Risk States

A goal's risk state reflects whether there is alignment between ambition and the organization's capacity to achieve the goal within a specified timeframe, given the current pace and direction. This concept is key in assessing the feasibility and potential risks involved in meeting strategic goals.

Depending on a goal's risk state, the methodology provides guidance on managing the risk by suggesting appropriate actions.

The methodology outlines six risk states. Determining the risk state of a goal involves a three-step process: conducting a risk analysis, forecasting potential outcomes, and gathering supporting evidence.

To showcase organisational sense of urgency and leadership resources, you would want to already now act as the risk state is your current state

  • Dire

    Priority 1

    We're in a dire risk state and need to scale back our goals.

    The warning signs are clear: Our goals are overly ambitious, and our best option might be to lower them - or can we find other options? A dire risk state is alarming, and it should drive immediate action. This is a critical moment. Is your organizational culture prepared to acknowledge the gravity of the situation without assigning blame?

    • Your risk exposure surpasses your capacity to manage it.

    • Continuing on the current path will likely lead to failure.

    • It's advisable to reconsider your ambitions.

    • Evidence strongly suggests the goal will fall short of its threshold

    For example, if a company forecasts its liquidity goal and the evidence indicates it will not be met, it's in a dire risk state—continuing on the current trajectory spells failure. Strong evidence often clarifies why things are going wrong, which can guide corrective measures. These might include raising additional capital, which could dilute shareholder interests. The crucial question is whether stakeholders are willing to provide the necessary resources.

  • Pessimistic

    Priority 2

    We're in a pessimistic risk state and need to intervene to steer towards a more positive outcome.

    Questions are flying, but there's no real mystery: you need to intervene. Do we have a culture that encourages us to step back, rethink, and adopt an analytical approach to problem-solving?

    • The forecast suggests the goal will likely fall short of its threshold, but the evidence isn't strong.

    • Your risk exposure is slightly greater than your risk capacity.

    • You need to intervene and find evidence wether the goal is realistic with the current risk capacity.

    When a situation is viewed pessimistically, it means there's a concern or expectation of potential failure or problems. This negative outlook prompts the need for intervention. Intervention involves taking proactive steps to address the identified threats and prevent negative outcomes. For example, if a project manager pessimistically anticipates delays in a project, they might intervene by reallocating resources and adjusting timelines. In essence, a pessimistic perspective highlights the need for intervention to steer towards a more positive outcome.

    The main distinction between a dire and a pessimistic risk state is that in the former, you have a clearer understanding of what needs to be corrected, though it might be unclear if addressing risk capacity is possible. In a dire risk state, the most reliable approach is to lower ambition to reduce risk exposure. In a pessimistic risk state you need to intervene, and you need to delve deeper into the underlying threats that are causing the goal to likely fall short of its threshold. After this investigation, you can determine the most appropriate actions and hope they're feasible.

  • Optimistic

    Priority 3

    We are in an optimistic risk state, needing to validate our sense of harmony.

    The range of possible outcomes is broad, and uncertainty is palpable. Although there's optimism about achieving the goal, things could swing in any direction. To strengthen our position, we need to gather as much evidence as possible and keep the forecasts updated. Can we eventually achieve harmony? Does our organizational culture support leadership through uncertainty?

    • The current forecast suggests that the goal might be met, but the evidence supporting this is weak.

    • Your risk capacity is slightly lower than your risk exposure, indicating that more evidence is needed to determine if the current ambition level is realistic.

    For example, if a project forecasts its future operational safety goal, the projection might indicate a likely success, but with weak evidence. This level of uncertainty requires the team to further explore the identified threats and opportunities. To reach a more harmonious state, we need to better understand these risks and determine effective ways to address them.

    The main distinction between a harmonious and an optimistic risk state is that in a harmonious state, you generally know what needs to be monitored and adjusted, with a clear sense of whether risk mitigation steps are feasible. In an optimistic state, you need more time to understand the threats and opportunities, then decide on the best course of action, hoping it's achievable.

  • Potent

    Potent

    Priroity 4

    We are in a potent risk state and need to explore the opportunities.

    The rocket lands safely: This state indicates a potential goldmine that could raise your ambition level. However, this potential can vanish if you don't act quickly—like if a competitor seizes the opportunity first. You must determine whether your culture fosters innovation and encourages new ideas.

    • The forecast suggests that the goal will be exceeded, but the supporting evidence is weak.

    • Your risk capacity is slightly lower than your risk exposure.

    • You need to explore whether to pursue the opportunity.

    If a business identifies one or more opportunities related to a goal, it can impact the forecast. For instance, recruiting more women into a company might positively affect a diversity goal. If the opportunity hasn't been thoroughly explored, the forecast relies on weak evidence. This is the time to evaluate if the opportunity can help exceed the goal and, eventually, raise your ambition level.

