5 Steps to Effective Strategic Risk Management
Strategic risk management is a crucial, but often overlooked, aspect of enterprise risk management (ERM). Traditionally, ERM has focused on categories of risk such as financial and operational, but those risks aren’t always connected to the organization’s strategy. In fact, if you don’t identify your “strategic risks,” there could be greater consequences given they can come from various categories and include risks that threaten an organization’s future and even their survival.
What is risk management?
Before we dive into an overview of strategic risk, let’s discuss generally what risk management is. Risk management is defined as the process of identifying, assessing, and mitigating risks that pose a threat to an organization.
Risk management is an important part of an organization’s overall governance, risk, and compliance (GRC) strategy. With a constantly changing regulatory landscape and new risks emerging everyday, audit and risk professionals play a major role in ensuring risk management best practices are in place. From things like supply chain constraints to ESG to artificial intelligence (AI), risk management in business is key to help protect your organization.
It truly is everyone’s responsibility to help manage risk on behalf of the organization, which is why having established and well-defined risk management methods can help everyone understand and manage risks more effectively.
To enable employees and leadership, it’s important to have a methodology that provides a clear risk management strategy and a process that can be used across the organization to help everyone stay on the same page. In addition, to avoid confusion or misallocation of resources, having a common understanding of risk terms is also key to effective risk management.
Now that we’ve explored what risk management is, let’s take a look at some common types. Risk management examples include:
- Operational risk management
- Compliance risk management
- IT risk management
- Third-party risk management
- Enterprise risk management (which includes strategic risk management)
- Insurance risk management
Why is risk management important?
Risk management is crucial because it helps organizations understand how they will identify and mitigate potential risks, which could have a significant impact on their reputation and financial stability or result in non-compliance with laws or regulations ranging from local to global.
Creating a risk management plan can help organizations address matters such as data protection and privacy, cybersecurity, financial crime, and more as they arise. An effective plan needs to reflect an evolving risk environment, which requires frequent evaluation of risks.
Risk management plans must also be broadly shared across the organization so employees and leadership have the information they need to make timely risk-based decisions and coordinate efforts to mitigate risks appropriately.
What does risk management do?
As I said before, risk management really does fall on everyone at an organization, but internal audit and risk professionals are on the second and third lines of defense and typically in charge of monitoring and managing this across their organizations.
Overall, the teams and individuals responsible for risk management should be constantly identifying and assessing factors that can contribute to risk, and finding ways to help mitigate those risks.
After identifying risks, which is typically done during a risk assessment process and generally documented using a risk assessment matrix, an organization needs to determine how to move forward whether they accept the risk (it is tolerable and we can surmount it), reduce the risk (should take steps to minimize it), or share the risk (shouldered by multiple teams in the company).
What is strategic risk?
Simply put, strategic risks are risks that a company takes that could potentially result in a major loss. As I said in the beginning, these are the types of risk that not only threaten a company’s future success but also their survival. There are several strategic risks to consider, from legal and regulatory changes to merger integrations. Like any type of risk, organizations need to determine which strategic risks could have the most impact.
For example, a company that has superior and unmatched manufacturing processes will still fail if their consumers no longer want their products or can easily access similar products from somewhere else. This lesson was learned by even the most efficient buggy whip makers once Henry Ford introduced his Model T in 1908. Cellphone handset manufacturers faced a similar crisis when the Apple® iPhone® arrived on the scene. And think of the continued impact Amazon’s digital-first approach has had on many traditional retailers.
These are all examples where a strategic risk management process could have helped companies mitigate the impact of these new disruptive technologies, while also presenting them with an opportunity to innovate and maintain market relevance.
And that’s where identifying strategic risks comes into plan. By first identifying strategic risks, organizations can then develop an effective strategic risk management plan to help combat the root cause and mitigate these types of risks.
What is strategic risk management?
Strategic risk management is the process of identifying, quantifying, and mitigating any risk that affects or is significant to a company’s business strategy, strategic objectives, and strategy execution. With more significant risk exposures over the years, including the financial crisis and the recent banking crisis, there has been an accelerated focus on strategic risk management. It has also become an increasingly important risk type for the board and executive management to understand and make informed decisions on.
