Reflections on Strategic Risk
Surveys say people are paying more attention to so-called “strategic risk”. The latest from Deloitte, called Risk Angles, says:
“Strategic risk is not new; however, in a world where risks are hastened along by business trends and technological innovations, strategic risk management has taken on new urgency. In fact, according to a recently published global survey of more than 300 companies, conducted by Forbes Insights on behalf of Deloitte, 94% say they aren’t just increasing their focus on managing strategic risks; they are changing how they do it – most often by incorporating strategic risk management into their business strategy and planning processes.”
There’s a Strategic Risk Management magazine, my friends at RIMS (the risk management society) have a paper and web page on strategic risk management, and according to a report from IIA, internal auditors in the USA need to pay more attention to strategic risks. In fact, earlier this year the IIA released a Practice Advisory (which is considered “strongly recommended guidance”) on “Internal Audit Coverage of Risks to Achieving Strategic Objectives”.
This sounds right, but it is worth exploring further.
For a start, just what is “strategic risk”?
RIMS says that “Strategic Risk Management (SRM) is a business discipline that drives deliberation and action regarding uncertainties and untapped opportunities that affect an organization’s strategy and strategy execution”.
A 2011 article by (originator of Deloitte’s excellent Risk Intelligence series) Mark Frigo and Richard Anderson, “What is Strategic Risk Management”, defines SRM as “a process for identifying, assessing and managing risks and uncertainties, affected by internal and external events or scenarios, that could inhibit an organization’s ability to achieve its strategy and strategic objectives with the ultimate goal of creating and protecting shareholder value. It is a primary component and necessary foundation of Enterprise Risk Management”.
The IIA doesn’t really define strategic risk, but says “Executive management is responsible for identifying and managing risk in pursuit of the organization’s strategic objectives. It is the board’s responsibility to ensure that all strategic risks are identified, understood, and managed to an acceptable level within risk tolerance ranges. Internal audit should have an understanding of the organization’s strategy, how it is executed, the associated risks, and how these risks are being managed.”
In Risk Angles, Deloitte defines strategic risks as “risks that have a major effect on a company’s business strategy decisions, or are created by those decisions. So they tend to have a larger and more widespread impact than the other types of risk that businesses have traditionally focused on, in areas such as operations, finance and compliance.”
Leaving aside the error in some of these definitions that risk management is only about the downside and not the seizing of opportunities, there is a larger question:
If risk is the effect of uncertainty on objectives (the ISO definition, but if you read COSO ERM carefully, you will see they essentially say the same thing), then how is “strategic” risk different?
In fact, if a risk doesn’t have a significant potential effect on the organizations strategies and goals, why should we worry about it?
Aren’t all risks that matter therefore “strategic risks”?
A compliance risk can significantly affect an organization’s ability to achieve its strategic goals. Just ask JP Morgan Chase as they consider their multi-billion dollar fines.
An operational risk, such as the floods in Thailand that shut down hard drive manufacturers, can cripple an organization.
We could stop there and conclude that the concept of something separate and distinct “strategic risk” is nonsense. But, I have a proposition for you to consider.
In the Introduction to the ISO 31000:2009 global risk management standard, there is this paragraph:
“Risk management can be applied to an entire organization, at its many areas and levels, at any time, as well as to specific functions, projects and activities.
You can (and should, in my opinion) take all your organization’s defined business strategies and goals and take a top-down approach to understanding and assessing the uncertainties surrounding achievement of each of those strategies. That should include assumptions that have been made, the things that need to go right, the things that could go wrong, and the events and circumstances that could lead you to surpassing your objectives. All of those uncertainties should be understood, an assessment made as to whether the risks are at acceptable levels, and actions taken as necessary to optimize outcomes.
I would call this top-down approach strategic risk management. It doesn’t preclude the individual risks being financial, compliance, green, blue, or whatever you want to name them.
At the same time, there is nothing fundamentally wrong with understanding and assessing risks at lower levels of the organization, such as those surrounding the use of technology. The key is to prioritize resources on the risks that matter to the organization as a whole over those that only matter to one department, business unit, or location.
In other words, if you are assessing risks within an area such as IT, Finance, or Human Resources, consider whether they will have an effect of any significance on the success of the organization as a whole in achieving its strategies and strategic goals in the pursuit of value.
If they would, then you can choose to call them strategic, red, blue, or whatever. If not, perhaps they relate to activities that are not relevant to the organization’s objectives and which can be cut back.
