Risk Through the Eyes of Strategy: How the COSO ERM Framework looks at the relationship between risk and strategy from three perspectives


Authors: Frank Martens and Sallie Jo Perraglia

Strategy selection is a high-stakes exercise. In 2012, 81% of the biggest underperformers against their industry over the prior 10 years had lost their way because of strategic blunders, strategy+business magazine reported.[1] They couldn’t blame their failures on execution, operational errors, compliance faults or external events. It came down to strategy.

Indeed, the success of any strategy is closely linked to an organization’s understanding and command of risk. Can that command of risk be improved? We think so. And we think the right way to approach it is by looking at risk through the eyes of strategy, taking three different perspectives.

Integrating risk and strategy from three perspectives is embedded in COSO’s draft ERM Framework update, called Enterprise Risk Management – Aligning Risk with Strategy and Performance. COSO engaged PwC to author the update of its Enterprise Risk Management – Integrated Framework, published in 2004, and recently released a draft for public comment through September 30.

From the eyes of strategy, think of three perspectives on risk: risk coming toward the strategy; risk coming from the strategy; and the risk of the strategy itself. The first refers to execution risk that rises to the level of strategic consideration. The second refers to the risk profile of the strategy – and of all the alternatives. The third is the risk of the strategy itself not moving the organization to realize its raison d’être. We detail them in succession below.

We think all three perspectives have been under-appreciated by most strategy functions. They can help boards and management better understand how risk and strategy interrelate. Most importantly, these perspectives make clear how strategy selection can be enhanced. Indeed, the draft Framework update provides principles that boards and management can use to apply these three perspectives and improve their strategy and performance.

1. Risk to executing the strategy

Strategy and risk are integrally related – and they always have been. Indeed, most strategy-selection processes do consider risk. Usually, however, those risks are considered in relation to their potential effect on the ability to execute the strategy.

There are times when the risks found in execution become so important that they threaten the strategy itself. The risks coming toward the strategy – we call them the “risks to executing the strategy” – are important enough that the board should consider revisiting the strategy.

Think of cyber-risk. Before data breaches became commonplace, cyber-risk was a threat left to IT departments to manage. Now, cyber-risk is a boardroom issue. In our 2015 Annual Corporate Directors Survey, 65% of directors said they wanted to spend more time talking about IT risks, including cyber-security.[2] The only topic they believed deserved more attention was strategic planning.

In some cases, those boardroom conversations aren’t limited to “what are we doing to manage cyber-risk?” kinds of execution questions. Rather, they’re about whether cyber-risk could endanger the strategy. Companies involved in the “Internet of Things” (IoT), for example, including Fortune 500 auto-makers and industrial giants, know their strategy won’t succeed if they don’t understand how cyber-risk affects them. So they keep an eye on developments, ready to shift strategic direction as the cyber-risk environment changes. Those are the risks to executing the strategy, seen through the eyes of strategy.

2. The implications from the strategy

Every potential strategy has a risk profile, a set of risks that emanate from the strategy – these we call the “implications from the strategy.” Management and boards of directors should consider how each alternative strategy maps to the organization’s risk appetite, and how each alternative will drive the organization to set business objectives, allocate resources, and develop coherent, distinctive capabilities. Then, and only then, should management and boards select and approve a strategy from among alternatives.

In mass-market fashion, for example, an entrant might consider many different strategies. Two of them might be a fast-growth expansion in emerging markets, and a high-turnover approach of speeding new designs from runway to retail in two weeks.

Each of those strategies, and the related capabilities needed to execute them, has its risks. The first strategy asks whether the brand can create customer loyalty in emerging markets and whether the company can manage geopolitical and treasury risks. The second strategy raises questions about whether designs will always be on trend and whether designs can be manufactured and moved through the supply chain quickly enough. Both are viable strategies. But each has a different risk profile built on different assumptions.

The board and management need to understand these assumptions – the implications from the strategy – before they approve a strategy. Because if they contrast the risk implications from alternative strategies – if they vet all alternative strategies for their implications – they might actually select a different strategy than they otherwise would have.


