Which came first, strategy or risk: which is the chicken and which is the egg?
Which comes first: strategy or risk? Is strategy the result of identifying opportunities and risks, how you optimize the balance of risk and reward? Or, do you set strategy based – in part – on risk-related information – so risk is an input to the strategy-setting and management process?
This seems to be a continuing discussion. I first had this come up in conversations with highly respected risk practitioners, who felt that governance in general was a subset of risk management: including not just the setting of strategy, but oversight of management as they deliver value to the stakeholders. It came up again last week in an email dialogue (initiated by one of my blogs) with an experienced chief audit executive.
There is definitely a critical relationship between risk and strategy:
- The processes of setting strategy and managing performance need risk information if they are to be effective.
- The more critical risks to manage are those relating to the achievement of organizational strategies, goals, and objectives.
- When risk levels change, consideration should be given to changing strategy.
The case for risk coming first is interesting but, for me, not convincing. Certainly, one can say (and people I respect do say) that the risk management program provides the information from which strategy is determined. But I have issues, all of which are rooted in the ISO 31000:2009 standard:
- ISO defines risk as the “effect of uncertainty on objectives”, with a critical clarification in Note 1: “an effect is a deviation from the expected – positive and/or negative”. I contend that the ‘expected’ referenced in the definition is what is projected and expected in the strategy.
- In the Introduction to ISO 31000:2009, two of the benefits of risk management are that it “increase(s) the likelihood of achieving objectives”, and “establish(es) a reliable basis for decision making and planning”.
- Note 3 to the definition of a risk management framework says: “the risk management framework is embedded within the organization’s overall strategic and operational policies and practices”. This is repeated in section 4.3.4.
- Section 4.3.1 of the standard asks the user to understand the (external and) internal context of the organization before starting the design and implementation of the risk framework. One of the elements of the internal context (which clearly precedes and is external to the risk framework) is “policies, objectives, and the strategies that are in place to achieve them.”
- The final nail in the coffin of the argument that strategy-setting is included in risk management is the fact that the process for setting strategy is not part of the ISO standard’s process.
So, my conclusion is that the organization sets strategy, and risk management is embedded within both the strategy-setting process and the process for managing performance against the strategies. Risk management is about identifying and enabling the management of risks that might affect the achievement of organizational goals and strategies.
Do you agree? Chicken or egg?
Leave a reply to Naomi Burley Cancel reply
Norman Marks on Governance, Risk Management, and Internal Audit 
Norman – Strategy setting occurs in the context of risk, so risk comes first. Whether you’re starting up a new business, adding a new product line or deciding to add to staff, you consider the risk in the environment and plan (strategy) accordingly. Good plan and good implementation, good result. Bad plan and bad implementation, bad result. Get strategy and its implementation right for a good result.
Keep up the good work.
Larry
My response as to which should come first is: Neither. They should be considered together. Setting strategy without considering risk is pardon the pun “very risky” and will leave the strategy incomplete. Considering risk before setting the strategy will result in similar problems. Risk management should be part of any strategy setting.
Sandy Liebesman
Norman
Peter Bernstein suggested in his book “Against the Gods,” that risk comes into play only when we place a bet on an outcome that will result from a decision we have made. The definition of risk I use is, “an event or situation that could compromise or enhance our ability to achieve an objective.” Until you have made the decision to achieve a specific objective using a specific strategy, you cannot assess risks. My definition is a little more detailed than the ISO definition, “the effect of uncertainty on objectives”, but to me, it is also more clear as to cause and effect.
Hugh Goldie
At the risk of sitting on the fence I would say it depends on what ‘flavour’ of risk you are speaking of.
At the time of setting the strategy the Board (or whoever undertakes this task) must determine its risk appetite, however the management of the risks that are inherent in the business operations, the market or industry the business operates in and the risks the Board agrees to undertake when they sign off on the strategy all are managed and continually managed for the duration of the life of the activities that arise as a consequence of the strategic direction dictated by the Board.
I would have to say that risk is a policy consideration. Policy comes before strategy, because it serves to constrain strategic options.
Another way to look at the issue is from an investor’s (whether entrepreneur, founder capital, or aftermarket) perspective. The investment process always starts with the investor’s risk profile.
Corporate governance needs to begin with a risk/return promise to investors, which is codified in policy. Boards should then use this policy as the primary criterion for evaluating management’s strategy proposals.
However, I would not go so far as to suggest that corporate governance is primarily a risk management mechanism. It needs to be equally concerned with the BETA and ALPHA of shareholder value. In other words, the policies boards develop and enforce need to be both restrictive and enabling.
You cannot set strategy without understanding your risks. Risk is defined as the effect of uncertainity on objectives. Strategy is about how you are going to meet your objectives. A difefferent risk assessment would focus on the risks that might prevent you from meeting your startegic plan.
My assumption is that strategies are established to achieve goals. One can assess the risk to a strategy only after a strategy has been defined. I think we might be pondering a mute point or beating a dead horse with chickens and eggs because ultimately they are two different things are are equally important and inextricably linked.