Personally, I prefer to focus on the risks that matter to the organization’s success. I just call them risks.
What do you think?
Leave a comment
Norman Marks on Governance, Risk Management, and Internal Audit 
I would call this top-down approach “enterprise risk management”.
I think the strategic risk management label is just more consultant nonsense.
Q
Quinton – I agree with both you & Norman – consultants have to re-package the same methodologies every so often in order to keep selling more seminars/books.
I think most American billion dollar companies tend not to care about any potential financial losses that don’t directly, negatively, impact their primary sources of revenue. Why should they? Fines can be appealed and reduced, there is always another supplier for temporary shortages (especially with 3d printers), and as long as the temporary revenue shortages fall (pun intended) within tolerable ranges, concern over these issues seems to be lacking. Just $.02 based on my specific experience.
Norman: Great topic. The challenge for many/most IA shops is that historically they have only audited a small % of their entity’s top “strategic objectives”, if any. I consider these to be the top objectives in the organization’s short/medium/long term plans. In my experience even ERM programs that profess to cover the full range of objectives have often not focused on completing risk assessments on top strategic risks. I see this routinely when I examine what’s in what most companies call their ERM “risk registers”. The traditional direct report audit model where auditors decide if they think “controls” in place/use (versus much bigger category of “risk treatments”) is adequate or “effective” is not well suited for this type of work. “Operational auditing”, the field of audit that has tried to tackle “strategic objectives”, regardless of what some may say, has not had a very positive track record based on my 25+ years in the space and feedback I get from senior executives and boards.
The board/demand driven/objective centric approach to ERM and IA we promote recommends an entity’s “OBJECTIVE REGISTER” include, as a minimum, the entity’s top “value creation” objectives which we define as the one’s capable of significantly impacting value, as well as top “potential value erosion” objectives which include financial statement reliability, obeying laws, safeguarding assets etc. Those interested can see presentations I have made on the business case for this approach at:
Click to access Risk-Oversight-Inc-Board-Driven-Objective-Centric-IA-ERM.pdf
In my opinion the IIA needs to focus significant resources on raising the skills of internal auditors so their boards and senior executives look to them and ERM support teams for help completing risk assessments on the really big, really important value creation objectives capable of creating/driving long term success. This represents a major opportunity for IA and ERM groups up to the task.
I couldn’t agree more on your theme and central points. In some sense, just as there never should have been a reason for creating ERM as a separate discipline from risk management, SRM falls into this same category. If risk management is done well and comprehensively, all elements of ERM and SRM should be accounted for and addressed.
The comments and definitions reflect a dangerous gap/disconnect and I am sad to say many experts are missing one of the most critical elements…not one mention of prevent or prevention in the definitions or the blog. While Mother Nature’s risks may not be preventable, many risks are. Evidence from hundreds and hundreds of post incident reports reveal most risks associated with humans are preventable if an organization and their people are equipped with the prevention tools.
Risk Management definitions suggest “reactive management” of risks rather than “proactive prevention”.
The good news is there are many examples of innovator organizations who are proving “proactive prevention” is a more effective, more efficient, less traumatic and less expensive solution.
Rick Shaw
Founder Awareity
Norman you are correct. Risk is risk.
Reblogged this on Corporate Governance & Social Responsibility.
Norman, right again. Risks are events or circumstances that may affect the organisation’s achieving its purpose – I prefer that word to “objectives” because too many see their objectives only in terms of revenue, profits, compliance, achieving targets etc. without recognising that risks which affect purpose come before all other goals and those goals are secondary, even if they are essential. A business fulfils a purpose in the value it provides, or should provide, getting goods to its customers as well as returns to its shareholders; just as a hospital for example, is there to provide safe and effective healthcare before it is there to produce a profit or to meet targets set by regulators. But achieving all those secondary gorals, and the tertiary and further goals from the top to the bottom of the organisation – but the successful completion of tasks is essential to achieving primary purpose just as the failure at the detailed level can have devastating impact on overall success. You probably know the old saying “for the want of a nail the shoe was lost; for the want of a shoe the horse was lost; for the want of a horse the rider was lost; for the want of a rider the battle was lost; for the want a battle the war was lost, and thus the kingdom was lost – all for the want of a nail.” So risk management needs to start top –down but be understood form the bottom up. That’s why I think organisations need a risk manager – someone who can help identify the top-down stuff and also draw together the bottom up stuff: ensuring the strategic leaders have enough knowledge to take the right decisions but don’t get bogged down in the details which need to be managed a a far lower level. Best wishes, Sarah
I agree with your views. But would like to refer COSO here…. COSO cude II clearly identifies 4 objectives –
Strategic
Operational
Reporting
Compliance
Being Strategic one of the objective, Strategic Risk Management has always been part of ERM. However, if some organisation wants to emphasis on Strategic part of it then I don’t see any problem. Rather, some time it is easy to make understand the management who are not so expert in risk culture.
