Many organisations struggle to identify the line between Strategic and Operational Risks.
The solution to properly separating the two lies in the very definition of risk from ISO 31000: “the effect of uncertainty on objectives.”
The fundamental purpose of a risk program, and thus a risk register, is to manage the risks (and opportunities) potentially impacting on the organisation’s business objectives. Losing sight of this big picture and getting lost in the quagmire of low-level risks and day-to-day issues is often the easier thing to do, as they are evident and tangible. However, this will detract from the risk program’s effectiveness.
Many organisations place all risks into one all-encompassing risk register. The result can be the listing of a risk that has the potential to derail core business objectives next to a minor operational hazard of little potential impact. Separating risks into registers in accordance with the level of management expected to oversee them (e.g. Board, Executive Management, Supervisory) is more useful and prevents upper management decision-making from being clogged with operational-level issues.
In military terms, the use of the term ‘objective’ usually refers to the location, high ground or target that an army, or part thereof, intends to occupy. The objective is the primary focus of planning and resourcing a military campaign. Using this as an analogy for risk management, the generals of an army need to concern themselves with the strategic risks – the issues that will impact them on conquering their objective. First off, they have to determine that the objective is the correct one. There have been many instances in military history where an army has fought a battle, arrived at a location (objective) generally some form of high ground only to find it is of no real military significance. Once the Generals agree the objective is the right one, they then turn to what is likely to impact their advance to the objective. Both negative and positive impacts. This then is Strategic Risk. In organisational terms, Boards or Executive Leadership are agreeing on the organisation’s business objectives, and then identifying and managing the Strategic risks and opportunities that have the potential to impact on those top-level objectives.
On the other hand, returning to the military analogy, the smaller sections of an army (call them platoons or sections) have to align themselves with the overall objective of the Generals, but are more concerned with their immediate objectives; how to cross a barbed wire fence or a river, what towns need to be reached by when, where they will bivouac (sleep) at night and do they have enough supplies and materiel. These are the Operational Risks. In organisational terms, Managers and Supervisors are concerned with the risks and opportunities that impact on their daily tasks and functions whilst being cognisant of the overarching organisational strategic risks.
From a strategic perspective, Generals cannot be concerned with the ‘lower level’ operational issues. If one platoon or section cannot cross a river, that is not a concern but if the river holds up the whole army, then it could derail the entire battle. There need to be clear and effective systems, communications and lines of reporting to ensure that the lower level commanders achieve their risks and where they cannot, this is communicated to the Generals. Organisationally this translates to Boards and Senior Management not concerning themselves with, for example, the number of slip/trip/fall risks identified in a workplace, but they do need to ensure that there’s a clear line of reporting from managers if these everyday risks can’t for some reason be addressed or have become a trend.
At the end of the day, risk management processes should be set up so that Strategic and Operational Risks are separated, with the Board / Executive Leadership focussing on Strategic Risks and Managers/Supervisors focussing on Operational matters; and with Risk Reports developed to ensure that information is conveyed in a timely and effective manner so that the correct decisions can be made by the responsible level of management when needed.
Please contact QRMC for more information.