| What is the distinction between strategic, tactical and operational risk management? For that, you need to distinguish between strategic, tactical and operational risks. But also know the points of contact. Even more, you have to be able to sense where one becomes the other. Because there are gray areas in risk management, where things are sometimes not clear. Where risks can exhibit characteristics of multiple levels. Or pass from one level into another. | In this contribution, I express my own opinion, not that of any organization |
Contents
What is the question?
A friend asked me ‘Can you help me? I want to know when a risk is strategic or not.‘
I explained that strategic risks depend on strategic decisions. Mutatis mutandis for tactical risks and tactical decisions, and operational risks and operational decisions.
But that shifted the problem to decisions.
A more structural explanation is needed.
Personally, I prefer to depart from strategic, tactical and operational decisions.
The reason for this is simple: that way I can first pull the concepts far apart so that I can then fill in the gray areas between them later on.
Operational management and operational risks.
Operations management is where operational decisions are made. This has everything to do with generating daily or periodic added value and the direct support to it such as deliveries and storage of raw materials. It is a decision within, for example, a well known production process. These processes are known and are routine.
Strictu sensu one can identify this with the management of anything that generates output. So, for example, the production of medication, cars, radios, raw materials, the handling of files, the executive duties of consultants, the delivery of training….
So the risk universe may depend on process that one subjects to risk analysis. These are organization-specific.
The risks associated with these tasks are operational risks. Examples include a workplace accident on the shop floor, a failed batch of computer chips, a failed batch of semi-finished goods, a chemical leak from a container, a faulty server or truck breakdown, a supervisor on sick leave …
Tactical management and tactical risk.
Tactical management is where tactical decisions are made. It is about keeping the organization and its operational processes functioning. This has everything to do with organization-wide processes. These are processes that therefore affect the entire organization. Examples are purchasing, human resources hiring, finance with the payment of invoices, the payment of salaries. These processes are known and are routine. They are supporting the operational processes. The risk universe depends on the processes present. In many companies, this is a similar risk universe, barring any specific tactical processes.
So the risks can be diverse, such as a software bug in a warehouse management software package that gives errors in reporting to management, a calculation error in wages, failure to pay wages on time, a denial of a payment by the bank one works with, bad marks on an audit report,…
Strategic management and strategic risks.
Strategic management is where one makes strategic decisions. It is about “What will the future bring us, what are we going to do? This is different because these are decisions where on the one hand one has no previous history, on the other hand one looks pretty far ahead in doing this. There is no previous history with every decision because every situation in which one has to decide is totally new.
The decisions one makes have everything to do with choosing or not choosing, for example, new ways to create value. This often involves choosing options and seeing opportunities, deciding which opportunities to invest in, and how much, and allocating people and assigning them resources. Those employees thus initiate a project to mine a new source of added value.
Associated with that are the strategic risks. Risks that one often cannot properly assess with probability and severity. And risks that one must primarily seek “outside in”.
Thus, it makes less sense to define the risk universe by those of the tactical processes and the associated knowledge and skills, nor those of the operational processes. The risk universe must focus primarily on the outside world. This can be done using the acronym ‘STEEPLD’ which stands for ‘Societal’, ‘Technical’, ‘Economic’, ‘Environmental’, ‘Political’, ‘Legal’ and ‘Demographic’. So the trick here is to have a good view of the outside world of one’s organization, through those seven glasses.
Other methods include working out future scenarios, looking at Gray Rhinos on the horizon, and looking at what governments identify as national risks.
The transitions between strategic, tactical and operational risk management
That said, such strategic projects may also have operational or tactical risks that can grow into strategic risks. And thus the first blurring occurs. Because in the above, I pulled everything apart too strongly. I did that to provide clarity, but that was not simply 100% correct. The world of risk management is “flou”. And so there are gray areas between strategic, tactical and operational risk management.
And reputation, for example, has a lot to do with that. For example, every organization gives itself the mission of staying afloat. A good reputation helps with that, but a bad reputation does not. That can be very pernicious if, because of a bad reputation, customers decide to take another supplier. Such a cause can be non-social responsibility. But fraud can also be pernicious. Or cognitive dissonance.
After all, the most important thing is to have a good reputation. Suppose you have a good reputation, a filled order book but little cash. Then you might find some lenders. But if you lose clients en masse because of a bad reputation, you stand a chance of bankruptcy.
These are examples of internal, operational or tactical, risks becoming strategic. This is because the primary mission of the organization is compromised, which is long-term survival.
A typical process that is in the gray zone is the company’s IT support. If it provides services such as backup, it is supportive of the entire company. At that point, it can be seen as tactical. However, when a help desk employee solves a problem for a user, one can see it as an operational process. So one sometimes just has to make a choice of how the organization labels this.
The reverse also occurs.
Sometimes strategic risks become tactical or operational risks over time. This occurs when a strategic project is initiated to generate a new direct or indirect capital gain. By direct added value here I mean the revenues from a future production process. By indirect added value I mean, for example, cost savings, by insourcing a commonly used support process.
When the decision is made, it is strategic. The project implementing the process is a strategic project, and thus will have strategic risks. The project initiates a process, which then first inherits strategic risks from its project. After some time, however, the process is “acquired” and builds up a history of risks through the problems encountered repeatedly. As experience is gained, problems can be avoided, and strategic risks are reduced to operational or tactical risks.
Conclusion
While you can brew a nice definition around strategy, strategic risks and measures, there are gray areas with the tactical and operational levels. An important trick is not to bother with that, but to recognize the how and why. If necessary, classify a process somewhere manu militare. But always consider reputation as strategic.
See also other contributions on strategy and strategic risks and measures:
Strategic risk management: the fox and the hedgehog