    The main distinction between a defensive and a potent risk state is that in the former, you know you need to increase your ambition but aren't sure by how much. In a potent risk state, you have a clearer sense of which opportunities to pursue and their potential benefits. The challenge is to confirm if these opportunities are truly as promising as you think, and if they can be executed. If the evidence is strong enough, you can move from a potent risk state to a more secure one.

  • Defensive

    Priority 5

    We are in a defensive risk state and need to increase our ambition level.

    Hit the snooze button: There's not much urgency because you're on track to meet your goal. You might be able to snooze once or twice, but don't get too comfortable. To avoid a culture of complacency, it's time to raise the ambition level before you fall asleep at the wheel. The organization needs to aim higher if it wants to win.

    • The forecast shows strong evidence that the goal will be exceeded.

    • Risk capacity is higher than risk exposure.

    • The current path likely leads to success.

    • The ambition level can likely be increased.

    Imagine a company that forecasts its revenue target and finds strong evidence that it will exceed expectations. This suggests that the current ambition level may be too low, pointing to a defensive stance. There's room for more risk to strike a better balance between risk exposure and risk capacity.

  • Harmonious

    Priority 6

    We are in a harmonious risk state and need to secure goal achievement

    The prize is almost yours: Congratulations—you've achieved harmony between ambition and capacity, with a high likelihood of reaching your goal. However, stay focused and don't get complacent. Does your organizational culture support maintaining focus until the end? Leadership needs to understand when it's truly safe to celebrate.

    • The forecast indicates strong evidence that the goal will be achieved within the target range.

    • Your risk capacity and risk exposure are balanced.

    • You're likely to achieve your goal if you stay on track.

    For example, if a project forecasts a safety goal with strong evidence that it's on track to meet the target, the team can be relatively confident. Similar projects in other locations have yielded comparable outcomes. However, it's still crucial to monitor identified threats and opportunities as you approach the goal's deadline.

How to find a goal’s risk state?

Let’s explore the process of determining a goal's risk state using the De-Risk Matrix, a unique approach to risk assessment that differs from traditional methods. We'll examine how to identify and classify risks, considering cultural factors that could impact the application of the matrix. The goal is to provide a clear understanding of whether an organization needs to adjust its risk exposure, increase its risk capacity, or both to meet its chosen goals. There are three steps involved in the methodology; Risk analysis, Forecasting and Evidencing.

  • Step 1 - Risk analysis

    The first step in assessing the risk state of goals is to identify risks and evaluate their probable and potential impacts. This process also involves gauging the level of evidence supporting these risk assessments. Unlike other risk evaluation methods, the De-Risk Matrix methodology focuses on finding the most likely impact a risk could have on one or more goals, emphasizing the need for solid evidence. Opportunities are considered as significant as threats because recognizing upside risks can pave the way for higher ambitions. The goal is to identify and prioritize risks that could affect multiple goals, integrating as many relevant risks as possible into the forecasting process.

  • Step 2 - Forecasting

    The second step in assessing risk states involves creating forecasts for each goal within a designated timeframe. This process integrates the risks identified earlier to predict outcomes more accurately. As measures are implemented to improve the likelihood of achieving goals, these forecasts are updated to account for their anticipated effects, potentially altering the risk state of the goals. The tools used for forecasting can range from simple Excel spreadsheets to sophisticated AI-based systems, depending on the size and complexity of the organization or project. Larger organizations often have dedicated teams or forecast owners responsible for maintaining and updating these forecasts.

  • Step 3 - Evidencing

    The third step in the De-Risk Matrix methodology, focuses on assessing the level of evidence supporting forecasts for goals. The degree of evidence provides an indication of the uncertainty in the underlying data. The step also emphasizes the need to evaluate all evidence sources and to potentially develop customized lists of evidence factors to suit specific organizational contexts. Additionally, it suggests that organizations can implement quantified approaches for evidence assessment, using weighted scoring systems.

Risks and risk analysis

Risks refer to future scenarios with potential positive and/or negative impacts on one or more goals. These are based on recognized uncertainties that could affect business or project outcomes, in line with ISO 31000's definition of risk as "the effect of uncertainty on goals." Risks must be identified, assessed, and managed in a comprehensive way. It's advisable to assign a risk owner for each identified risk to monitor and work with an action owner to address it.

Threats pose negative consequences for a business or project and require proactive mitigation. Opportunities offer potential benefits, but if not seized or if they don't deliver as expected, they can turn into threats, affecting goal achievement.

A single risk can represent both threats and opportunities. For example, the risk of digitization could mean adopting new technologies for competitive advantage or facing disruptions if ignored. Recognizing the dual nature of risks is key to effective management.

To identify and analyze risks, various methods like PESTEL, SWOT, Blue Ocean Strategy, McKinsey’s 7S, and scenario analysis can be used. The data gathered from these methods is incorporated into forecasts for each goal. Risk identification is an ongoing activity, and information about risks can emerge from formal and informal settings, such as seminars, news articles, or casual conversations.

