It’s entirely possible to come up with a brilliant strategy, but it’s another matter entirely to implement it successfully. One of the major challenges is what to do when the initial assumptions that underlie our plans prove to be inaccurate or just plain wrong. This is where risk assessment and risk management come into play.

The most fundamental thing about plans is that they tend to go awry. The military teaches a very healthy attitude in this regard, which is why military planners always assume that a plan will only survive until an operation actually starts. As they say, “no plan survives contact with the enemy.” I talk about this attitude and why it’s relevant to business in some detail in my new book, Brilliant Manoeuvres: How to Use Military Wisdom to Win Business Battles, due out some time in September.

So why should we plan, and what should we do to mitigate risk?

Planning is absolutely necessary, because it gives everyone their ‘marching orders’ as well as a fundamental understanding of the overall vision and responsibilities to achieve the mission. Planning is also needed to calculate schedules, logistical requirements, and other quantitative items such as distances and timings. The plan provides a basic framework that allows controlled changes to occur if and when a risk throws a wrench in the works.

How can we minimize the potential effects of unforeseen circumstances throwing our plans off track? The most effective way is to conduct a risk assessment before implementation begins and to build the findings into the plan as a form of risk management.

Risk consists of two elements: probability and impact. Each particular risk can be characterized by its probability of occurrence and its potential negative impact. The aim of risk assessment is to identify the events that could hinder or prevent achievement of the mission and objectives. These are then rated according to probability of occurrence (usually 1 to 5, from lowest to highest probability) and then negative impact (again 1 to 5, from least to greatest potential impact). The highest risks must be addressed through active risk management, and these measures can be integrated into the overall plan.

Measures that aim to reduce the probability of occurrence can be viewed as preventive measures. A simple analogy is to look at the risk of fire. Fire inspections, rules against indoor smoking, and various other means aiming to reduce the probability of a fire can be categorized as fire prevention measures.

Measures that aim to reduce the negative impacts of risks are viewed as risk mitigation. These are further classified into two sub-categories: response/containment and recovery. The former provides the initial response with a view to containing the risk effects. The latter enables recovery from the risk. Both types of risk mitigation measures can be included in contingency plans, which are nothing but plans which go into effect in the event that the particular risk they are designed for occurs. Continuing with the analogy of a fire risk, response and containment measures and plans include such things as smoke detectors, fire alarms, sprinkler systems, fire extinguishers, and evacuation drills. Recovery measures would include such things as fire insurance, alternate work locations, and disaster cleanup services.

These three types of measures—prevention, response/containment, and recovery—form what I call the three lines of defence against risks; they provide an excellent framework to go from risk assessment to risk management through the development and implementation of risk prevention and risk mitigation plans.

We can see how this approach can supplement the basic planning that you do to implement your strategy or any other type of operational or tactical plans within your business or organization. The trick is to conduct a realistic and challenging risk assessment on your plans, no matter what their nature and level, before finalizing them. That way you can build in risk prevention and mitigation, including contingency plans to cater for various risks that can derail your plans before and during implementation.

© Alcera Consulting Inc. 2012. We encourage the sharing of this information with proper attribution. All other rights reserved.

  1. I agree, Rich. I feel this is an area that’s largely overlooked in strategy execution. Strategy, by definition, has long-term objectives, and the longer you go out, the more susceptible your are to risk. So as you suggest, risk planning should be taken seriously in any effort, but especially when it comes to strategy. Thanks for the post!

    • Hi John,

      Thanks for commenting. In fact, there are three dimensions which determine whether something is strategic, operational, or tactical: impact, level of constraint (or freedom of action), and degree of responsiveness to the situation. This is illustrated in the diagram included with the following article on my website:

      Given that, strategy can still play out over a very short timeframe. Imagine a situation where a competitor introduces a game changing product that causes you to revisit your strategy post haste. Another example could be a competitor that is suddenly ripe for acquisition and that demands a quick strategic turnaround by strategic leadership.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.