Risk Strategy

A risk strategy involves the strategic analysis and decisions an organization or project makes to move toward a desired risk state within a specific timeframe. By analyzing risk states and the patterns, the organization can choose the best approach to meet its goals, taking into account how the timeframe affects the level of risk.

Risk Strategy - short intro

Daniel Kahneman's "Prospect" theory suggests that people and organizations prefer to stay in their current situation, seeing change as risky. However, external factors will inevitably impact this situation, presenting threts and opportunities. If you don't take risks (challeging your current risk state status), you might face greater risks by doing nothing, as others could shift your goals towards failure.

It's crucial to understand that taking calculated risks yourself may be safer than inaction, which lets others control your risks and achievements. Incorporate this understanding into your organizational culture when deciding on optimal risk strategies and planning goal progression.

Elements of a Risk Strategy

  • Risk-seeking: Willingness to increase risk exposure, often to explore new opportunities. This requires additional risk capacity.

  • Risk-neutral: Maintaining the current level of risk exposure, ensuring that neither significant threats nor opportunities are overlooked.

  • Risk-averse: Reducing risk exposure by prioritizing safety, potentially shifting resources from one goal to another.

A successful risk strategy balances these elements, adjusting them as needed to maintain harmony between risk exposure and risk capacity. Organizations should also have continuity plans to handle unexpected disruptions like pandemics, severe weather, or political shifts. If these plans are inadequate, the risk strategy must be reevaluated and updated.

Key Considerations

  • Risk acceptance: Defines the levels of risk an organization or project can tolerate (goal interval).

  • No "safe havens": There is no completely safe risk state, so constant monitoring is essential.

  • Interdependencies: Goals are often interconnected, requiring a comprehensive approach to risk management.

Implementing a risk strategy requires clear focus and communication, with a willingness to make tough choices. It should outline which goals require risk-seeking, risk-neutral, or risk-averse approaches, and offer concrete actions to achieve these goals.

Creating Contingency Plans for Risk Strategies

When developing a risk strategy, it's crucial to include contingency plans. These plans should outline how to achieve a goal and what to do if things don't go as expected. If a goal's risk state starts to deviate from the risk strategy, you'll need to take corrective action to get back on course. Predefined contingency plans can facilitate a quick return to the planned path.

Contingency plans typically cover scenarios where identified risks for specific goals develop unexpectedly, planned actions don't work as intended, or forecasts and supporting evidence suggest an unanticipated shift in a goal's risk state.

Sporveien Case

Sporveien's CBTC project required strategic risk management due to its complexity. The project adopted a holistic approach to goal and risk management, assessing the risk status of goals monthly. These assessments informed adjustments to the project's risk strategy, which were then presented to the steering group, Sporveien's management teams, and the board.

Key capabilities developed for effective risk strategy included:

  • Adaptive Culture: Accepting adjustments in ambition levels and goal priorities.

  • Unified Goal Ownership: Ensuring goals were a collective responsibility, not individual pet projects.

  • Dynamic Balancing: Balancing goals dynamically to achieve the best overall risk level.

  • Opportunity Awareness: Highlighting opportunities and making strategic decisions to pursue them.

  • Effective Communication: Using the Goal Risk Status to communicate likely project outcomes and facilitate decision-making.

  • Common Understanding: Creating a shared understanding of project risks and requirements across all organizational levels.

  • Consistent Situational Awareness: Ensuring the management team had a unified view of the project's status.

An overarching risk strategy was developed for each milestone and adjusted monthly, guiding resource prioritization and reporting focus. Measures were monitored for quality, cost, and time, with new risks evaluated for their impact on goals. Below is the risk state transformation for the project from 2018 until 2021. The De-Risk Matrix supported the risk strategy by having focus on the goals were risk capacity had to be added. For goals were the threshold value was assessed as too ambitious, the value was lowered according to the methodology.

  • Risk States 2018

  • Risk States 2019

  • Risk States 2021

Culture in choosing an optimal risk strategy

Organizational culture significantly influences risk strategy selection. Leaders' and employees' judgments shape decisions and actions, affecting the chosen strategy. For instance, a defensive approach might involve gathering solid evidence before adjusting goals.

Employees adapt to the organization's values over time, but new leaders might question existing judgments, offering alternative perspectives that can lead to improvements. Often, leaders stick to established views, missing opportunities to adjust their risk understanding and strengthen goal achievement.

Kegan and Lahey identified "the immunity to change," which preserves existing thinking patterns and prevents change. Failing to alert superiors about serious risks is common, especially at higher levels, leading to severe consequences. Organizations prefer not to disturb leadership unnecessarily, taking responsibility themselves.

Time optimism is another common behavior. Leaders commit to timelines, and reporting leaders strive to meet goals, often reporting deviations too late. Fear of making mistakes and losing leaders' trust holds us back, as explored in "Immunity to Change." We rationalize fear, thinking, "I’ve been given responsibility to solve the task independently, and my leaders don't want to be disturbed."

We protect ourselves from fear, leading to automatic assessments and biases: "This is how we think and do things here," meaning work and leadership groups might not ask the right questions when working on the risk strategy. Kahneman, in "Noise - A Flaw in Human Judgment," highlights how professionals can have different perspectives without realizing it, threatening performance and reputation.

Leaders may have differing viewpoints, creating noise and confusion about what is relevant. This noise represents differing arguments not directly related to the goal, risk, or action but important to the individual. If the team doesn't analyze and agree on what to consider, it becomes harder to analyze risk states accurately. Kahneman refers to this as "noise" and "bias," making it harder to see which goals, risk states, and actions are crucial for achieving desired results.

A desired culture for choosing an optimal risk strategy involves becoming aware of how individuals and teams unconsciously close off from the unknown and unsafe. An effective process includes:

  • Showing curiosity about others' viewpoints.

  • Uncovering ingrained biases and resistance.

  • Acknowledging risk complexity.

  • Seeing the organization holistically and analyzing consequences.

  • Recognizing different interpretations of facts.

  • Avoiding rigidity to allow new solutions.

  • Demonstrating honesty about risk states.

  • Being solution-oriented.

  • Learning from each other to improve results.

This learning provides insights necessary for prioritizing differently and changing behavior individually and collectively. During crises, teams quickly learn and change attitudes and behavior.