The impact of risks on risk exposure and capacity Managing risks influences the balance between risk exposure and capacity. A business must be adaptable to stay competitive in an ever-changing environment. Recognizing key trends and adjusting goals or risk capacity accordingly is crucial to success.

The subjective nature of risk Risk perception is subjective, varying among individuals in a business or project. To address this, a systematic approach is needed. It's crucial to recognize that different people might assess risk differently, necessitating careful consideration in risk management processes.

Evidence for risks Risks should be supported by appropriate evidence. This involves evaluating whether the evidence is anecdotal or data-driven and understanding the implications for forecasts and risk management.

Practical risk identification and management Risks can be identified and analyzed through various techniques, with ISO 31010 outlining several approaches. The objective is to determine how these risks might impact goals, either positively or negatively. Risks with positive impacts are typically prioritized, while those with negative impacts require further action to mitigate threats.

Risks can affect multiple goals, so they need to be integrated into forecasts and tracked on top-5 or top-10 lists. These lists can help prioritize the most critical risks that require attention.

In summary, effective risk management aims to reduce threats from risks with negative impacts and harness opportunities from risks with positive impacts.

Forecasting

Goal Forecasts

A forecast combines "pro" (ahead) and "gnosis" (knowledge). It's similar to risk management, focusing on predicting future outcomes. Examples include weather forecasts, interest rate projections, and revenue estimates. This book doesn't cover detailed forecasting methods or tools, but you can find many resources online, like Forecasting: Principles and Practice. Not all tools can integrate risks into forecasts, but Deloitte published a whitepaper in 2013 on creating risk-based forecasts.

Forecasting tools vary from simple Excel spreadsheets and Monte Carlo simulations to complex AI-based platforms. The best tool depends on the goal's requirements and desired precision. In "The Risk State of Goals," forecasts estimate the likely outcome for each goal within a given timeframe. After creating a forecast, the organization can identify where each goal stands in relation to its target range, determining its risk state.

To make reliable forecasts, use the best available information, focusing on realistic assumptions and expected impacts from risks. The forecasts should be reviewed periodically, especially after significant events or when new data is available.

Forecasts and Organizational Culture

Different organizations approach forecasting in unique ways. It's crucial to foster a culture that accepts that forecasts can change, which might cause goals to move between risk states. Leaders should encourage acknowledging and learning from mistakes to promote a culture of adaptability and quality.

Evidencing

Assessing Evidence for Forecasting

In the De-Risk Matrix, evidence is categorized into two levels: strong or weak. The strength of the evidence affects the uncertainty of a forecast. Strong evidence reduces uncertainty more effectively than weak evidence. The same principle applies to identified risks, as discussed above.

Uncertainty impacts decision-making. A forecast based on weak evidence provides a less reliable foundation for decision-making compared to one based on strong evidence. Therefore, it's essential to gather robust evidence to minimize uncertainty. However, even strong evidence should be regularly re-evaluated to ensure its continued relevance, since the external environment is constantly changing.

Strong and Weak Evidence - Make Your List

It's advisable to create a list tailored to your organization or project, providing a benchmark for assessing the strength of evidence. You can customize the list by assigning different weights to factors based on their importance to your organization's specific goals. For instance, transferability or data source might be crucial for the forecast of a particular goal.

The assessment of evidence for forecasts and risks should be consistent across an organization or project. Establishing a shared understanding of these evidence factors is a good way to maintain uniformity. As part of this, you should also develop a prioritization scheme for the evidence factors, recognizing that some are more critical than others depending on your context.

Over time, an organization or project can identify additional evidence factors relevant to their specific context, allowing for further refinement and customization of the list. It's also essential to stay alert to changes in the external environment and be ready to evaluate new types of evidence as they become relevant.

Risk states - under the hood


ISO 31000 defines risk as "the effect of uncertainty on achieving objectives." COSO uses a similar definition, marking a shift from older approaches that focused on risk as the product of probability and consequence, mainly emphasizing threats and downsides.

In this framework, risk arises when organizations or projects set specific goals, a concept called risk exposure— the organization’s inherent risk linked to these goals. The goal is usually to meet these targets and gradually raise them over time.

Organizational capacity, or risk capacity, reflects the ability to manage uncertainty and achieve goals. The degree of risk exposure determines the level of external risk an organization faces: higher ambitions typically mean more external risks are in play. This exposure affects risk capacity, influencing the organization's ability to meet its goals and tackle internal risks. When risk exposure exceeds capacity, corrective action may be needed.

To illustrate, if you set a goal to run 3,000 meters in under 11 minutes within three months, but find this target too ambitious after assessment, it indicates you're taking on more risk than you can handle. This could mean adjusting your goals or increasing your capacity to manage the uncertainty.

The balance between risk exposure and capacity varies depending on each organization's or project's goals. Maintaining this balance is crucial for sustainable progress. If the risk exposure is greater than capacity, the methodology can suggest corrective actions. Achieving this balance is critical to managing risk effectively.