantification of the risk
• Assigning responsible individuals

Below, we discuss how this can be implemented at an operational level.

Risk Assessment: Stakeholder’s View

Similar to other business domains (consider, for example, the sustainability reporting directive), the ISO standard focuses on stakeholder definition and requires taking stakeholders’ views into account when managing risks.

In practice, this means that organizations need to:

• Conduct a stakeholder analysis to define interested parties involved.
• Take the interests of stakeholders into account when creating a risk model in the context of objectives.

This standard requirement aligns well with the approach we endorse through our strategy implementation system.

Users of BSC Designer will find the stakeholder analysis template in their accounts.

• The list of stakeholders can be defined via Settings > Organization >Strategy.
• The stakeholders from the list will be included in the ‘Owner‘ list and can be assigned to a goal, risk, or risk mitigation plan.

Risk Identification in the Context of Objectives

The next step of risk assessment is to name the specific risk. The new ISO standard requires risks to be defined in the context of objectives. The aspiration of the standard is to improve the alignment between the risk and the business context.

In strategic planning, instead of having a separate risk scorecard, integrate risks into the strategy scorecards.

When conducting value-based strategy decomposition, we break down the strategic ambitions of the stakeholders into more specific goals and subgoals. At this point, we quantify goals and define risks to better understand the business context we are dealing with.

Most of the tools we use to scan the business environment (refer to the Strategy Analysis segment on the diagram) will naturally help with the identification of risks.

To define a risk in BSC Designer:

• Select an existing goal or create a new one.
• Choose Add Risk from the Add button menu.
• Fill in the relevant factors in the description field and use the Documents section to upload any supporting documents.

To enter the results of risk analysis:

1. Select the Likelihood indicator.
2. Enter the initial risk estimation into the Inherent field.
3. Enter the acceptable risk into the Acceptable field.
4. Enter the current risk estimation into the Residual field.

Repeat the steps for the Impact indicator.

Defining Early Sign Indicators

The root cause of the risk is what is referred to in ISO as the effect of “incomplete knowledge”.

How can we enhance our risk models in the context of the driving forces?

In addition to probability indicators, define early sign indicators. For instance, these could be early warning indicators of economic crises or even wars. By translating general driving forces into more specific factors, we increase the chance of finding a reliable early warning indicator.

In strategic planning, we distinguish these predictive/leading indicators aligned with success factors from indicators that measure outcomes (lagging indicators).

To create a predictive early-sign indicator in BSC Designer:

• Create a new indicator.
• Switch to the Context tab.
• Change the type of indicator to “Leading”.

Changing type of indicator to Leading.

This indicator won’t be taken into account when calculating the performance of its parent goal, but we can track it and use it to quantify risk discovery or risk mitigation initiatives.

2. Risk Analysis: Probability, Impact, Vulnerability

Make risks more specific by quantifying attributes such as probability, impact, and vulnerability.

Risk analysis is a broad practice focused on understanding risk and its potential effects on the organization. Below, we provide suggestions for risk analysis in the context of strategic planning.