Regards,
Kushal
InternalAuditExpert.in
Risk is risk only so far as objectives are objectives. COSO identifies 4 objective areas: compliance, financial, operational, and strategic. If I have a strategic objective to increase market share by 10% in 2014, I cannot focus on that and ignore risks to meeting my financial reporting goals or my employee retention goals. These may have some impact on market share, but not to the extent my R&D, sales and marketing departments do — and so risk events that impact (positively or negatively) those department goals are much more stategic. They are not, however, the only risks I need to mitigate and manage. Sometimes it is the mundane risks that reach out and bite us, and we ignore those risks at our peril.
All very relevant points. Enterprise risk management is a combination of both bottom up approach & top down approach. The bottom up approach is generally used is to find out the operational, compliance & financial risks at unit levels. These values are then aggregated to arrive at the Value at risk at the enterprise level. The top down approach begins with the risks that are strategic in nature and could be caused due to external factors such as changes to industry or technology. Firms may even need to re-look at their business model to deal with strategic risks . Failure to preempt these changes and to deal with strategic risks may lead to a firm going bust.
Hi Norman, I fully agree with you that every risk that impact an organization’s long term goals are strategic risk whether compliance, technology, HR or anything (see Micheal Porter’s value chain). These are also called business risk. However, financial risk is different from business risk. I have discussed risk categorization here: http://lnkd.in/b6MB7mw
Hi Norman. FYI The D&T Risk Intelligence series started in 2006 not 2011 with the firms Enterprise Risk Services practice. What you see now is the refresh and extension of the original series. You may know some of the originators including Rick Funston, Eric Hespenheide and myself. Best regards Mike.
Risk is risk. It matters not whether the source of the uncertainty is strategic, operational, or financial. However, risks originating from strategic sources are often ignored or downplayed because they are more difficult to quantify. Therein lies a significant strategic risk.
Risk is risk. I am not sure that this is a useful comment !
Agree with Tim, substantially. But a small niggling doubt: If the board (or the relevant body) does not ‘demand’ an objective-centric approach, but is instead ‘content’ with cosmetic efforts like annually-reviewed risk registers (perhaps the minimum required by regulators or other stakeholders), then what does the risk practitioner do. This may be a bit of a digression, but in such situations (a hard reality in many environments outside North America and Europe), can a deliberate focus on terminology like ‘strategic risk’ help bring attention to the nature of risk itself, and thus further the cause of effective risk management?
The board will be happy until something goes wrong. Then where is the risk manager who goes no further?
Norman: Just to clarify, though my last sentence was worded like a question, it was actually a suggestion, for a risk manager to further the cause of effective risk management, possibly by using terminology like ‘strategic risk’ to focus attention of key stakeholders.
Strategic risk is but one of three related elements:
– Strategic Risks
– Strategic Objectives
– Strategic Controls
At the risk of splitting hairs, and for the purposes of this discussion, I will define ‘organization’ as the ‘controlling entity’, since ‘organization’ otherwise exists at various levels up and down the institutional food chain.
By that definition, strategic risks are those which impact the controlling entity as a whole at a material level and may impact for a significant period of time. A strategic risk may directly impact a specific unit of an organization, (IT cloud administration), but if its impact can bring down the entire organization, or render a significant part of it inoperable, it is strategic. That’s the functional / organizational dimension.
The time dimension of identifying strategic risk is that it may impact over an extended period of time, either by condition of impact of consequences of impact. Whereas many of our organizational control processes are tactical in scope and time horizon, strategic risks require a different kind of management that transcends the typical management operating and reporting time horizon.