3. The possibility of strategy not aligning

Central to selecting a strategy is the possibility of strategy not aligning with an organization’s mission and vision. Every organization has a mission, vision and core values that define its purpose, what it’s trying to achieve and how it wants to conduct business.

A chosen strategy must support the organization’s mission and vision. A misaligned strategy increases the possibility that, even if successfully executed, the organization may not realize its mission and vision. Misalignment could be obvious, like a (hypothetical) tobacco maker entering the holistic health and wellness market, or it could be subtle. A hospital, for example, might save lives by building a medical tourism business. But if it’s a community hospital whose mission is to serve the community’s disadvantaged, then the medical tourism service is misaligned with the mission. The hospital’s reputation could be seriously damaged if an overseas patient were given preferential treatment over an indigent senior from the neighborhood. That’s an example of the risk of strategy not aligning.

Due diligence and strategy reviews

The biggest sources of value destruction are embedded in the implications from the strategy and the possibility of strategy not aligning with mission and vision. Those dimensions put the emphasis on getting the right strategy in the first place, rather than on execution.

In turn, this suggests a different approach – a risk-centric approach – to due diligence in selecting strategy. It may not be enough to stress test only management’s proposed strategy, which is where many board deliberations stop today. Instead, each alternative strategy can be tested just as rigorously. Risk profiles can be developed for each alternative, and matched against the organization’s capabilities and risk appetite. And each alternative must make sense against the organization’s mission and vision. After this rigorous risk-centric assessment of alternatives, a strategy can be selected, objectives set and resources allocated – all with much greater confidence.

Granted, strategy selection is typically done every three to five years. But strategy is also often evaluated annually. In this process, knowing which risks to the strategy to keep an eye on is important. If those risks to the strategy – whether it’s cyber-security for an Internet of Things developer, or brand reputation in emerging markets for a fashion house – have undone the assumptions behind your strategy, it’s time to re-open the strategy-selection process.

In both the due diligence process and in strategy reviews, ERM can be used to see risk from strategy’s vantage point. Many ERM programs have in practice stressed execution risk, and therefore missed the bigger-picture role of a risk-centric approach to strategy selection. This was a major emphasis in updating the Framework – to ensure that ERM’s utility for strategic processes was made clearer. To see how, visit erm.coso.org to download the proposed Framework. Take a look at the draft Framework through the eyes of strategy and consider how ERM can be used to improve due diligence and strategy reviews. We invite you to comment on the proposed updated COSO Framework through the COSO site, or visit www.pwc.com/coso-erm for more updates.


What is the COSO ERM – Integrated Framework?

Originally issued in 2004 by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), the Enterprise Risk Management – Integrated Framework is one of the most widely recognized and applied enterprise risk management frameworks in the world. It provides a principles-based approach to help organizations design and implement enterprise-wide approaches to risk management.

After a decade of experience with the ERM Integrated Framework and with evolving practices in enterprise risk management, opportunities to get more value out of ERM became evident. Encouraged by the progress, COSO set out to update the ERM Integrated Framework and to further address the alignment of risk, strategy and performance. In 2014 COSO re-engaged PwC to serve as the project team.

A draft of the updated Framework was released on June 15, 2016. The proposed Framework, now called Enterprise Risk Management – Aligning Risk with Strategy and Performance, provides boards and management with principles to manage risk, from strategy-setting through execution, and recognizes the increasingly important connection between strategy and performance.

For more information on the COSO ERM Framework, please visit our microsite

[1] Christopher Dann, Matthew Le Merle and Christopher Pencavel, “The Lesson of Lost Value,” strategy+business (Winter 2012).

[2] “Governing for the long term: Looking down the road with an eye on the rear-view mirror,” PwC’s 2015 Annual Corporate Directors Survey.

PwC will not independently validate the feedback received from third-party sources for consideration in the continued development of the Framework

Contact us

Dennis L. Chesley

Partner, PwC US, Global Risk Consulting Leader

Tel: +1 (202) 730 8036

Frank Martens

Global Risk Framework and Methodology Leader, PwC Canada

Tel: +1 (604) 806 7590

Sallie Jo Perraglia

Manager & COSO Project Team Member