Close Sidebar
COPYRIGHT © PROFESSIONAL EVALUATION AND CERTIFICATION BOARD 2021 ALL RIGHTS RESERVED
Now Reading
Integrating Risk Management into Strategic Decision-Making for Enhanced Resilience
Search for content, post, videos
Search for content, post, videos

Integrating Risk Management into Strategic Decision-Making for Enhanced Resilience

April 18, 2025

When an organization develops its strategic vision, strategic plan, or any other forward-looking initiatives it is critical that the organization integrates an analysis process focused on Issue Identification, Risk, Threat, Vulnerability, Hazard (RTVH) assessment to enhance decision-making and monitor ever changing RTVH mitigation effectiveness.

Risk, Threat, Vulnerability, Hazard (RTVH) Identification and Analysis Missing the Point?

Ask yourself, “What issues is my organization focused on? What is on our radar screen? What are our goals and objectives?” Do you see a confluence of risks merging or creating cascade and collateral damage effects beyond the specific risk being realized? If so, how does your analysis account for highly improbable events and unanticipated effects?

Unseen Risks: Hidden Dangers in a Rapidly Changing Global Threat Landscape

So many events are unfolding on a global scale that it is difficult to shape strategic decision-making, let alone integrate RTVH initiatives to assess strategic decisions. Categorizing all the issues that present RTVH to an organization needs a framework and a way to identify the potential interconnections that present potential cascade effects and can cause collateral damage that will affect business performance.

Due to the non-static nature of risk, exposures constantly change. Mitigation has the effect of altering the risk so that a new exposure is created. Mitigation buffers risk temporarily. One thing that is not considered when doing a risk assessment is the action of others who have the same risk exposure and are taking mitigation actions to buffer the risk exposure that they have. It is imperative to develop a mindset of constant risk monitoring and buffering activities. See my article on thinking like a commodities trader when it comes to risk.

Below is an example of a RTVH format that I have utilized with clients to establish more of a focus and explanation of the Issue of concern and how that is further analyzed as to RTVH, potential business impacts, mitigation, and Key Performance Indicators (KPI).

  • Issue: Identify the Issue that is of concern
  • Risk: Identify the risk realization scenario
  • Risk Rating: (1 = Least Severe; 5 = Most Severe)
  • Threat: How does the risk threaten XYZ
  • Vulnerability: Where is XYZ vulnerable to risk realization
  • Hazard: What physical hazard(s) does the risk present to XYZ

                Business Impact:

  •           Financial – Estimated cost over time if the risk is realized.
  •          Recovery Time – How long will it take XYZ to recover if the risk is realized?
  •          Customer Tolerance Level – How long will XYZ customers stay customers if the risk is realized?
  •          Reputation – What is the potential damage to XYZ’s reputation and image?
  •          Operational – How does the realization of the risk affect XYZ’s ability to operate normally?
  •          Regulatory – What potential existing and new regulatory issues will arise if the risk is realized?

 

  • Risk Parity – Risk Parity is a balancing of resources to a risk. You identify a risk and then balance the resources you allocate to buffer (risk buffering) against the risk being realized (that is occurring).
  • Key Performance Indicator – Metrics on how well the risk is being buffered.

Effective risk management can only be achieved when one understands the breadth of an enterprise’s sphere of operations. Internal programs must integrate with external exposures. The enterprise cannot effectively implement a risk management program if it does not include its “value chain” in the process. The problem faced by today’s enterprise is: “how to effectively design and implement a broad-based risk management program.”

Creating a Risk Mosaic Requires Constant Updating, Consequence Identification, and Control

Identification and quantification of potentially disruptive events that could escalate into a crisis must be accomplished so that controls and safeguards can be developed to prevent or minimize the impact of any type of disruption. When the right precautionary approach is to consider the unseen as potentially harmful; how do we operate?

The reality of risk today; volatility, uncertainty, complexity, and ambiguity parameters are broader with more prevalent swings. Have you adjusted your competitive strategy thinking and models?

Uncertainty Cubes: What Shape Is Your Uncertainty Cube?

McKinsey has come up with the “Uncertainty Cube” as an enhancement for analyzing scenarios. In a November 2, 2020, article entitled “Are scenarios limiting your pandemic recovery strategy?” McKinsey authors provide examples of the “Uncertainty Cube” used as an analysis tool. The article highlights include the following:

 

Building an “uncertainty cube” allows business leaders to accurately assess the probability that certain outcomes will materialize under various scenarios.

Does the “Uncertainty Cube” enhance or inhibit analysis? It may enhance analysis to a point. A cube is a rigid structure, bounded by artificial sides. It, therefore, limits analysis to the extent that the analyst chooses the cell structure of the cube.

