Integrated Risk Management Part 2: Applying Risk Management to the Company Strategy
Risk should be considered at all times and at all levels of the organization. One area to start assessing risk is when a company's strategy is being conceived. This typically happens during annual planning at the executive ranks of the company, but risk reviews should be conducting during significant business changes.
During the strategy planning process, risk comes in two forms--risk of the company strategy and risk to the company strategy.
One way executives can help themselves testing their strategy is to lay out their strategy scenarios and expected and unexpected outcomes of those scenarios. They should measure their strategy from two perspectives--if everything goes as expected and then again with the unexpected scenario. This process will allow you leaders to identify strategic options and risk responses that the company can pursue, not just the "perfect case" scenario.
Next steps is for executives to consider is potential risks that the aforementioned options or scenarios might entail. For example an executive may consider outsourcing manufacturing of equipment to another country for cost savings; but when that outsourcing strategy is evaluated against the likelihood that data is likely to be stolen in that country due to a volatile political climate that executive might decide that the total risk is too much. After going through this exercise executives can evaluate if their solutions are within the companies risk appetite.
Check in next week for Part 3 for Risk Assessment.
Justin (he/him) is the founder and CEO of NuHarbor Security, where he continues to advance modern integrated cybersecurity services. He has over 20 years of cybersecurity experience, much of it earned while leading security efforts for multinational corporations, most recently serving as global CISO at Keurig Green Mountain Coffee. Justin serves multiple local organizations in the public interest, including his board membership at Champlain College.