Introduction to Strategy Formulation

Levels of Strategy

I introduce strategic management in this post. My book, The Effective CISSP: Security and Risk Management, has details.

Strategy

Strategy is a buzzword: everybody uses it, but not always with a consistent definition. Generally speaking, a strategy is a plan to achieve long-term or overall objectives derived from the organizational mission and vision. It can be developed at the corporate, business, or functional levels by different levels of managers.

The following are common definitions of strategy:

  • plan to achieve a long-term or overall objective (ISO 9000:2015)
  • plan to accomplish the organization’s mission and achieve the organization’s vision (ISO 21001:2018)
  • organization’s overall plan of development, describing the effective use of resources in support of the organization in its future activities
    Note 1 to entry: involves setting objectives and proposing initiatives for action (ISO/IEC/IEEE 24765:2017)
  • organization’s approach to achieving its objectives (ISO 30400:2016)

Strategic Management

Strategic management, a crucial element of corporate governance, comprises three phases: strategy formulation/development (strategic thinking, external and internal analysis, gap analysis), strategy implementation/execution, and strategy evaluation.

David’s Model of the Strategic Management Process
Information Security Governance
InfoSec Governance Processes

Strategy Formulation

Strategic Thinking

Strategy formulation typically starts with strategically thinking about organizational mission and vision, which shapes its long-term and overall nature. Strategic goals and objectives are derived from the mission and vision. Strategic thinking helps define the desired state.

Strategic Thinking
Goals, Strategy, and Risk
Goals and Objectives

External and Internal Analysis

External and internal analysis is typically conducted to scan the macro and micro environments and industries for opportunities and threats, identify stakeholders, understand their needs and requirements, determine the constraints and resources, and so forth. SWOT analysis is one of the most well-known tools for external and internal analysis; it helps determine the current state and may contribute to the desired state.

External and Internal Analysis

Gap Analysis

Determining the gap between the desired and current states implies that both states have been determined. Once the gap has been identified, a roadmap with milestones and initiatives is defined to move from the current state to the desired state. A strategy can be expressed as portfolios of initiatives. A business case evaluates an initiative in terms of cost and benefit and other feasibility dimensions. If the business case is approved, the initiative is turned into a project. A portfolio, evaluated by return on investment, can comprise one or more programs or projects.

Strategy Development
Strategic Portfolios
Organizational Strategy

Strategy Implementation/Execution

A policy expresses management's intention. Once the strategy is formulated or developed, policies are issued to direct the strategy execution/implementation. Once the management intention of strategy implementation is explicitly expressed through a policy, a project charter is then established to authorize the project formally.

Strategy, Initiative, Product, and Project
PMI OPM Strategy Execution Framework
Project Life Cycle (Source: PMBOK)

Strategy Evaluation (Performance Measurement)

Goals and objectives, measured by KGIs and KPIs, are typically organized into hierarchical levels or dimensions. The balanced scorecard (BSC) is a strategy evaluation or performance measurement tool that typically uses four perspectives/dimensions: learning and growth, internal processes, customer, and financial perspectives.

Balanced Scorecard (BSC)

A business case is not only developed to evaluate the feasibility of an initiative and make the go/no-go decision in the initiation phase but also to track the benefits realized and value created across the whole life cycle.

Business Case

Reference

A BLUEPRINT FOR YOUR SUCCESS IN CISSP

My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.
