Oh, the infamous ‘strategic versus operational risks’ debacle. (Well, it’s infamous in my nerdy circles anyway.)
If you research the difference between strategic and operational risks, you will get different views.
Some define them as the risk of a strategy failure (strategic risk) versus a failure to execute a strategy (operational risk). Others include only external factors into the definition of strategic risks. And most sound a bit abstract and leave room for different interpretations, especially in organisations with lower risk maturity.
I prefer to take a practical approach and focus on the audience. This is a much easier way for deciding what should be captured in strategic, operational or project risk registers. As part of this, you consider whether the risk requires, for example, the attention or direct involvement of the CEO, a divisional head or a project lead.
Based on my experience, a strategic risk register should generally include risks that could affect achievement of the strategic plan or that could impact the entire organisation. These are the risks that need to be collectively monitored or managed by your board or top executives.
So, if you follow this line of thought, the answer to the question above will be ‘probably not’. You generally shouldn’t have divisional or project-level risks in your strategic risk register. Well, not unless their severity could impact the organisation’s performance, continuity or reputation, which would then require the board’s attention. This ensures that executives’ time is spent on the right things, while the rest is managed at the divisional or business unit level, regardless of the risk type (financial, compliance, etc.).
That said, there is really no ‘wrong’ or ‘right’ way of doing risk assessments. Instead of striving to be a ‘risk management purist’, consider the following two things.
First, focus on the objective of your risk assessment rather than the definitions, process and documents. Prioritise ‘managing risks’ (the objective) over ‘risk management’ (the process).
If you jot down a few risks on the back of an envelope and discuss them with your leadership team over a weekly cup of coffee, and this works for your business and your stakeholders, then don’t feel the need to change anything. This is better than having a fancy system where risks are captured but not really paid attention to (where risks go to die).
Second, if your organisation has lower risk maturity but wants to improve, consider starting with a strategic risk assessment.
Often people will take a bottom-up approach and start by asking business units to conduct operational risk assessments. I prefer the top-down approach because I think it’s a better way of driving a positive risk culture.
Once your leadership team figures out a way to assess organisational-level risks, then a similar process can be followed for the divisional level. This will not only give more clarity and consistency to divisional staff but also ensure that key organisational risks are assessed first.
Also, it’s easier to get one risk register done right before moving on to completing multiple / divisional registers, rather than the other way around.
I hope this is helpful.