Risk Management in a Balanced Scorecard approach:

Risk management is the process of identifying, assessing, and controlling threats to an organization’s capital and earnings. These risks could stem from a variety of sources, including financial uncertainty, legal liabilities, strategic management errors, technology issues, accidents, and natural disasters.

Every organization can face unexpected risks which can harm strategic goals. Risk management inspects the relationship between risks and focuses on the internal and external risks of an organization. Risk management programs can help an organization by considering all risks it faces. The aim of the risk management program is not only to eliminate risks in an organization but also to try to add to enterprise value by making smart risk decisions.

The importance of Risk Management is, that it is allowing a business with the necessary tools that it can identify and deal with potential risks. Once a risk has been identified, it can be easy to mitigate it.


  1. Effective use of resources
  2. Promoting continuous improvement
  3. Fewer failures
  4. Strategic business planning
  5. Awareness of significant risks
  6. Identify new opportunities
  7. Improve communications and give comfort to stakeholders

Analysis of Risk Process:

It is a problem-solving approach that uses various tools of assessment to work out and prioritize the risks for assessing and resolving them. The process could be

Identify Risks:

  • The initial step in the risk process is identifying the risks, listing various sources of risks by gathering employees in a business, and identifying risks in order to prioritize them.
  • Because all risks are not possible to mitigate, so prioritizations can help to mitigate which affects a business that can deal with them more urgently.
  • There are many different types of risks like Enterprise risk, Operational risk, Environmental risk, Market risks, Regulatory risks, etc.

Assess the Risk:

  • After identifying risk assess risks, there are two types of risk assessments they are qualitative and quantitative.
  • Qualitative assessment analyses the level of criticality based on likelihood and consequence. The risk owner and manager can rank and prioritize each risk that is identified.
  • Quantitative assessment analyses the financial impact/benefit of the event. This can carry out by the risk owner and risk manager/the management controller.
  • The qualitative and quantitative risks are necessary for the complete evaluation of risks and opportunities.

Control Risks:

  • The objective of the control risk is Preventive Action (Reduce the probability of occurrence) of the risk and/or mitigation action (to reduce the impact) of the risk.
  • To control risk the responses included: Avoid, Accepting, Mitigate and Transfer.

Review Controls:

  • In review, control needs to be monitored and report the control plans.
  • The frequency of monitor will be dependent upon the criticality of the risk.
  • By developing a review controls the risk responses and control plans are being actioned.

Risk Management framework in the context of strategy execution:

The risks can be categorized as below:

Category I: Risks from Employees’ Undesirable and Unauthorized Actions

  • Enterprises should strive to completely avoid Category I risks. 
  • The organization gets no benefits from allowing Category I risks to occur.
  • They should strive to reduce their likelihood to zero.

Category II: Risks of Not Achieving the Enterprise’s Strategic Objectives

  • The risks that the enterprise accepts to execute the strategy and generate superior
  • Returns. The organization must identify the principal risk events from their strategy and
  • Estimate their likelihood and impact. It can then reduce the likelihood and impact of Category II risks through the use of key risk indicator scorecards and cost-effective initiatives

Category III: Risks from Uncertain, Uncontrollable External Events

  • Events that managers can neither predict nor influence; often managers “don’t know they don’t know” about such risk events.
  • Managers, however, can take prior actions to mitigate the impact of these events should they occur (e.g., build earthquake-proof structures; backup data centers in a distant region; insure; hedge)

Category I Risks:   Employees’ Unauthorized Behavior and Actions

  • theft of cash and information
  • accounting irregularities
  • fraud
  • bribery and corruption
  • breakdowns in privacy and security
  • loss or destruction of information
  • discrimination and harassment
  • illegal and unethical behavior

Strong internal controls (e.g., segregation of duties), monitored by the internal audit department, combined with standardized operating procedures, should drive the probability of compliance and business-as-usual risks essentially to zero.

Category II Risks: Events that threaten the achievement of strategic objectives

The risks the company accepts to execute its strategy and generate superior returns.

Identifying, Mitigating, and Managing Category II Risks

What can cause us not to achieve the strategic objectives on our strategy map?

  • For each objective, identify the key risk events and risk indicators for each strategy map objective
  • Aggregate risk indicators into a Key Risk Indicator (KRI) scorecard
  • Set priorities for initiatives to mitigate the major risk events
  • Conduct risk management discussions at monthly or quarterly strategy review meetings

Category III: The risk from non-controllable external events

  • What are the non-controllable external events that can cause the strategy or the entire enterprise to fail?
  • Often these are risks that “we don’t know we don’t know”
  • Need for “risk envisionment”
  • Scenario planning, War-gaming, Stress tests, and Tail risk meetings

Why Scenario planning?

  • Provide a rational process for defining the plausible boundaries of future states of the world.
  • Strategy workshops help us choose which game should we play in the current environment? What should be the value proposition we offer to target customers to position ourselves for competitive advantage?
  • Scenario Analysis reveals that many possible future environments can exist. How will our current strategy perform in the various possible future?

Summary: Three Categories of Risks and their different assessment, mitigation and management processes

fruiStrategy ® EDGE enables you to define risks of all categories, identify the risk parameters and ownership, and take appropriate actions through a systems-driven approach as part of the strategy execution process.

fruiStrategy ® EDGE empowers you to execute strategies consistently by linking strategy plan to strategy execution and aligning the whole organization’s actions towards a strategic direction. You can establish a robust strategy execution process empowered by plug-and-play modules to achieve overall organizational transformation in a systems driver approach.

Please contact Shaik Abdul Khadar, Strategy Management Expert at [email protected] or +917799798333 for a quick demo or more information.