Page 81 - IRMSA Risk Report 2021

5.2.1   INTEGRATING STRATEGY, RISK AND RESILIENCE

          For an organisation to prosper, it must be relevant to its customers, differentiated from its competitors, economically
          viable and commercially sustainable. Organisations that meet these four requirements create value for their stakeholders. In
          our Master Class of 2019, presented in conjunction with The Decision-Making Advisory Group (TDAG), IRMSA showcased how
          many organisations are struggling to meet these requirements. In some cases, it is dramatic. In many other cases, it is a gradual
          decline. These gradual declines, which result in value loss, stem from at least one of the following:

          •   Misses
          •   Mistakes
          •   Malice

          Misses occur when organisations do not do what they should have done. For example: failure to evolve to meet changing
          customer needs. These organisations will lose relevance and no longer be with us. Mistakes occur when organisations do
          what they should not have done. For example: failure to deliver on all of their strategic objectives, resulting in impairments of
          investments. While misses and mistakes are generally the result of well-intentioned executives, malice occurs when executives
          deliberately act in their own interest and not that of the other stakeholders.

          The risk capability in an organisation is mostly concerned with execution activities (i.e. doing things right) and with downside
          protection (i.e. doing less of the bad). This might help to prevent cases of malice, but is not at all well positioned to prevent
          misses and mistakes because these result from strategy (i.e. doing the right things).  Moreover, while prevention of mistakes is
          doing less of the bad, prevention of misses requires doing more of the good (i.e. positioning the organisation to capitalise on
          upside opportunities). In other words, for an organisation to survive and thrive it needs to “do the right things” AND “do things
          right”, and it also needs to “protect against the downside” AND “position for the upside”.

          In addition, since strategy is about the future and the future is inherently uncertain, strategic decisions are about making
          decisions in a context of uncertainty. Proactive risk management reduces the potential negative impact of risks on strategic
          drivers (what we called “flags” in Section 2), which makes the future less uncertain and therefore easier to influence.
          Good strategic decisions follow a good process that aims to deliver the highest expected value for the organisation’s strategic
          objectives. Due to the uncertainty, sometimes that good process delivers a bad outcome. When this happens, an organisation
          might handle it well or poorly, which can be seen as an indicator of its level of resilience. The implications of how the problem
          is handled can be significant, in some cases bolstering the reputation of the organisation and, in some cases, undermining the
          organisation.


          THE CALL TO ACTION:

          Organisations typically employ four capabilities to address the issues above, viz.



          •   A strategy capability to focus the organisation on the right things so that it might prosper and create value for
              stakeholders.
          •   A risk-management capability to protect against downside events that could erode value.
          •   A risk-management capability to pursue opportunities that could enhance value.
          •   A business-continuity management capability to deal with issues that have arisen, which, unless addressed, will
              undermine value.


          In most organisations, these three capabilities run independently. Given the prevalence of misses, mistakes, and malice, IRMSA’s
          view is that organisations would benefit from an integrated capability of strategy (including governance), risk and resilience.


