Risk management is too often treated as a compliance issue that can be solved by drawing up lots of rules and making sure that all employees follow them. Kaplan and Anette Mikes present a categorization of risk that allows executives to understand the qualitative distinctions between the types of risks that organizations face. Preventable risks, arising from within the organization, are controllable and ought to be eliminated or avoided. Examples are the risks from employees’ and managers’ unauthorized, unethical, or inappropriate actions and the risks from breakdowns in routine operational processes. Strategy risks are those a company voluntarily assumes in order to generate superior returns from its strategy. External risks arise from events outside the company and are beyond its influence or control. Sources of these risks include natural and political disasters and major macroeconomic shifts. Risk events from any category can be fatal to a company’s strategy and even to its survival. Companies should tailor their risk management processes to these different risk categories. A rules-based approach is effective for managing preventable risks, whereas strategy risks require a fundamentally different approach based on open and explicit risk discussions. To anticipate and mitigate the impact of major external risks, companies can call on tools such as war-gaming and scenario analysis.

When Tony Hayward became CEO of BP, in 2007, he vowed to make safety his top priority. Among the new rules he instituted were the requirements that all employees use lids on coffee cups while walking and refrain from texting while driving. Three years later, on Hayward’s watch, the Deepwater Horizon oil rig exploded in the Gulf of Mexico, causing one of the worst man-made disasters in history. An investigation commission attributed the disaster to management failures that crippled “the ability of individuals involved to identify the risks they faced and to properly evaluate, communicate, and address them.”

Hayward’s story reflects a common problem. Despite all the rhetoric and money invested in it, risk management is too often treated as a compliance issue that can be solved by drawing up lots of rules and making sure that all employees follow them. Many such rules, of course, are sensible and do reduce some risks that could severely damage a company. But rules-based risk management will not diminish either the likelihood or the impact of a disaster such as Deepwater Horizon, just as it did not prevent the failure of many financial institutions during the 2007–2008 credit crisis.

In this article, we present a new categorization of risk that allows executives to tell which risks can be managed through a rules-based model and which require alternative approaches. We examine the individual and organizational challenges inherent in generating open, constructive discussions about managing the risks related to strategic choices and argue that companies need to anchor these discussions in their strategy formulation and implementation processes. We conclude by looking at how organizations can identify and prepare for nonpreventable risks that arise externally to their strategy and operations.

The first step in creating an effective risk-management system is to understand the qualitative distinctions among the types of risks that organizations face. Our field research shows that risks fall into one of three categories. The first category, preventable risks, consists of internal risks, arising from within the organization, that are controllable and ought to be eliminated or avoided. Examples are the risks from employees’ and managers’ unauthorized, illegal, unethical, incorrect, or inappropriate actions and the risks from breakdowns in routine operational processes.