Strategy is a critical foundation for enterprise risk management. An organization’s objectives are established and understood through its strategy, and risk management concentrates on the uncertainties that could affect the achievement of those objectives. Strategy is emphasized in the first stage of the ISO 31000 process (defining scope, context, and criteria) and in the second component of the updated COSO ERM Framework (strategy and objective-setting). It is also a key component of the risk architecture, strategy and protocols (RASP) framework. A clear grasp of an organization’s mission, vision, and core values, together with the formulation of its strategy and objectives, is essential for identifying, understanding, and managing risks in line with the organization’s risk appetite. We will explore strategy and objectives in depth, presenting approaches to crafting business strategy and building on that foundation to examine the interplay between the risk and strategy processes. Lastly, we will assess the role of risk within various strategy models.
Business strategy outlines what an organization aims to accomplish and the methods it will use to do so, rooted in decisions about its future direction. It articulates where the organization envisions itself in three to five years, often expressed through strategic objectives. A well-defined business strategy allows the organization to fulfill its mission and objectives through coordinated plans and initiatives. According to the Oxford English Dictionary, strategy is a plan designed to achieve a specific goal. It is a vital component of success for both individuals and organizations. While a solid strategy does not ensure success, it significantly boosts the likelihood. Effective strategies typically feature four key aspects: clear long-term goals, a deep understanding of the external landscape, a sharp evaluation of internal resources and strengths, and strong execution. Strategy is a recognized business discipline that has been extensively studied. Notable insights on strategy include:
- Lee Bolman: “A vision without a strategy remains an illusion.”
- Lewis Carroll: “If you don’t know where you are going, any road will get you there.”
- Stephen Covey: “Begin with the end in mind.”
Grasping the concept of strategy is fundamental to enterprise risk management.
7.1 The board’s role in defining strategy
A primary goal of a governance structure is to ensure that an organization’s strategy is effectively executed. The strategy originates with the organization’s Shareholders, Members, or Trustees. By establishing and sustaining the organization, they define its fundamental purpose. They delegate the responsibility of overseeing this purpose to a board of directors, who establish the strategic objectives. The board, leveraging its authority, then empowers the executive team to develop and implement a plan to achieve these strategic goals. As such, when discussing risk management, it is crucial to revisit and understand the strategic objectives set by the board on behalf of the Shareholders, Members, or Trustees.
Formulating Strategy
Strategy develops over time and varies in focus depending on an organization’s lifecycle stage. To guide the development and evaluation of strategy, organizations employ a range of management models. The following widely recognized management models assist in designing, validating, implementing, and reviewing organizational strategy:
Design – crafting potential strategic pathways for the organization:
- Ansoff Model
- Business Model Canvas
- CORR (Customer, Offering, Resources, and Resilience)
Validation – evaluating strategic options to determine the most suitable course of action:
- SWOT (Strengths, Weaknesses, Opportunities, Threats)
- Porter’s Five Forces
- PESTLE (Political, Economic, Social, Technological, Legal, Environmental)
Implementation – converting the selected strategy into actionable objectives and tasks:
- VMOST (Vision, Mission, Objectives, Strategy, Tactics)
- Value Chain Analysis
Review and Repurpose – periodically assessing existing strategies and objectives to ensure ongoing relevance:
- BCG Matrix
- Kotter’s “Our Iceberg Is Melting”
- McKinsey 7S Model
Typically, organizations establish a 3-to-5-year strategy to fulfill the vision and mission set by shareholders, which is then endorsed by the board. Alongside this, they create an annual plan and financial budget, which form a shorter-term subset of the broader strategy, focusing on immediate goals. The 3-to-5-year strategy documents and annual plans are generally internal resources and not publicly released. However, many organizations issue a strategy statement or report, often included in their annual report. In larger organizations, there may be legal or regulatory obligations to disclose strategy details. In the UK, the Financial Reporting Council’s “Guidance on the Strategic Report” outlines requirements for what must be included in a strategic report. This ensures shareholders receive a comprehensive and clear overview of the organization’s business model, strategy, development, performance, position, and future outlook, including a description of key risks and their potential impact on future prospects. While the FRC guidance is tailored to UK public limited companies, it has been widely adopted as a best practice standard across other countries and organization types. Organizations are often hesitant to share detailed strategy documents broadly, even internally. Publicly available strategy statements tend to emphasize marketing angles and are sometimes referred to as business plans. Many smaller organizations lack formal strategy statements or documentation altogether.
A critical aspect of strategy is how an organization manages its reputation. To evaluate an organization’s reputation and understand the potential sources of reputation risk, it’s useful to break down and map out the elements that shape its reputation. Reputation risk is a major concern for business leaders because it acts as a meta-risk—capable of emerging and escalating rapidly from both internal and external sources. For organizations with a strong reputation or those that depend on it to draw investment and talent, reputation risk poses a significant threat. Organizations possess a ‘reputation premium,’ which reflects their earning potential beyond what is accounted for in their brand or net assets. Many leading global brands rely heavily on this premium. Should this organizational value be jeopardized or undermined, the consequences could be severely damaging.
7.2 Risk Management Strategy
Having explored organizational strategy, we now examine how risk management integrates with it. Below is a straightforward 4-step process for managing risk. When aligned with an organization’s strategy, it appears as follows:
- Step 1 – Evaluate the context, strategy, and objectives, and determine the level of risk the organization is prepared to pursue or tolerate to meet these goals (risk appetite).
- Step 2 – Identify and evaluate the risks tied to achieving the strategy and objectives.
- Step 3 – Implement the necessary controls and measures to address these risks.
- Step 4 – Continuously monitor and reassess the risks and controls, reporting to stakeholders on their impact on the strategy and objectives.
This 4-step process is cyclical. If the proposed risk management approach does not align with the organization’s risk appetite, a strategy review may be necessary. In such cases, two options emerge:
- Adjust the strategy, objectives, and/or risk appetite, or
- Enhance the management efforts, such as increasing investment in controls.
When examining how strategic risk is handled within organizations, it’s critical to recognize that the board should either take ownership of or maintain close oversight over the organization’s strategic risks. In certain organizations, a dedicated strategic risk register exists, typically managed by the Chief Risk Officer or a similar role, reflecting the connection between the board and the organization’s risk data.
The following strategic risk categories are typical examples found in strategic risk registers:
- Succession planning for the CEO and key C-suite executives.
- Risks posed by competition.
- Existential threats or evolutionary shifts within the industry.
- Arrangements for shareholder exits.
Boards should address four essential strategic questions regarding risks to the strategic plan:
- How do we align enterprise risk management (ERM) with the organization’s strategic direction and plan?
- What are our primary business risks, both those arising from the strategic plan and those that could either jeopardize or bolster it?
- Are we accepting an appropriate level of risk?
- Are we aware of which risks, if effectively managed, could enhance or diminish the organization’s value or performance?
These questions are part of a broader set of board inquiries designed to steer discussions toward ensuring that risk management processes and frameworks are suitable for achieving the intended ERM goals, rather than merely confirming compliance with those processes and frameworks.
Strategy and Risk Management standards
Risk management standards place significant emphasis on strategy. We reviewed key standards, primarily ISO 31000 and COSO, both of which underscore the need to comprehend an organization’s context and objectives, including its strategy.
In ISO 31000, strategy is addressed within the “Scope, context, and criteria” phase of the risk management process. This step involves:
- Outlining the purpose and scope of risk management efforts.
- Assessing the organization’s external and internal context.
- Establishing risk criteria by determining the acceptable level and nature of risk.
- Setting criteria to assess risk significance and aid decision-making.
The COSO (2017) framework highlights the centrality of strategy in enterprise risk management (ERM), noting that “enterprise risk management is as much about understanding the implications from the strategy and the possibility of the strategy not aligning as it is about managing risks to set objectives.” COSO elaborates on strategy and objective-setting with the following components:
- Analyzes Business Context – The updated framework evaluates the business context, considering internal and external stakeholders. It stresses that management must account for risks arising from shifts in the business environment and adjust strategy execution accordingly.
- Defines Risk Appetite – The organization sets its risk appetite in the context of creating, preserving, and realizing value. This appetite is factored into strategy formulation, articulated by management, endorsed by the board, and embedded throughout the organization.
- Evaluates Alternative Strategies – Different strategies rest on varying assumptions, which may be vulnerable to change. The organization assesses strategic options, selecting one that enhances value while factoring in risks tied to the chosen strategy.
- Formulates Business Objectives – Management defines objectives at various business levels that align with and support the strategy, ensuring they reflect and conform to the organization’s risk appetite.
Other standards addressing strategy and its associated risks include:
- Banking – Basel III
- Insurance – Solvency II
- Health and Safety – ISO 45001 (Occupational Health and Safety Management Systems)
- Legal – ISO 31022 (Guidelines for Managing Legal Risk)
- Business Continuity – ISO 22301 (Business Continuity)
- Projects – Association for Project Management PRAM Guide
- UK Public Sector – The Orange Book 2020
While risk registers typically list numerous operational and project-related risks, it’s critical that they also include high-level strategic risks, which are a priority for senior management and the board. In some organizations, due to confidentiality concerns, a separate strategic risk register may be maintained by the Chief Risk Officer or a similar role.
RASP
RASP stands for Risk Architecture, Strategy and Protocols. Strategy in the context of RASP refers to the risk management strategy that the organization has adopted. This is not the overall strategy of the organization itself but the strategy for how risk will be managed in the organization. The strategy an organization chooses can shape its approach to risk management. This strategy is typically influenced by the organization’s current stage in its lifecycle, as illustrated in the Organizational Lifecycle figure. For instance, during the startup and growth phases, the strategic emphasis is usually on expansion and development. Operations at this point are often streamlined and flexible, with risk management largely handled by frontline teams and limited centralized support. In contrast, during the maturity stage, the focus often shifts to boosting margins for existing products or services and fostering innovation for new offerings. By this stage, organizations typically have established a more structured risk management framework, including a strong, professional risk function within the second line of defense. Thus, as an organization progresses through its lifecycle stages, there is an opportunity for its risk management practices to evolve and mature accordingly.
The risk management framework consists of:
- Risk management architecture
  - Committee structure and terms of reference
  - Roles and responsibilities
  - Internal reporting requirements
  - External reporting controls
  - Risk management assurance arrangements
  - Budget and agreement on resources
- Risk management strategy
  - Risk management philosophy
  - Arrangements for embedding risk management
  - Risk appetite and attitude to risk
  - Benchmark tests for significance
  - Specific risk statements/policies
  - Risk assessment techniques
  - Risk priorities for the present year
- Risk management protocols
  - Tools and techniques
  - Risk classification system
  - Risk assessment procedures
  - Risk control rules and procedures
  - Responding to incidents, issues and events
  - Documentation and record keeping
  - Training and communications
  - Audit procedures and protocols
  - Reporting/disclosures/certification
Up to this point, we’ve examined the risks stemming from an organization’s strategy and its strategic objectives. Another significant way strategy impacts risk management is through the establishment of the organization’s risk appetite. Risk appetite refers to the level of risk an organization is prepared to pursue or tolerate to achieve its goals. To fully leverage the benefits of risk management, it’s essential that the strategy and risk appetite statements are in sync. This alignment is typically evident in the formal delegation of powers and authority within the organization.
7.3 Strategy Models
Organizations are increasingly integrating enterprise risk management (ERM) into their strategy-setting processes. Rather than developing a strategy and then identifying the risks it generates, they are incorporating risk considerations directly into the strategy formulation stage. We explored this interplay between risk management and strategy within the COSO (2017) ERM Framework.
The COSO (2017) ERM Framework highlights that “the role of risk in strategy selection” involves making decisions and embracing trade-offs. Applying ERM to strategy is logical, as it provides a structured way to balance the art and science of informed decision-making.
Risk often plays a role in strategy-setting, but traditionally, it is assessed mainly for its potential impact on a pre-established strategy. Discussions typically center on risks to the current plan: “We have a strategy—what might undermine its relevance or feasibility?” However, organizations are improving at asking broader, proactive questions: “Have we accurately forecasted customer demand? Can our supply chain meet deadlines and budgets? Will new competitors arise? Is our technology infrastructure sufficient?” These are daily challenges for executives, and addressing them is essential to executing a strategy effectively.
In this section, we merge strategy and risk management, exploring: How can risk management shed light on the application of strategy models? How can risk management tools aid in strategy development?
We examine how risk management can enhance our understanding of strategy models across the following stages:
Design – Generating potential strategic options for the organization:
- Ansoff Model
- Business Model Canvas
- CORR (Customer, Offering, Resources, and Resilience)
Validation – Assessing the identified strategic options to choose the most suitable one:
- SWOT (Strengths, Weaknesses, Opportunities, Threats)
- Porter’s Five Forces
- PESTLE (Political, Economic, Social, Technological, Legal, Environmental)
Implementation – Converting the selected strategy into actionable objectives and tasks:
- VMOST (Vision, Mission, Objectives, Strategy, Tactics)
- Value Chain Analysis
- SMART (Specific, Measurable, Achievable, Relevant, Time-bound)
Review and Repurpose – Periodically evaluating existing strategies and objectives to ensure they remain appropriate:
- BCG Matrix
- Kotter’s “Our Iceberg Is Melting”
- McKinsey 7S Model
1) The Ansoff Product / Market Grid Model
The Ansoff Model is a tool for crafting strategy. Various models are available to organizations for strategy design, and in this course, we’ve chosen models widely applied across industries globally. The design phase typically occurs in these situations:
- Launching a new organization – Depending on the size and complexity, strategy design might involve a highly structured, formal process or a more casual approach that develops as the concept for the new organization solidifies.
- Introducing a new product or service, or
- Experiencing a major shift in the organization’s internal or external environment.
This model provides a systematic approach to defining the scope and direction of an organization’s strategic growth within the marketplace. It serves as a framework to pinpoint growth directions and opportunities. From a risk management standpoint, the Ansoff Model pairs effectively with the positive aspect of risk (opportunities) and aligns with risk appetite considerations. For instance, if the chosen strategy is Market Development, the organization may need to embrace a higher risk appetite to pursue greater risk. The model is illustrated below.
2) Business Model Canvas
This model provides a structure for designing and evaluating how an organization interacts with its market, utilizes its resources, and delivers its customer offerings. It outlines the process by which an organization generates, provides, and secures value. The framework consists of nine elements: customer segments, value propositions, channels, customer relationships, revenue streams, key resources, key activities, key partnerships, and cost structure. From a risk management perspective, this model supports risk identification by examining the organization through nine distinct perspectives, each presenting its own set of risks. It also aids in considering critical controls—specifically, what actions are necessary to ensure each component functions effectively.
3) CORR
This tool is used for shaping strategy. CORR, which stands for Customer, Offering, Resources, and Resilience, views an organization’s business model as centered on delivering specific customer offerings. These offerings are supported by the organization’s resilience and mechanisms to ensure its long-term sustainability. The model can be broken down as follows:
- Customer encompasses analysis of customer segments, acquisition, retention, and the methods for delivering products or services.
- Offering refers to the value proposition for customers and the associated benefits provided to them.
- Resources cover the organization’s data, capabilities, assets, as well as its partnerships and networks.
- Resilience reflects the organization’s reputational strength (rooted in ethos and culture) and financial stability (based on revenue and expenditure).
From a risk management standpoint, this model promotes a perspective focused on risk resilience within the organization.
4) SWOT
This model aids in validating proposed strategies by providing insight into how well the strategy’s key components align with the organization’s strengths and opportunities. SWOT, an acronym for Strengths, Weaknesses, Opportunities, and Threats, is a framework—sometimes called situation analysis—used to assess an organization’s competitive standing. It evaluates both internal and external factors, offering a lens to examine current capabilities and future possibilities. The model is effective in brainstorming settings and is relatively easy to grasp and apply. From a risk management perspective, it effectively highlights the internal and external context related to risk and serves as a valuable tool in risk workshops to encourage discussions about risk.
5) Porter’s Five Forces
Porter’s Five Forces is a tool for evaluating the competitive landscape surrounding an organization. It considers factors such as the number and strength of competitive rivals, the threat of new entrants, the influence of suppliers and customers, and the availability of substitute products or services. These elements shape the competitive environment and, consequently, affect an organization’s capacity to generate value, as illustrated. From a risk management viewpoint, this model encourages a thorough assessment of strategic risks arising from external competition. It also informs risk appetite decisions by prompting consideration of competitive areas where significant risk-taking might be necessary to secure market share.
6) PESTLE (Political, Economic, Social, Technological, Legal, Environmental)
PESTLE analysis offers a structure for recognizing external influences on an organization. Represented by the acronym, it covers six kinds of external factor: political, economic, social, technological, legal, and environmental. These can significantly influence an organization, with effects that vary in scope and horizon, from short-term to long-term.
“PESTLE” stands for:
- Political Risks – Risks arising from changes in government policies, regulations, political stability, trade restrictions, and other factors related to government actions that can impact the organization’s operations. Tax policy, employment laws, environmental regulations, trade restrictions and reform, tariffs and political stability are some examples.
- Economic Risks – Risks related to economic conditions, such as inflation, currency fluctuations, economic growth or recession, interest rates, and unemployment rates, which can affect the organization’s financial health and market conditions. Economic growth/decline, interest rates, exchange rates and inflation rate, wage rates, minimum wage, working hours, unemployment (local and national), credit availability, cost of living, etc are some examples.
- Social Risks – Risks associated with societal changes and trends, such as shifts in demographics, cultural values, consumer behaviors, and lifestyle changes, which can influence demand for the organization’s products or services. Cultural norms and expectations, health consciousness, population growth rate, age distribution, career attitudes, emphasis on safety, global warming are some examples.
- Technological Risks – Risks stemming from changes in technology, including advances, cyber threats, and technology obsolescence, which can affect operational efficiency and competitive positioning. Technology changes that impact your products or services, new technologies, barriers to entry in given markets, financial decisions like outsourcing and supply chain are some examples.
- Legal Risks – Risks related to changes in laws, regulations, and legal actions that could impact the organization’s compliance, liability, or operating environment. Changes to legislation that may impact employment, access to materials, quotas, resources, imports/exports, taxation, etc are some examples.
- Environmental Risks – Risks associated with environmental and ethical factors, such as climate change, natural disasters, resource scarcity, and sustainability pressures, which can affect operations, reputation, and compliance.
From a risk management perspective, PESTLE supports the development of a risk taxonomy or classification system within the organization. It also enhances the thoroughness of risk identification by providing diverse external perspectives.
7) VMOST
VMOST is a tool for putting strategy into action; we touched on it earlier when exploring the objectives and purpose of risk management within an organization. The VMOST Analysis helps a business assess whether its core strategies are supported by corresponding activities. It does this by examining five key components: vision, mission, objectives, strategies, and tactics. Notably, while the COSO (2017) ERM framework treats objective-setting as part of strategy, VMOST reverses the order, placing strategies beneath objectives as the means by which the objectives are achieved. From a risk management perspective, this model is effective for identifying key risk indicators (KRIs). It bridges strategy and objectives to actionable steps (tactics), enabling the creation of a robust top-down framework for measuring risk management.
8) Value chain analysis
The value chain model, used for executing strategy, outlines the complete set of activities an organization undertakes to deliver a product or service from its conception to its final use. This includes functions such as research and development, human resource management, production, marketing, and distribution. The model enhances organizational efficiency by optimizing these activities. It’s worth noting that the Extended Enterprise offers a simplified version of an organization’s value chain. From a risk management standpoint, the value chain model is useful for assessing risks within internal processes. Many organizations consider risks tied to “the customer journey” or the “front-to-back process,” making this perspective valuable for ensuring operational processes align with the strategy. It serves as an effective foundation for identifying the controls required at each stage of the process.
9) BCG Matrix
The Boston Consulting Group (BCG) matrix, employed for reviewing and refining strategy, assists an organization in determining which products to retain, sell, or further invest in. While it is commonly applied by commercial entities, its principles are also applicable to services offered by government and non-governmental organizations (NGOs). From a risk management perspective, this model aids in establishing key risk appetite and tolerance thresholds for an organization’s products and services. It’s critical that risk reporting and monitoring stem from the insights and decisions generated by this model, with those decisions subject to ongoing review.
10) Kotter Model
The Kotter Model, a framework for reviewing and repurposing strategy, is an 8-step change management approach crafted by John Kotter, a Harvard Business School professor, to guide organizations in achieving effective transformation. It highlights the importance of leadership, urgency, and engaging stakeholders.
Kotter’s 8-Step Change Model:
- Create a Sense of Urgency – Highlight the need for change to motivate action among stakeholders.
- Build a Guiding Coalition – Assemble a group of influential leaders to steer the change effort.
- Develop a Vision and Strategy – Formulate a clear vision and strategy to direct the change process.
- Communicate the Vision – Consistently share the vision across various platforms to secure support.
- Empower Employees for Action – Eliminate barriers and authorize employees to enact the change.
- Generate Short-Term Wins – Achieve and celebrate early victories to sustain momentum.
- Sustain Acceleration – Leverage initial successes to fuel ongoing progress.
- Anchor the Change in Culture – Integrate the change into the organization’s culture for lasting impact.
From a risk management perspective, this model supports risk scenario planning and stress testing by prompting the organization to explore plausible yet challenging future scenarios.
11) McKinsey 7S model
The McKinsey 7S Model is a review and repurpose tool that evaluates an organization’s design by analyzing seven critical internal components—strategy, structure, systems, shared values, style, staff, and skills—to determine if they are well-aligned to support the organization’s goals. Developed by McKinsey & Company, this strategic framework helps align these elements to drive success, making it valuable for organizational change, strategy execution, and performance enhancement.
It is commonly applied in scenarios such as:
- Managing organizational transformation.
- Adapting the organization to a new strategy.
- Supporting mergers or acquisitions.
- Boosting company performance.
- Anticipating the impact of future internal changes.
The 7 Elements of the McKinsey 7S Model:
The model categorizes elements into Hard and Soft groups:
Hard Elements (more tangible and manageable):
- Strategy – The organization’s approach to securing a competitive edge.
- Structure – The framework of hierarchy and reporting lines.
- Systems – The processes, workflows, and procedures that drive operations.
Soft Elements (less tangible but vital for success):
- Shared Values – The core beliefs and culture of the organization.
- Style – The approach to leadership and management.
- Staff – The workforce’s capabilities, skills, and growth potential.
- Skills – The expertise and competencies of employees.
How to Apply the 7S Model:
- Evaluate the current condition of each element.
- Detect any misalignment among the elements.
- Pinpoint necessary adjustments to achieve alignment.
- Execute changes and track progress.
From a risk management perspective, this model is helpful for assessing control design, implementation, and effectiveness. It addresses both the “hard” aspects (such as design) and the “soft” aspects (like implementation and effectiveness, which depend on human factors).
7.4 Risk management tools
Risk management can significantly contribute to shaping strategy. During the strategy development process, organizations often reach a stage where they have more strategic options or initiatives under consideration than they can realistically pursue. At this point, they must select the options or initiatives that offer the greatest value. Several risk management tools can assist in evaluating the comparative advantages of different strategic options or initiatives. The two most pertinent tools are:
- Suns and Clouds
- Impact vs. Manageability
1) Suns and Clouds
Vaughan Evans’s Suns and Clouds chart, created in the early 1990s, provides insight into two key aspects of strategy:
- The presence of significant risks or opportunities, and
- Whether the overall mix of risk and opportunity is advantageous.
The tool involves two steps:
- For each strategic option, identify the primary threats (clouds) and opportunities (suns) it presents.
- Map these threats and opportunities on a chart, with their potential impact on the organization’s value on the y-axis and their likelihood of occurring on the x-axis.
This produces a visual representation of the threats and opportunities tied to the strategy. For instance, a cloud positioned in the upper right corner might indicate that the strategy carries excessive risk. Like many risk management tools, the real benefit lies in the discussions sparked by determining the placement of suns and clouds. These conversations help ensure alignment among participants regarding the potential threats and opportunities each initiative might pose to the organization. Moreover, if a cloud represents a critical strategy for the organization, the task becomes figuring out how to effectively manage that risk.
2) Impact vs. Manageability
This risk management tool, also developed by Vaughan Evans, employs a matrix to evaluate risks linked to a strategic option or initiative based on two factors:
- The potential impact a risk could have on the anticipated value the initiative might deliver to the organization (y-axis), and
- The ease or difficulty of managing that risk (x-axis).
The matrix categorizes manageability into four levels:
- High – The risk can be easily managed.
- Medium – The risk is manageable with effort.
- Low – The risk is challenging to manage.
- Zero – The risk is effectively unmanageable.
If the risks tied to a strategy fall into the unmanageable category, it may be prudent to abandon that strategy. Conversely, if the risks are manageable, the organization can address them, making the strategy more viable. When analyzing this model, it’s also important to consider the effort or resources needed to manage the risks effectively.
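The two tools above are easiest to see as one small decision procedure: score each option’s suns and clouds by impact and likelihood, look for clouds in the upper-right corner, apply the manageability rule, and rank what survives. The Python below is an added illustration of that procedure and is not code from Evans or from any strategy review; the three strategic options, their threats and opportunities, the 0.0 to 1.0 scores and the 0.6 quadrant threshold are all constructed for the example.

```python
"""Suns and Clouds / Impact vs. Manageability comparison of strategic options.

Added illustration: option names, factors, scores and the quadrant threshold
are constructed for the example, not taken from Evans or a real review.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Manageability(Enum):
    """The four manageability levels of the Impact vs. Manageability matrix."""
    HIGH = "easily managed"
    MEDIUM = "manageable with effort"
    LOW = "hard to manage"
    ZERO = "effectively unmanageable"


@dataclass
class Factor:
    """One sun (opportunity) or cloud (threat) attached to a strategic option.

    impact        : share of the option's expected value at stake, 0.0 to 1.0
    likelihood    : probability that the factor materialises, 0.0 to 1.0
    manageability : only meaningful for clouds (threats)
    """
    name: str
    impact: float
    likelihood: float
    manageability: Optional[Manageability] = None


@dataclass
class StrategicOption:
    name: str
    clouds: list[Factor] = field(default_factory=list)   # threats
    suns: list[Factor] = field(default_factory=list)     # opportunities


def quadrant(f: Factor, high: float = 0.6) -> str:
    """Where the factor lands on the chart: impact on the y-axis, likelihood on the x-axis."""
    up = f.impact >= high
    right = f.likelihood >= high
    return ("upper" if up else "lower") + "-" + ("right" if right else "left")


def big_clouds(opt: StrategicOption, high: float = 0.6) -> list[str]:
    """Threats in the upper-right corner: high impact AND high likelihood."""
    return [c.name for c in opt.clouds if quadrant(c, high) == "upper-right"]


def net_exposure(opt: StrategicOption) -> float:
    """Expected value of the suns minus expected value of the clouds."""
    gain = sum(s.impact * s.likelihood for s in opt.suns)
    loss = sum(c.impact * c.likelihood for c in opt.clouds)
    return round(gain - loss, 3)


def verdict(opt: StrategicOption, high: float = 0.6) -> str:
    """Apply the manageability rule first, then the Suns and Clouds corner check."""
    unmanageable = [c.name for c in opt.clouds if c.manageability is Manageability.ZERO]
    if unmanageable:
        return "abandon: unmanageable risk(s) " + ", ".join(unmanageable)
    heavy = big_clouds(opt, high)
    if heavy:
        return "manage before proceeding: " + ", ".join(heavy)
    return "proceed"


def rank_options(options: list[StrategicOption]) -> list[tuple[str, float]]:
    """Options still on the table, best net exposure first."""
    kept = [o for o in options if not verdict(o).startswith("abandon")]
    return sorted(((o.name, net_exposure(o)) for o in kept), key=lambda t: -t[1])


# Constructed sample data (hypothetical options and scores).
OPTIONS = [
    StrategicOption(
        "Market development",
        clouds=[Factor("Regulator delays launch in new region", 0.5, 0.3, Manageability.LOW),
                Factor("Incumbent rival cuts prices", 0.4, 0.6, Manageability.MEDIUM)],
        suns=[Factor("Early-mover share in new region", 0.7, 0.5),
              Factor("Cross-sell to existing customers", 0.3, 0.8)],
    ),
    StrategicOption(
        "Diversification",
        clouds=[Factor("New product fails mandatory certification", 0.8, 0.7, Manageability.ZERO),
                Factor("Single supplier lacks capacity", 0.5, 0.4, Manageability.HIGH)],
        suns=[Factor("Entirely new revenue stream", 0.9, 0.4)],
    ),
    StrategicOption(
        "Product development",
        clouds=[Factor("Delivery slips past budget", 0.6, 0.7, Manageability.MEDIUM)],
        suns=[Factor("Upsell to installed base", 0.6, 0.7)],
    ),
]

if __name__ == "__main__":
    for o in OPTIONS:
        print(f"{o.name}: net exposure {net_exposure(o):+.2f}, {verdict(o)}")
        for f in o.clouds + o.suns:
            kind = "cloud" if f in o.clouds else "sun"
            print(f"  {kind:5} {quadrant(f):11} {f.name}")
    print("ranking:", rank_options(OPTIONS))
```

Run as a script it prints each option’s net exposure, verdict and the quadrant of every sun and cloud. The ordering of the checks matters: a single unmanageable cloud removes an option regardless of how bright its suns are, and only then does the upper-right corner decide whether the option needs a management plan before it is pursued. The scores themselves are the least important part; as the text notes, the value lies in the discussion needed to agree where each sun and cloud sits.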
