Have you reviewed how you conduct strategic planning lately? It could change your organisation’s ability to manage business risk.
What the new ISO 31000:2018 risk management standard means for your organisational strategy
It’s been nine years since the ISO standard for risk management was last updated, and at Blue Zoo we welcome the changes in the new ISO 31000:2018 edition.
Although the simplification provided by the 2018 Standard is a key benefit, the new Standard also comes with some non-trivial changes. The messages in the 2018 Standard reinforce the practical integration of risk management into broader business activities and key decision-making processes, and focus more on the recording and reporting of risk decisions (not just risks and risk events). In particular:
- How risk management integrates into the broader business processes (e.g. strategic and operational planning, project management, compliance, etc.);
- Formalising how risk management informs decision making as well as the decision making process itself, the connections to both opportunity and risk as well as the way managers find the balance between them; and
- Documenting risk decisions in the broader business processes, as well as communicating activities and outcomes across the organisation, assisting interaction with stakeholders, and including the quality of the dialogue with top management and oversight bodies to meet their responsibilities for risk management.
This is a vital update.
True organisational resilience results from a strategy informed by robust risk and governance frameworks (See Diagram 1).
Today’s operating environment is increasingly fast-moving and hyper-connected. A shift in any of the many “moving parts” in our ecosystem has more power to make or break an organisation than it ever had in the past. Your strategy should be responsive to this reality.
Strategy is fundamentally about maintaining competitive advantage, and a successful strategy is one that makes your organisation sustainable and resilient.
- A Sustainable organisation demonstrates long term Value Creation. It provides products and services valued by the market, and cultivates strong relationships with stakeholders that enable its continued operation and market presence.
- A Resilient organisation demonstrates targeted Value Protection. It can survive changes in the market and continue to perform even when unforeseen things occur.
So, how does your organisation, regardless of its size, stay agile and responsive to changes whilst ensuring long-term survival? How do you adapt and keep your organisation relevant without losing sight of who you are, and why your organisation exists?
The best organisational strategies are responsive to the external environment while having an internal robustness as well. You need an open systems model that facilitates both, and fits multiple needs and contexts.
An integrated iterative approach to strategic planning
Proactive business evolution can be achieved with a systematic development of organisational maturity. To get better at creating and protecting value, organisational leaders need to:
- iterate strategic planning more frequently than had sufficed in simpler times. The cycles of change are accelerating, and on top of that, there is no longer a linear relationship between profit and success. If strategic planning is not adequately responsive to the changing environment, we put our organisations at risk – just ask the taxi industry.
- integrate strategic planning into a robust business planning process that’s aligned with the purpose and values of the organisation, mindful of your stakeholder ecosystem, grounded in informed governance and risk management, and captures performance feedback.
Here is one way to do it – align your purpose, passion and practice in an integrated iterative process (See Diagram 2).
I Purpose, Vision, Mission
Start by getting really clear about why your organisation exists, and the value it provides. What is important to your organisation? What is its core purpose? Here, you define what you want to create. This is the compass by which to navigate subsequent steps, and to weather any storms that may arise – in the marketplace or within the organisation.
II Values, Principles, Behaviours
Values and behaviours articulate the way in which you go about achieving what’s important to your organisation. To minimise the common occurrence of cognitive dissonance, ensure that your brand is congruent with your purpose. Reward structures need to align with values to incentivise the right behaviours.
Getting this wrong can get you into a lot of trouble – just ask any of the major banks being investigated under the Banking Royal Commission, where some incentivised staff for new accounts, resulting in staff manipulating prospects to open accounts they don’t need, or creating fraudulent accounts with fake names. Beyond legality, culture should reinforce desired behaviours and regulate undesired behaviours.
While business policies and practices need to be evaluated against principles and values to produce aligned and consistent outcomes, strategy doesn’t end there. Employees are just one of many interconnected stakeholder groups in an organisation’s ecosystem.
III Ecosystem Mapping
Stakeholder mapping looks beyond your immediate impact lens into how each group is linked to and may influence each other, as well as the organisation. Here’s where you identify everyone who cares about what you do, internally and externally. Stakeholders might include regulators, investors, the community, customers, employees, suppliers, supplier subcontractors, and so on.
Why is ecosystem mapping important? To understand the flow and direction of power and influence among stakeholders, because this could affect how well your organisation can create and protect its value. Here are some examples.
Consumer impact – Traditionally, organisations are more powerful than consumers; they dictate what happens in the marketplace. Now, with the proliferation of social media, consumers can consolidate to make their voices heard, especially when they don’t agree with what big organisations are doing.
- Look at the streak of bad press Coles Supermarkets received recently: objections to the single-use plastic bag ban, the public backlash to their Little Shop marketing campaign, the outcry that forced them to rescind their intention to give away the reusable plastic Coles Better Bag for free indefinitely, and the raising of a petition to boycott Coles. Tuning in better to consumer sentiments during planning could have resulted in different marketing decisions and outcomes.
Supplier vulnerabilities – Does your organisation truly know the ways your suppliers, their subcontractors, and so on could expose your organisation to risk?
- These top Australian companies didn’t – some were forced to close their career websites, and the data security of others, including government organisations, was badly hit when a cyberattack on their HR software vendor PageUp resulted in a massive breach of these companies’ recruitment data.
- This large enterprise does – ahead of the Modern Slavery Act still being reviewed by the Australian government, Fortescue Metals Group’s Human Rights Policy stipulates that there must be no slavery or forced labour in their supply chain. Their policy is a commercial application of the same principles underpinning the Walk Free Foundation (founded by FMG’s non-executive Chairman Andrew Forrest) and goes beyond first line suppliers to analyse the entire supply chain.
Consumers and suppliers are two of many stakeholder groups that can influence an organisation’s performance, and they do so in different ways. Which factors should you regard as more important? And would your organisation be able to articulate why?
You cannot prioritise the few until you understand the whole. A broad understanding of the whole ecosystem is required to map your risk profile comprehensively. Only then can you prioritise what to maximise and what to mitigate, and to what degree – to determine your risk appetite with clarity.
IV Risk Appetite & Prioritisation
It is impossible to protect every aspect of your business; prioritisation is best based on a clear understanding of your organisation’s risk appetite, culture and objectives. Having mapped your purpose, values, and stakeholder ecosystem before this step, you can make clearer decisions as to how much risk your organisation is willing to take, considering its context.
Then once you have embarked on a path, how would you know it’s the right one? That’s where governance structures come in.
V Governance Structures
Governance is about the decision – how much performance and how much conformance is required in our organisation? It is the structures by which we plan, execute, review and improve our purpose-driven activities, measuring how aligned we are across each of the components.
The risk management focus will inform what you want to protect and to what degree, as well as how much control you want, where and why.
VI Planning and Performance Feedback
At this stage you can map out the actions you need to take at each level of the organisation from overarching strategy to departmental business plans to individual actions. What actions do you need to take to keep your organisation thriving, and how do you keep things on track? What if unforeseen circumstances arise – how do you adjust your plans?
Establish ways to check on progress, while being mindful of whether activities are still supportive of your purpose and aligned with your values. Learn, improve, iterate, and use performance metrics to inform future planning cycles.
With an iterative integrated approach like the one above, leaders can build a robust business model that is responsive to fast-changing environments without losing sight of what’s important to their organisations and stakeholders.
Using a consistent method over time builds organisational learning so that feedback can be obtained quickly and effectively, and your pace of iteration will increase with each review.
Purpose, passion, practice – an iterative integrated approach to strategic planning can help you align all three, to build true resilience and sustainability.