Identify and Manage Strategic Risk Impacts on Your Organization

Identify and Manage Strategic Risk Impacts on Your Organization

The world is in a perpetual state of change. Organizations need to build adaptive resiliency into their strategic plans to adjust to ever-changing market dynamics.

Analyst perspective

Organizations need to build flexible resiliency into their strategic plans to be able to adjust to ever-changing market dynamics.

Like most people, organizations are poor at assessing the likelihood of risk. If the past few years have taught us anything, it is that the probability of a risk occurring is far more flexible in the formula Risk = Likelihood * Impact than we ever thought possible. The impacts of these risks have been catastrophic, and organizations need to be more adaptive in managing them to strengthen their strategic plans.

Frank Sewell,
Research Director, Vendor Management
Info-Tech Research Group

Executive Summary

Your Challenge

Moreso than any other time, our world is changing. As a result, organizations – and their vendors – need to be able to adapt their strategic plans to accommodate risk on an unprecedented level.

A new global change will impact your organizational strategy at any given time. So, make sure your plans are flexible enough to manage the inevitable consequences.

Common Obstacles

Identifying and managing a vendor’s potential strategic impact on your organization requires multiple people in the organization across several functions. Those people all need coaching on the potential changes in the market and how these changes affect strategic plans.

Organizational leadership is often taken unaware during crises, and their plans lack the flexibility needed to adjust to significant market upheavals.

Info-Tech’s Approach

Vendor management practices educate organizations on the different potential risks to vendors in your market and suggest creative and alternative ways to avoid and help manage them.

Prioritize and classify your vendors with quantifiable, standardized rankings.

Prioritize focus on your high-risk vendors.

Standardize your processes for identifying and monitoring vendor risks to manage potential impacts on your strategic plan with our Strategic Impacts Tool.

Info-Tech Insight

Organizations must evolve their strategic risk assessments to be more adaptive to respond to global changes in the market. Ongoing monitoring of the market and the vendors tied to company strategies is imperative to achieving success.

Info-Tech’s multi-blueprint series on vendor risk assessment

There are many individual components of vendor risk beyond cybersecurity.

This series will focus on the individual components of vendor risk and how vendor management practices can facilitate organizations’ understanding of those risks.

Out of Scope:

This series will not tackle risk governance, determining overall risk tolerance and appetite, or quantifying inherent risk.

Strategic risk impacts

Potential losses to the organization due to risks to the strategic plan

• In this blueprint, we’ll explore strategic risks (risks to the Strategic Plans of the organization) and their impacts.
• Identify potentially disruptive events to assess the overall impact on organizations and implement adaptive measures to correct strategic plans.

The world is constantly changing

The IT market is constantly reacting to global influences. By anticipating changes, leaders can set expectations and work with their vendors to accommodate them.

When the unexpected happens, being able to adapt quickly to new priorities ensures continued long-term business success.

Below are some things no one expected to happen in the last few years:

62%

of IT professionals are more concerned about being a victim of ransomware than they were a year ago.

82%

of Microsoft’s non-essential employees shifted to working from home in 2020, joining the 18% already remote.

89%

of organizations invested in web conferencing technology to facilitate collaboration.

Source: Info-Tech Tech Trends Survey 2022

Strategic risks on a global scale

Odds are at least one of these is currently affecting your strategic plans

• Vendor Acquisitions
• Global Pandemic
• Global Shortages
• Gas Prices
• Poor Vendor Performance
• Travel Bans
• War
• Natural Disasters
• Supply Chain Disruptions
• Security Incidents

Make sure you have the right people at the table to identify and plan to manage impacts.

Identify & manage strategic risks

Global Pandemic

Very few people could have predicted that a global pandemic would interrupt business on the scale experienced today. Organizations should look at their lessons learned and incorporate adaptable preparations into their strategic planning moving forward.

Vendor Acquisitions

The IT market is an ever-shifting environment. Larger companies often gobble up smaller ones to control their sectors. Incorporating plans to manage those shifts in ownership will be key to many strategic plans that depend on niche vendor solutions for success. Be sure to monitor the potentially affected markets on an ongoing cadence.

Global Shortages

Organizations need to accept that shortages will recur periodically and that preparing for them will significantly increase the success potential of long-term strategic plans. Understand what your business needs to stock for project needs and where those supplies are located, and plan how to rapidly access and distribute them as required if supply chain disruptions occur.

What to look for in vendors

Identify strategic risk impacts

• A vendor acquires many smaller, seemingly irrelevant IT products. Suddenly their revenue model includes aggressive license compliance audits.
  • Ensure that your installed software meets license compliance requirements with good asset management practices.
  • Monitor the market for such acquisitions or news of audits hitting companies.
• A vendor changes their primary business model from storage and hardware to becoming a self-proclaimed “professional services guru,” relying almost entirely on their name recognition to build their marketing.
  • Be wary of self-proclaimed experts and review their successes and failures with other organizations before adopting them into your business strategy.
  • Review the backgrounds their “experts” have and make sure they have the industry and technical skill sets to perform the services to the required level.

Not preparing for your growth can delay your goals

Why can’t I get a new laptop?