There are many strategic risks, but here are a few to consider:
- Shifts in consumer demand and preferences
- Legal and regulatory change
- Competitive pressure
- Merger integration
- Technological changes
- Senior management turnover
- Stakeholder pressure
As you can see, strategic risk is focused on the big stuff, and prioritizing strategic risk management means sweating the big stuff first. In other words, an effective strategic risk management framework should prioritize understanding the risks that your business faces to take the necessary steps to protect your assets and your business.
Strategic risk is a bell curve
Like any business risk, understanding strategic risks requires looking at the distribution of potential outcomes (frequently falling into a normal distribution or “bell curve”) with the most likely outcome being the peak of the curve. Many strategic risk management strategies focus on this peak ignoring the slope to either slide. Understanding the distribution of possible outcomes and comparing it to the expected impact that risk management activities will have on reducing the risk exposure is a crucial component of developing an effective risk management strategy.
Imagine two strategic risk examples, each with a similar expected result. One falls along a narrow, steep curve, indicating a low risk of failure and little upside opportunity. The other is represented by a wider bell, with greater chances of both under- and over-performance. Which to choose? The answer depends on an individual company’s risk appetite.
Strategic risk management: Shifting the curve
Now imagine a third curve with that same expected result. This one rises steeply from the left but slopes more gently downward on the right. Here, downside risk has been minimized, and upside opportunity increased. That is the goal of strategic risk management: to shape the curve in a way that favors success.
How do you measure and manage strategic risk?
As the saying goes, you can't manage what you can't measure.
For us to understand the different strategic risk management techniques, we must first take a look at how to measure it. A key tenet of ERM solutions is measuring risk with the same yardsticks used to measure results. In this way, companies can calculate how much inherent risk their initiatives contain and monitor risks to inform business decisions.
Strategic risk can be measured with two key metrics:
- Economic capital is the amount of equity required to cover unexpected losses based on a predetermined solvency standard. This standard is usually derived from the company's target debt rating. Economic capital is a common currency with which any risk can be quantified. Importantly, it applies the same methodology and assumptions used in determining enterprise value, making it ideal for strategic risk management.
- Risk-adjusted return on capital (RAROC) is the anticipated after-tax return on an initiative divided by its economic capital. If RAROC exceeds the company's cost of capital, the initiative is viable and will add value. If RAROC is less than the cost of capital, it will destroy value.
Five steps for effective risk management strategies
Strategic risk solutions involve five steps that must be integrated within the strategic risk management planning and execution process to be effective:
- Define business strategy and objectives. There are several risk management methods that companies commonly use to plan strategy, from simple SWOT analysis to the more nuanced and holistic balanced scorecard. The one thing that these frameworks have in common, however, is their failure to address internal and external risk. It is crucial, then, that companies take additional steps to integrate risk management at the planning stage by using a risk management framework, which is a template used by companies to identify, eliminate, and minimize risks. A great place to start identifying and prioritizing risks is by building a risk assessment matrix. You can use this as a way to define risks and categorize them based on the likelihood of occurrence and level of impact. Plus, it helps increase visibility of risk across your organization (remember the importance of keeping everyone up to date on risk).
- Establish key performance indicators (KPIs) to measure results. The best risk management KPIs are detailed, providing an idea for how a company can improve performance. So, for example, overall sales is a poor KPI because there could be a multitude of reasons why a company is or is not hitting targets, while sales per customer lets the company drill down for answers.
- Identify risks that can drive variability in performance. An effective risk management strategy will identify the unknowns, such as future customer demand, that will determine results.
- Establish key risk indicators (KRIs) and tolerance levels for critical risks. Whereas KPIs measure historical performance, KRIs, or key risk indicators, are forward-looking leading indicators intended to anticipate potential roadblocks. Tolerance levels serve as triggers for action.
- Provide integrated risk reporting and monitoring. Finally, companies must monitor results and KRIs on a continuous basis to manage risks or grasp unexpected opportunities as they arise.
Strategic risk represents the greatest dangers your company faces, but also presents some of the greatest opportunities. Taking steps to follow risk management best practices at the enterprise level can minimize downside exposure while allowing you to take advantage of these opportunities. By assessing and responding to strategic risks in an ever-changing environment, your company can drive innovation, remain agile, and build risk resilience.
Apple and iPhone are trademarks of Apple Inc., registered in the U.S. and other countries and regions.
Grabbing Risk by its Horns | Best Practices for SOX, Audit, Risk, and Compliance
How is risk managed, tracked, and controlled at your organization, and how can you enhance the process and your results? Join this session to hear about the latest best practices in SOX, audit, and enterprise risk management.