Sharpening strategic risk management

Authors: Armoghan Mohammed and Richard Sykes

While conventional enterprise risk management (ERM) techniques have done a reasonable job in identifying and mitigating financial and operational risks, research shows that it is the management of strategic risk factors that will have the greatest impact on your ability to realise your strategic objectives [1]. Bringing ERM into the forefront of strategic decision making and execution could thus give your business a decisive edge.

Strategic risks can be defined as the uncertainties and untapped opportunities embedded in your strategic intent and how well they are executed. As such, they are key matters for the board and impinge on the whole business, rather than just an isolated unit.

Strategic risk management is your organisation’s response to these uncertainties and opportunities. It involves a clear understanding of corporate strategy, the risks in adopting it and the risks in executing it. These risks may be triggered from inside or outside your organisation. Once they are understood, you can develop effective, integrated, strategic risk mitigation.

Far from holding back the business, strategic risk management is about augmenting strategic management and getting the full value from your strategy. In a typical instance, a conventional approach to setting and executing strategy might look at sales growth and service delivery. Rarely does it monitor the risks of a shortfall in demand.

As Figure 1 outlines, effective strategic risk management is built around a clear understanding of how much risk your business is prepared to take to deliver its objectives, and a timely and reliable evaluation of how much risk it is actually taking.

Figure 1: Managing risk to deliver objectives

The problem is that risk management can often be run separately from frontline strategic assessments, decision making and monitoring against plans. Boards can thus improve their focus on risk by integrating risk management into their routine strategic evaluation, debate and challenge.

Figure 2 sets out the main types of risk a business is likely to face. Financial risks are typically well controlled and are part of the routine focus of board risk discussions, with strong impetus coming from the increased regulatory, accounting and financial audit focus. As financial information is a key element of stakeholder communications, performance measurement and strategic delivery, board risk discussions will devote considerable time to these risks.

Operational risks are typically managed from within the business and often focus on health and safety issues where industry regulations and standards require. These internally driven risks may affect your organisation’s ability to deliver on its strategic objectives.

Hazard risks often stem from major exogenous factors, which affect the environment in which the organisation operates. A focus on the use of insurance and appropriate contingency planning will help address some of these. However, there is often a danger that as many of these risks cannot be controlled, boards and senior management will not reflect these in their strategic thinking. Confining strategic management to controllable factors will leave your business at risk of failing to address these factors.

Strategic risks are typically external or affect the most senior management decisions. As such, they are often missed from many risk registers. Your board has a responsibility to make sure all these types of risks are included in their key strategic discussions.

Figure 2: Risks to business

So how are risk management frameworks evolving in the face of these gaps in how risk is managed and the need for greater integration with strategic management? Our conversations with boards highlight three major concerns. First, many executives are worried that the risk frameworks and processes that are currently in place in their organisations are no longer giving them the level of protection they need.

Second, boards are seeing rapid increases both in the speed with which risk events take place and the contagion with which they spread across different categories of risk. They are especially concerned about the escalating impact of ‘catastrophic’ risks, which can threaten an organisation’s very existence and even undermine entire industries.

The third shift is that boards feel they are spending too much time and money on running their current risk management processes, rather than moving quickly and flexibly to identify and tackle new risks. As a result, some are not convinced that their return on spending on ERM is fully justified by the level of protection they gain from it.

PwC recently conducted a qualitative research study into how various multinational organisations have responded to these challenges. The study revealed four key findings:

The boards of big organisations do not fully understand the risks that they are running...
... or how the knock-on impacts can spread across risk categories. This in turn makes it harder to manage organisations within their risk appetite.


Checks and balances at the board level are critical.
Does the board have people with enough industry expertise to ask tough questions about executives’ decisions? In many cases the answer is no. Even the most sophisticated approach to risk can be undermined by a lack of industry insight.


In the Internet age, speed and prejudice are all.
Information moves instantaneously around the world, and opinion morphs into accepted ‘fact’. So corporations must hit the ground running with the right responses delivered at pace. All too often, they are caught unprepared.


Leadership and culture.
There is frequently a gap between what management says about risk and what it does. Are the CEO and board setting the right behavioural example and risk-aware culture, in line with the corporation’s strategy? Do rewards encourage risk-based thinking and behaviour?

 

These shortcomings reveal that current approaches to risk management are no longer fit for purpose. It is important to develop and expand existing frameworks and tools, drawing on outside experience and knowledge wherever possible. Indeed, the external viewpoint that independent directors can bring to the boardroom will play an essential part in ensuring this breadth of risk-thinking enhances the development of strategic thinking. The challenge your and many other boards face is how to make sure the processes used to review and approve strategy can be extended to include an appropriate consideration of risk. There is a range of approaches that may be considered.

A well-defined understanding of how risk impinges on strategy is essential. The achievement of strategic objectives will often be expressed as one or more key strategic intents or visions. Examples include ‘increasing revenue by £X in the next year, increasing market share in core markets by Y% or improving customer satisfaction metrics by Z’. In setting these strategic goals, the board intends to increase or safeguard the company’s share price for investors (or other types of value for key stakeholders for non-profit organisations).

The impact of risk events can be expressed as an acceptable variation in these strategic goals, which management is prepared to accept to achieve them (e.g., 2% growth with virtual certainty, or 10% growth with increasing risk of losses). While not all risks can be mapped back to a defined impact on strategic outcome metrics, the discipline of considering risks in this context will help your board to understand the potential impact and define the priorities for managing these risks.

Key questions for the board

The previous article, ‘Building a risk-resilient organisation’, posed five questions designed to help your organisation judge how effectively key risks are understood and managed. Here, we take this further by putting forward a series of questions aimed at helping you judge how effectively risk considerations are integrated into strategic objectives and their execution:

1. How well is my strategy actually defined?

A good understanding of the key risks to strategic goals and the share price of the organisation requires a good understanding of the strategy itself. A robust articulation of the key elements of strategy (strategic intent, strategic drivers/actions, the context within which the strategy will be delivered, etc.) will allow your board to define and identify how the strategy will interact with the risks faced by the business.

2. How broad are the risks that we are considering?

Strategy should be defined in the context of the risk environment in which the business operates. The broader the consideration of the types of risks the business faces, the better the strategy can be developed to respond to or navigate through these risks. Bringing together the internal risk information from the business, with an understanding of exogenous risk exposures as highlighted by senior management and non-executive directors in particular, should be a key focus of the board.

3. What risk scenarios have we considered to test our plans?

It is often difficult to identify all potential risk exposures and their causes. Those risks that are going to be of most interest to the board will often be defined by the potential impact of the consequences of the risk manifesting. Scenario analysis with board input can encourage management to consider a range of scenarios that can result in significant adverse consequences for the business and help to make sure a wider breadth of risk impacts are considered than is currently the case.

4. Have we mapped our risks to key performance and value measures?

Where possible, it is useful to consider risk in the context of how shareholders or stakeholders measure value in the organisation. This will help management articulate to stakeholders how the risks they are taking or the risks the business is exposed to may affect the organisation’s ability to realise its objectives. Creating common metrics for risk and performance also allows management to define the priorities of risk management activities and focus on the more relevant risks to stakeholders and the board.

Encouraging management to understand risk impacts in the context of key performance metrics can be a complex task. However, if the key value drivers of the business are well understood by management, determining the potential impact of risk events on these value drivers should be achievable and would be considered part of a good risk management system.



1 Black swans turn grey - the transformation of risk, January 2012
(http://www.pwc.co.uk/governance-risk-compliance/publications/risk-practices-black-swans-turn-grey-the-transformation-of-the-risk-landscape.jhtml)