The argument that strategy and risk are two aspects of one governance activity has been highlighted by many pundits over time. In practice, however, some non-profit boards still separate strategic planning from the development and review of their risk register.
My previous two posts (see links below) promoted the concept of continuous monitoring of the external and internal environments, and adjustment of strategy in the light of significant changes in stakeholder needs and emerging priorities. This post looks at the parallel issue of ensuring that risk considerations are integrated into strategic planning.
Let’s start with a schematic called the risk bow-tie, illustrated below. Risk managers use risk bow-ties to help them identify various threats associated with a particular type of hazard, and then to assign escalating threat controls to each in order to prevent the hazard being triggered. Subsequently, for each of the possible consequences of that hazard, a range of escalating mitigation measures is assigned, to minimise the harm or damage caused by the event.
A variation on the risk bow-tie makes provision for both unexpected threats and unforeseeable events (often called ‘black swan’ events, like the COVID-19 pandemic).
The bow-tie chart device has also been used as a marketing tool to identify ways of optimising customer retention. My version, however, is more closely aligned with the risk bow-tie, as it adopts similar graphic elements to describe the consideration of options, strategic decision making, and execution measures for primary and secondary goals.
COVID-19 has dramatically demonstrated the need for boards to be resilient, and to employ ‘adaptive governance’. Recognising, therefore, the continuous nature of the board’s strategic and risk management roles, and the need to integrate strategy and risk deliberations, the chart below combines the risk and strategy bow-ties in a mirrored timeline. As the strategic question “What should we do and why?” is asked, the risk question “What could go wrong?” is posed simultaneously. That question is applied to each of the action options before the board, including the option to do nothing.
The parallel chains of strategy and risk bow-ties remind us that responsible boards integrate their risk deliberations into all their decision-making and strategic planning. Treating them as separate and potentially unrelated activities, possibly addressed at different times on the board governance calendar, is likely to result in more adverse outcomes, with negative consequences for your organisation’s reputation and finances.
Whenever we schematise complex concepts and processes like strategy and risk governance, we are likely to over-simplify and generalise. That said, this ‘adaptive governance’ schematic is primarily intended to encourage non-profit directors to see risk as a key dimension of every decision they make, rather than a matter they attend to once a year when the risk register is updated.