Although many strategic risks can be identified within the boundaries of corporate objectives, many are not. Climate change, energy transition, political risks and technological change are areas of risk beyond the entity’s definition of discretionary management direction. So it is often not possible to effectively define all relevant strategic risks in response to defined institutional objectives. In some cases, such as climate change, the definition of strategic objectives and related controls may be difficult to impossible in some instances due to the highly contingent nature of some critical elements of risk, but the risk exists nonetheless, and must be monitored over time and across the controlling entity in a deliberate and coordinated fashion over an EXTENDED period of time. (IF there are any readers whose executive management DO NOT suffer from Attention Deficit Disorder, please raise your hands.)
Finally, there is the issue of strategic controls which, in my personal observation, are often inadequately defined. Strategic controls are, or should be, closely aligned with and defined by strategic objectives in order first and foremost to assure the attainment of those objectives, and thereby to mitigate the strategic risks associated with those objectives to an optimum degree. This is where things most frequently break down. Organizations either do not define their strategic controls at the 30,000 foot controlling entity level of perspective, or they poorly manage them down and across the organization, and over time. IT and HR are notable examples of this failure in many instances. These are functional areas for which failure to administer strategic policy across the controlling entity can have pervasive implications beyond their cubicles.
Is strategic risk real. Yes. But it’s only part of the story.
Deb: You raise a very good point. I suspect at least some significant % of boards will not be “demanding” much in the way of specific deliverables from ERM and IA groups in the short term, but believe the “codification” of board risk oversight expectations will slowly start to change this. The FSB has put out a very detailed set of expectations for financial institutions in their July “Effective Risk Management Framework” paper and the UK has taken the lead with their November exposure draft on board oversight of risk, control and liquidity. The Canadian guidance on board risk oversight is starting to get traction and is now included in all core board certification programs and is being presented regularly by the Institute of Corporate Directors in Canada. The NACD in the U.S. is focusing significant resources on this topic. Parveen Gupta and I have authored a new paper that is scheduled for publication in Conference Board Director Notes on “Risk Oversight: Evolving Expectations for Boards”.
I believe boards will start to change and only hope ERM and IA service providers recognize the need for radical changes to status quo approaches.
The second step for an organization is to integrate strategic risk management into its existing strategy setting and performance measurement processes. As discussed above, there is a clear link between the organization’s strategies and its related strategic risks. Just as strategic risk management is an ongoing process, so is the need to establish an ongoing linkage with the organization’s core processes to set and measure its strategies and performance. This would include integrating risk management into strategic planning and performance measurement systems. Again, the maturity and culture of the organization should dictate how this performed. For some organizations, this may be accomplished through relatively simple processes, such as adding a page or section to their annual business planning process for the business to discuss the risks it sees in achieving its business plan and how it will monitor those risks. For organizations with more developed performance measurement processes, the Kaplan- Norton Strategy Execution Model described in The Execution Premium may be useful. [9] This model describes six stages for strategy execution and provides a useful framework for visualizing where strategic risk management can be embedded into these processes.
This discussion was also posted on the LinkedIn ISO 31000 Risk Management Standard and has generated so far 44 comments.
You can join the debate under the short link here : http://lnkd.in/bejanfY
Alex Dali, MBA, ARM, President at Global Institute for Risk Management Standards – G31000
Risk communications is a science-based, professional practice that is often an integral part of integrated risk management. Risk communications supports the identification and effective management of a wide range of risks that can exist for an organization, as well as for individuals and groups. Unlike public affairs or public relations, its primary focus is on stakeholders, those who are impacted by or who have a stake in the decisions professionals within Health Canada can make about risks and how they are managed. Although it may involve one-way information out about risks, strategic risk communications is generally characterized by an exchange of appropriate information that leads to informed decision-making.
Dan, I agree with your theme and comments expressed by Chris and Tim in particular.
I am also mindful of Kaplan’s recent categorization of risks into those which are preventable (Processes, Systems, People), strategic (those which we consciously take in pursuit of superior returns) and external (those which are emerging and difficult to anticipate and for which building and maintaining organisational resilience is an imperative…ref this years Davos global risk report etc).
On this basis not alone must we apply a more top down (ERM/SRM) approach but we must also temper our risk appetite such that the speed at which management is are driving the entity does not exceed its ability to absorb shock and respond in a manner which satisfies stakeholders. Thus we have the strategic imperative that management must at all times be in a position to defend reputation when business operations are threatened or regulators concerned as to practices etc..
Thanks
Peadar
In this post, you have given in-depth information about strategic risk management. I really enjoyed reading it.