For example:

• An IT professional services organization plans to take advantage of the growing work-from-home trend to expand its staff by 30% over the coming year.
• Logically, this should include a review of the necessary tasks involved, including onboarding.
  • Suppose the company does not order enough equipment in preparation to cover the new staff plus routine replacement. In that case, this will delay the output of the new team members immeasurably as they wait for their company equipment and will delay existing staff whose equipment breaks, preventing them from getting back to work efficiently.

Sometimes an organization has the right mindset to take advantage of the changes in the market but can fail to plan for the particulars.

When your strategic plan changes, you need to revisit all the steps in the processes to ensure a successful outcome.

Strategic risks

Poor or uninformed business decisions can lead to organizational strategic failures

• Supply chain disruptions and global shortages
  • Geopolitical disruptions and natural disasters have caused unprecedented interruptions to business. Incorporate forecasting of product and ongoing business continuity planning into your strategic plans to adapt as events unfold.
• Poor vendor performance
  • Consider the impact of a vendor that fails to perform midway through the implementation. Organizations need to be able to manage the impact of replacing that vendor and cutting their losses rather than continuing to throw good money away after bad performance.
• Vendor acquisitions
  • A lot of acquisition is going on in the market today. Large companies are buying competitors and either imposing new terms on customers or removing the competing products from the market. Prepare options for any strategy tied to a niche product.

It is important to identify potential risks to strategic plans to manage the risk and be agile enough in planning to adapt to the changing environments.

Info-Tech Insight
Few organizations are good at identifying risks to their strategic plan. As a result, almost none realistically plan to monitor, manage, and adapt their strategies to those risks.

Prepare your strategic risk management for success

Due diligence will enable successful outcomes

1. Obtain top-level buy-in; it is critical to success.
2. Build enterprise risk management (ERM) through incremental improvement.
3. Focus initial efforts on the “big wins” to prove the process works.
4. Use existing resources.
5. Build on any risk management activities that already exist in the organization.
6. Socialize ERM throughout the organization to gain additional buy‑in.
7. Normalize the process long term with ongoing updates and continuing education for the organization.

(Adapted from COSO)

How to assess strategic risk

1. Review Organizational Strategy
   Understand the organizational strategy to prepare for the “What If” game exercise.
2. Identify & Understand Potential Strategic Risks
   Play the “What If” game with the right people at the table.
3. Create a Risk Profile Packet for Leadership
   Pull all the information together in a presentation document.
4. Validate the Risks
   Work with leadership to ensure that the proposed risks are in line with their thoughts.
5. Plan to Manage the Risks
   Lower the overall risk potential by putting mitigations in place.
6. Communicate the Plan
   It is important not only to have a plan but also to socialize it in the organization for awareness.
7. Enact the Plan
   Once the plan is finalized and socialized, put it in place with continued monitoring for success.
   

Insight summary

Insight 1

Organizations build portions of their strategies around chosen vendors and should protect those plans against the risks of unforeseen acquisitions in the market.
Is your vendor solvent? Does it have enough staff to accommodate your needs? Has its long-term planning been affected by changes in the market? Is it unique in its space?

Insight 2

Organizations’ strategic plans need to be adaptable to avoid vendors’ negative actions causing an expedited shift in priorities.
For example, Philip's recall of ventilators impacted its products and the availability of its competitor’s products as demand overwhelmed the market.

Insight 3

Organizations need to become better at risk assessment and actively manage the identified risks to their strategic plans.
Few organizations are good at identifying risks to their strategic plan. As a result, almost none realistically plan to monitor, manage, and adapt their strategies to those risks.

Strategic risk impacts are often unanticipated, causing unforeseen downstream effects. Anticipating the potential changes in the global IT market and continuously monitoring vendors’ risk levels can help organizations modify their strategic alignment with the new norms.

Identifying strategic risk

Who should be included in the discussion

• While it is true that executive-level leadership defines the strategy for an organization, it is vital for those making decisions to make informed decisions.
• Getting input from operational experts at your organization will enhance the long-term potential for success of your strategies.
• Involving those who directly manage vendors and understand the market will aid operational experts in determining the forward path for relationships with your current vendors and identifying new emerging potential strategic partners.

Review your strategic plans for new risks and evolving likelihood on a regular basis.

Keep in mind Risk = Likelihood x Impact (R=L*I).

Impact (I) tends to remain the same, while Likelihood (L) is a very flexible variable.

See the blueprint Build an IT Risk Management Program

Managing strategic risk impacts

What can we realistically do about the risks?

• Review business continuity plans and disaster recovery testing.
• Institute proper contract lifecycle management.
• Re-evaluate corporate policies frequently.
• Develop IT governance and change control.
• Ensure strategic alignment in contracts.
• Introduce continual risk assessment to monitor the relevant vendor markets.
  • Regularly review your strategic plans for new risks and evolving likelihood.
  • Risk = Likelihood x Impact (R=L*I)
    • Impact (I) tends to remain the same and be well understood, while Likelihood (L) turns out to be highly variable.
• Be adaptable and allow for innovations that arise from the current needs.
  • Capture lessons learned from prior incidents to improve over time, and adjust your strategy based on the lessons.

