The quotes above, admittedly out of context, illustrate a wide divergence in individual philosophies of risk. Organizations, too, operate at different positions on the risk continuum, but wherever they fall, risk is a fact of corporate life. From the moment the Board of Directors puts its stamp on a business strategy, it accepts the possibility of failure. Choosing which products or services it will provide, taking those offerings to development and then to market, and setting prices that will return a profit may or may not be successful, depending on the quality of decisions, the skillfulness of execution, and the adequacy of assigned resources to get the job done.

Most corporations have an office of Enterprise Risk Management (ERM) or an individual responsible for setting the parameters that govern their risk appetite and risk tolerance level, in the context of their market conditions and economic situations. For the purposes of this discussion, we will assume that your organization’s ERM has evaluated the strategic initiative you are working on and given it a green light. However, that doesn’t mean they consider it risk-free. It only means that they have determined the risk is worth taking.

The business dictionary defines risk as “the probability or threat of damage, injury, liability, loss, or any other negative occurrence that is caused by external or internal vulnerabilities, and that may be avoided through preemptive action.” Preemptive action. That’s where the change management leader comes in, guided by one primary rule: The riskier the initiative and the more exposed the organization is to negative outcomes, the more critical it is to manage the change aggressively rather than leave it to chance.

Just as different organizations have different change management models, risk management experts—consultants, economists, and government bodies—classify risk into categories, usually four to eight, some with sub-categories. For purposes of this discussion, we chose a relatively simple classification adopted in a 2013 report by Forbes Insights for Deloitte. Called Exploring Strategic Risk, the report identifies four types of risks.

Strategic risks are created by an organization’s business strategy and strategic objectives.

One strategic risk is the possibility that an organization’s strategy may be wrong or that an initiative may be misaligned with strategy. Others include changes in the market for a product or the competition for that market, often through innovation and development; damage to the brand or the corporation’s reputation, due to ethical lapses or quality issues; and economic trends that create market risk or pricing pressures.

Operational risks affect an organization’s ability to execute its strategic plan.

Operational risk relates to what is happening on the ground, in facilities, with internal processes, people, and systems. ACCA, the global body for professional accountants, identifies, as sub-risks, business disruption and system failures; clients, products, and business practices; damage to physical assets; employment practices and workplace safety; execution, delivery and process management; external fraud; and internal fraud.

Financial risks include financial reporting, valuation, market, liquidity, and credit risks.

They arise from the effects of market forces on financial assets and liabilities, for example, the risk that a customer, supplier, or partner will default on obligations; that the corporation will be unable to monetize assets without unacceptable losses; and the fluctuations in interest rates, currency exchange rates, and stock prices that affect an organization’s results.

Compliance risks relate to legal and regulatory compliance.

 Violation or noncompliance with laws, regulations, or necessary standards exposes a company to fines, payment of damages, and possibly voided contracts, with a subsequent impact on earnings or capital. Companies that fail to comply with prescribed practices may suffer damage to their reputations and loss of customers.

The risks defined above do not represent an exhaustive list, only a sampling of the risks that change leaders must put into perspective. The matrix below, based on factors identified by Prosci may help you capture vital information about the risks inherent in any strategic initiative:

 

For each risk, determine:		Risk #1: [Name]	Risk #2: [Name]	Risk #3: [Name]	Etc.
Likelihood	What is the probability of the risk occurring?
Severity	How damaging would it be?
Impact	What would happen if the risk actually occurred?
Accountability	Who is responsible for monitoring this activity?
Control Strategies	What can we do to mitigate risk?

 

Clarifying and quantifying risks is essential to formulating an effective change management strategy. Involving members of the initiative team and other key stakeholders in the exercise will increase the likelihood that the new attitudes and behaviors required to support the initiative will emerge. And the end result—new market entry, repositioning or rebranding, a new product launch, an acquisition—will have a far better chance of achieving your objectives.

Risk can be daunting, but viewing it strictly as a negative is shortsighted. In the Deloitte report, Sandra G. Carson, VP, Enterprise Risk Management and Compliance, Sysco Corporation, points out, “Risk is uncertainty. But we have to take risks to get to our goals, especially during changing times. So strategic risk is not just the negative impact of risk but also the sub- optimization of gain. I think companies that figure out both the value protection and value creation part of risk are going to set themselves up for success.”

Let us know: Does your organization embrace risk? If it does, you are well on your way to embracing change, the subject of our next blog post.