The Difference Between Strategic and Operational RiskPublished February 6, 2020 by Dave Schmoeller • 2 min read
Strategic risk and operational risk are both valuable to organizations and are critical in managing an organization’s overall risk management program. Organizations are finding that strategic risk management is something that can’t be done the same old way and requires new creative thinking in order to execute successfully. Operational Risk Management is important to make sure there are plans in place to remove roadblocks in order for organizations to execute against their strategic plans. Risk assessments are often performed in order to get a better idea of how well the operational risk program is performing. There are two other types of risk that organizations must also include in an overall risk management program; financial risk and compliance risk. Financial Risk Management(FRM) looks closely at reporting, market performance, and liquidity. Compliance Risk Management(CRM) looks at risk from the compliance lens, examining legal and regulatory compliance. Enterprise Risk Management (ERM) rolls in the four types of risk to form the foundational components of an ERM program. Organizations leveraging an ERM program are far better prepared for risk and know which risks can be mitigated or accepted.
Strategic Risk Management
Strategic risk represents a possible source of loss often determined by business plan performance, business objectives, and the organization’s business strategy. Strategic Risk Management (SRM) is used to identify, assess, and manage risks in an organization. The focus of SRM is typically on internal and external scenarios and enables the organization to achieve its strategic objectives. SRM programs need to account for risks related to shifts in customer demand, competitive pressures, technological changes, and pressure from stakeholders. The key to SRM is to measure and manage as many of the risks as possible.
Operational Risk Management
Operational Risks represent risks related to the organization being able to execute against its strategic plan. Operational Risk Management (ORM) is used to conduct risk assessments, risk decisions, and implementation of risk controls. A successful ORM program provides risk acceptance, avoidance, and mitigation. Operational Risk can often fall into the three categories of environmental risk, financial risk, and reputational risk. Like other frameworks, the operational risk framework encompasses identification, assessments, monitoring, and reporting of risks.
The Difference Between Strategic and Operational Risk
Strategic Risk and Operational Risk are both parts of an ERM strategy. That being said, what are the differences between the two? Strategic Risk looks at the business as a whole, its objectives, and its overall strategy. Operational Risk, on the other hand, brings a more tactical view of an enterprise’s risk profile with assessments and implementing of controls. It wouldn’t make sense in an enterprise to have one without the other. Operational Risk tends to have more emphasis in many organizations because of its assessment and control capabilities. Many companies are looking to remediate risk and most of that is done in the Operational Risk domain.
Strategic Risk and Organizational Risk play important roles in an ERM strategy. The secret to managing risk is to do four things: accept the risk, avoid risk, reduce risk, or transfer risk. Strategic Risk works to identify risk to the business plan and strategy. Operational Risk enables the organization to execute against its strategic plan. There are synergies between the two and several differences. On one hand, Strategic Risk is led by strategy while Operational Risk is more tactical in nature. Most organizations are intent on identifying risk, putting controls in place to prevent it, and ultimately mitigate or accepting the risk. An organization should have an ERM program with solid foundational components like Strategic Risk Management, Organizational Risk Management, Financial Risk Management, and Compliance Risk Management.