Army as Bureaucratic Organization

A Meta-Classification of Strategic Risks: An objective-subjective perspective

1. Introduction

Nowadays public and private organizations operate in environment at an increasing complexity and dynamism, where possible crisis is a very recurring worry and the general risk is perceived as fairly high. Consequently, management of risk and uncertainty is now becoming an aspect of primary importance in organizational strategies and management (Baird and Thomas, 1985; Fone and Young, 2005), as well as an established discipline (Bernens, 1997). Indeed, there is a large agreement about the fact that it helps the organization to protect from dangers, to enhance its performance, and to establish sustainable competitive advantage by optimizing the cost of managing dangers (Gibbs, 2006).

According with the ISO 31000 Risk Management standard, the risk management process has to be articulated in different phases, which are risk identification, risk analysis, risk assessment, monitoring and treatment, and models of risk classification are recognized to be an important step in risk identification, as they are aimed at assuring the largest coverage of all types of possible risks. Such importance is justified by the general assumption that un-identified risks are risks that the organization is not able to face.

In this framework, a multitude of risk classification schemes has been produced in the last decade. The objective of the present paper is to propose a new risk classification scheme and to empirically validate it.

With this purpose, in the following of the article early work on this topic will be briefly reviewed so as to put in evidence limitations of previous risk classifications, and to show how our model could represent an improvement. After that, our tool for meta-classification of strategic risk will be presented in detail.

2. Theoretical background

2.1. Previous risk-classification models

In the last decade a multitude of risk-classification models have been proposed. The Project Management Institute, for example, identified some risk categories based on main sources of risk for the organization (2000; Pritchard, p. 16): technical, quality and performance, project management, organizational, external and legal. In the same way, Fone and Young (2005)'s risks categories arise from seven different sources-environments: physical, social, political, legal, economic, operational and cognitive. Hopkin (2002) identified similar sources: financial, infrastructure, reputational, and marketplace. And again, Andersen identified risk categories with the support of large companies'CEOs, resulting in the following list: business continuity, network, reputation, enterprise, intellectual property, kidnap & extortion, product recall, political risks, total absence management.

Although comprehensive and credited in the academic as well as applied domain, these models encounter the main limitation that categories are often overlapping (for example, project management and organizational) and that the nature of risk is already inherently specified, which may lead to a an artificial overestimation of risks belonging to the specified categories and to an under-estimation of risk belonging to the un-specified categories (for example, when adopting the Pritchard model, reputational types of risks may be under-estimated or completely over-looked).

Moreover, these models have been created based on interviews with CEOs, or employees involved in key roles, that is by means of a bottom-up investigation. Consequently, the scheme is always dependent on the context where it was created; this makes it difficult to compare results of different studies, and to export the scheme outside its original context.

An attempt to overcome the above limitations was conducted by Letens, Van Nuffel, Heene and Leysen (2007) in the seminal article titled "Towards A Balanced Approach In Risk Identification". Here authors adopted a top-down approach, which consisted in the application of the Integral Theory (Wilberg, 1977) to the identification-classification of risky events for whichever organization. The Integral theory is an overarching model of human and social development, a global scheme of physical, psychological, social and cultural phenomena, resulting from the crossing of two axes, as depicted in figure 1: the internal-external axe and the individual-collective axe.

Figure 1. The four quadrant of the Integral Theory (Wilberg, 1977)

Letens et al. (2007) presumed that the classification could be abstract enough to not to artificially evoke precise risky event and that it could be flexible enough to be applied to whichever context; additionally, categories are un-doubtly mutually exclusive (=non-overlapping) for the dichotomic nature of the axes.

Indeed, Integral theory provides individuals and organizations with a powerful framework that is suitable to virtually any context and can be used at any scale, for which reason it is becoming fairly important in organizational studies .

In the Letens et al. (2007)'s proposal the four quadrants have to be intended as follows.

The upper-left quadrant represents all the risks that directly influence the entity's experience of the world. This quadrant handles the risks related to "what the entity experiences." An identified risk is the risk that the company would have to deal with an image problem and consequently might lose business deals.

The upper-right quadrant represents all the risks related to the exteriors of the studied entity. This part of the integral framework houses the risks associated with "what the entity does"--tangible, internal risks such as the resources and the infrastructure belonging to the entity are covered by this quadrant, therefore the financial risks.

The lower-left quadrant covers the risks involved with the entire arena of culture and worldviews. The risks that are studied here are associated with "what the external environment of the entity experiences." An example would a particular meteorological problem that would affect business of the company.

Tangible risks belonging to the environment surrounding the entity belong to the lower-right quadrant. The risks that are taken into consideration in this quadrant are the risks associated with "what the external environment of the entity does." Risks belonging to this quadrant would be for example strategies and policies affecting the business of the company.

This tool was assumed to be flexible, i.e. applicable to a large variety of contexts,

...