Risk is not bound by artificial structures, such as a cube shape. No matter how creative you get with the cube shape, it is limited to the artificial boundaries that you set. Perhaps the following example will visually explain:

Although novelty items, the Amazon X Cube and the Megaminx Shengshou appear to be applicable in the context of “uncertainty” as discussed in the McKinsey article. However, there is still the boundary problem that presents artificial limits to the identification and analysis of risk. As already stated, “risk is not static.”  Perhaps a more logical depiction would be to depict the analysis points as floating points that have no boundaries and are in a constant state of flux (change)? So, what is the shape of your uncertainty cube?

Can we accurately assess the probability that certain outcomes will materialize under various scenarios?  Probability is at best a guess against what may happen in the future. Can we accurately assess, no matter how creative we get, when we place artificial boundaries on the parameters of our analysis? There will always be forces influencing the analysis that we have not considered due to analysis bias, emotional bias, overlooking the obvious, applying outmoded analytical tools, etc.

Ask yourself, “What is my organization’s risk absorption capacity? Where is our risk saturation point? At what point does our risk profile allow for risk deflection? At what point does our risk profile create a risk explosion for our organization?” These four questions, all too often, never get asked when conducting investigations into risk, threat, vulnerability, business impact, and/or hazard analyses. How do you begin to answer these questions? First, you need to be open to complexity; second you must be able to see beyond the immediate, and third you must embrace the dynamic nature of risk as non-static.

The recent World Economic Forum publication “Global Risks 2025” provides some excellent examples of connecting the dots. However, the WEF publication seemed to fall into the media driven moment, focusing on “Climate Action Failure” and “Extreme Weather” as heavily weighted risks, while “Infectious Diseases” merited the lowest weight rating. Please note that “Pandemic” was not on the list of risks in the report of “Global Risks Interconnections Map 2025”.

Overcoming the Cassandra Effect or Is the Sky Really Falling?

We need to shift from seeing risk management as a corporate paper exercise that sees risk as a threat and gets relegated to bookshelves. Risk is a driver of change, a source of new opportunities and critical to understand for good decision-making. Shifting our mindset from “how can I get rid of it” to “how can I benefit from it”. Organizations must move beyond risk management to risk intelligence. They must develop and use holistic approaches to recognize patterns, ask the right questions, connect the dots, figure out what to do, and make higher quality decisions based on present and emerging risks.

Embracing change and making good decisions is not only a sign of risk intelligence, but also essential to surviving and thriving in today’s uncertain world. Tumultuous disruption is today’s new normal; hoping for the best is not a good management strategy.

Risk management can evolve into risk intelligence. It introduces the core elements that risk intelligent organizations must embrace and discusses how risk intelligent organizations respond to uncertainty by making quality decisions. Further, it explores the psychology of decision-making under stress and introduces the stages risk intelligent organizations go through before acting in a crisis. It then builds on this understanding to introduce and develop practical techniques to improve the speed and quality of decision-making under uncertainty.

Emerging Technologies hold immense potential to address societal challenges, improve efficiency, assist response, management, reentry, recovery, and return to normal operations (RMRRR). Ultimately, harnessing the potential of emerging technologies requires a joint effort from individuals, organizations, and governments. Emerging technologies are a cornerstone of the future, promising significant advancements across various sectors. However, this progress is accompanied by associated security risks.

Conclusion

Risk taking is central to the functioning of any organization. Excessive risk taking and a simultaneous decline in the risk absorption capacity of the organization can lead to catastrophic results (i.e., the financial system and financial crisis). One can never achieve true certainty when assessing risk unless you reduce the probability to zero or one. Opacity, that is, constant uncertainty and changing factors make getting a clear picture of risk realities nearly impossible. To overcome opacity, you need to constantly monitor the risk environment. It is all about targeted flexibility, the art of being prepared, rather than preparing for specific events.

Geary Sikich

Geary Sikich is a seasoned risk management professional who advises private and public sector executives to develop risk buffering strategies to protect their asset base. With a M.Ed. in Counseling and Guidance, Geary's focus is human capital: what people think, who they are, what they need and how they communicate. With over 25 years of experience in management consulting as a trusted advisor, crisis manager, senior executive and educator, Geary is well-versed in contingency planning, risk management, human resource development, “war gaming,” as well as competitive intelligence, issues analysis, global strategy and identification of transparent vulnerabilities. As a well-known author, his books and articles are readily available on Amazon, Barnes & Noble etc.

Leave a Reply

Your email address will not be published. Required fields are marked *

Related Posts