Organizations need to be reviewing their strategic risk plans considering the likelihood of incidents in the global market.

Pandemics, extreme weather, and wars that affect global supply chains are a current reality, not unlikely scenarios.

Ongoing Improvement

Incorporating lessons learned

• Over time, despite everyone’s best observations and plans, incidents will catch us off guard.
• When it happens, follow your incident response plans and act accordingly.
• An essential step is to document what worked and what did not – collectively known as the “lessons learned.”
• Use the lessons learned document to devise, incorporate, and enact a better risk management process.

Sometimes disasters occur despite our best plans to manage them.

When this happens, it is important to document the lessons learned and improve our plans going forward.

The “what if” game

1-3 hours

Vendor management professionals are in an excellent position to help senior leadership identify and pull together resources across the organization to determine potential risks. By playing the "what if" game and asking probing questions to draw out – or eliminate – possible adverse outcomes, everyone involved adds their insight into parts of the organization to gather a comprehensive picture of potential impacts.

1. Break into smaller groups (or if too small, continue as a single group).
2. Use the Strategic Risk Impact Tool to prompt discussion on potential risks. Keep this discussion flowing organically to explore all potentials but manage the overall process to keep the discussion pertinent and on track.
3. Collect the outputs and ask the subject matter experts (SMEs) for management options for each one in order to present a comprehensive risk strategy. You will use this to educate senior leadership so that they can make an informed decision to accept or reject the solution.

Download the Strategic Risk Impact Tool

Case Study

Airline Industry Strategic Adaptation

Industry: Airline

Impact categories: Pandemic, Lockdowns, Travel Bans, Increased Fuel Prices

• In 2019 the airline industry yielded record profits of $35.5 billion.
• In 2020 the pandemic devastated the industry with losses around $371 billion.
• The industry leaders engaged experts to conduct a study on how the pandemic impacted them and propose measures to ensure the survival of their industry in the future after the pandemic.
• They determined that “[p]recise decision-making based on data analytics is essential and crucial for an effective Covid-19 airline recovery plan.”

Results

The pandemic prompted systemic change to the overall strategic planning of the airline industry.

Summary

Be vigilant and adaptable to change

• Organizations need to learn how to assess the likelihood of potential risks in the changing global world.
• Those organizations that incorporate adaptive risk management processes can prepare their strategic plans for greater success.
• Bring the right people to the table to outline potential risks in the market.
• Socialize the risk management process throughout the organization to heighten awareness and enable employees to help protect the strategic plan.
• Incorporate lessons learned from incidents into your risk management process to build better plans for future issues.

Organizations must evolve their strategic risk assessments to be more adaptive to respond to global changes in the market.

Ongoing monitoring of the market and the vendors tied to company strategies is imperative to achieving success.

Related Info-Tech Research

Identify and Manage Financial Risk Impacts on Your Organization

• Vendor management practices educate organizations on the different potential financial impacts that vendors may incur and suggest systems to help manage them.
• Prioritize and classify your vendors with quantifiable, standardized rankings.
• Prioritize focus on your high-risk vendors.
• Standardize your processes for identifying and monitoring vendor risks to manage financial impacts with our Financial Risk Impact Tool.

Identify and Reduce Agile Contract Risk

• Customer maturity levels with Agile are low, with 67% of organizations using Agile for less than five years.
• Customer competency levels with Agile are also low, with 84% of organizations stating they are below a high level of competency.
• Contract disputes are the number one or two types of disputes faced by organizations across all industries.

Build an IT Risk Management Program

• Transform your ad hoc IT risk management processes into a formalized, ongoing program, and increase risk management success.
• Take a proactive stance against IT threats and vulnerabilities by identifying and assessing IT’s greatest risks before they occur.
• Involve key stakeholders including the business senior management team to gain buy-in and to focus on IT risks most critical to the organization.

Bibliography

Olaganathan, Rajee. “Impact of COVID-19 on airline industry and strategic plan for its recovery with special reference to data analytics technology.” Global Journal of Engineering and Technology Advances, vol 7, no 1, 2021, pp. 033-046.

Tonello, Matteo. “Strategic Risk Management: A Primer for Directors.” Harvard Law School Forum on Corporate Governance, 23 Aug. 2012.

Frigo, Mark L., and Richard J. Anderson. “Embracing Enterprise Risk Management: Practical Approaches for Getting Started.” COSO, 2011.

Research Contributors and Experts

• Frank Sewell
  Research Director, Info-Tech Research Group
• Steven Jeffery
  Principal Research Director, Info-Tech Research Group
• Scott Bickley
  Practice Lead, Info-Tech Research Group
• Donna Glidden
  Research Director, Info-Tech Research Group
• Phil Bode
  Principal Research Director, Info-Tech Research Group
• David Espinosa
  Senior Director, Executive Services, Info-Tech Research Group
• Rick Pittman
  Vice President, Research, Info-Tech Research Group
• Patrick Philpot
  CISSP
• Gaylon Stockman
  Vice President, Information Security
• Jennifer Smith
  Senior Director