I see them as related and part of an analysis loop. I’ve described the three GRC components as a Rubik’s cube problem. They need to line up.
There is also a Plan (set the objectives/strategy), Do (design the system), Check (what are the risks, necessary resources, etc. and the margins of error, i.e. evaluate), Act (implement) aspect to this. Risk analysis helps inform the final decision, but then comes around again as an additional results input for Plan adjustment.
Then you get into the issue of risk for specific areas, like IT risk management and IT governance as parts of the whole ERM and Corporate Governance picture.
It can get messy and hard to follow, but can also make or break a business.
I equate strategy with the roadmap one has defined to achieve a goal or objective. That strategy or roadmap is developed after due consideration of risk. Strategy without considering risk is flawed and will likely fail. In practice one should continuously iterate between the two and it does not matter which you initiate first i.e. set strategy, assess risk, change strategy or assess risk, set strategy, re-assess risk etc. There is no chicken or egg dilemma here, both approaches will give you a good outcome.
All strategies have risk – even the risk of not setting objectives etc. All risks need a strategy (or part thereof) to either increase or decrease their likelihood or impact. As such, they are completely intertwined but if you had to say what is the best order of emphasis on which part, then I say:
1. Identification of Risks comes first
2. Identification of Strategy alternatives
3. Assessment of the potential changes in the Risks Identified under the various Strategy alternatives
4. Selection of Strategy
5. Determination of Objectives to achieve Strategy that INCLUDES the Identification of Mitigating Actions and Risk Tolerances given the expected effects on these on the Identified
6. Management of Mitigating Actions
7. Monitoring of actual changes in Risks
and the cycle starts again with identification of alternative choices of Strategy etc.
Of course the speed of the cycle depends on the circumstances. In the Aviation sector, strategy for investment in terminals etc is long term but risk management around aircraft and passenger movements is real-time. That is why I believe that ISO31000 was a missed opportunity as it set out a process rather than stressing that risk managment is all about attitudes – of People and how they differ and chnage – what seemed a rational choice during boom times is often seen as reckless in slumps.
Norman, you are asking an important question. Five years ago, I published two articles on this topic. The first was entitled, “Which Comes First: Managing Risk or Strategy Setting? Both!”, published in Financial Executive in January 2006 and available on the FEI website. The second had a similar title and was published by Investor Relations in June 2006. In each article, I came to the same conclusion you did on the question of which comes first, strategy or risk? My answer was they both come first.
The supporting discourse in both articles picks up on the integration theme, as you’ve noted in your blog. Enterprise value is the value placed upon an organization by its stakeholders. While value can be expressed in different ways, we presume that shareholder value is a measure of choice for executives of public companies. Using enterprise value as a context, we can better understood how integrating risk with strategy-setting can make a difference. There are at least four broad choices available to management when protecting and enhancing enterprise value:
(1) Create new opportunities. The enterprise invests in new business activities promising attractive returns expected to exceed the cost of capital.
(2) Improve performance. The enterprise improves performance and increases returns of existing business activities by improving policies, processes, competencies, reporting, technology and/or knowledge in ways that achieve this desired result.
(3) Harvest existing value. The enterprise withdraws from existing business activities with inadequate returns. For example, these activities have generated (or are expected to generate) returns that do not exceed the cost of capital.
(4) Align risk-taking with risk appetite. The enterprise takes specific steps to align its risk taking with its core competencies.
The point is twofold: First, for strategy-setting to be effective, it must focus on the above four choices. Second, the relative risks inherent in individual business units and activities vary, as do expected returns.
In January 2007, Protiviti published Issue 10 of Volume II of The Bulletin to discuss the two articles’ premise of four choices available to management for enhancing and protecting enterprise value with the point of view that risk is inherent in all four of these choices. Last year, we published two issues of The Bulletin (Issues 1 and 2 of Volume IV) to focus on the process of integrating risk in strategy setting. One issue featured Protiviti’s PRIM2 thinking. The other issue picked up on an approach to contrarian thinking which has been written about by several people, including Rick Funston and Gary Klein. I believe that this approach supports your blog and resonates well with C-level executives and directors.
Norman – Good thread. Both are interlinked like the black and white cells in the chessboard. Though ‘it depends’ view may also come out based on why we want to analyze this, both aspects – Strategy and risk go hand in hand in major decisions. It is just that this may be done unconsciously. Both are crucial elements of Organizational survival and growth. The analysis of one will bring out action items on the other ; Be it at the Org, State or Governmental level. They both are interlinked and required for making critical decisions!
I fall in line with the consensus in this discussion string, further noting risk is the essence of business. An entrepreneur must immediately confront the risks of opportunity costs when committing time to developing a business strategy. Every decision from the point of a business’ genesis has embedded risks. The variation actually comes in the context of business decision makers either explicitly or implicitly addressing risks when setting strategy.
A more pointed question is which is formally addressed first in a business planning process. Or, alternatively, which should be addressed first? I think it is safe to say that the majority of organizations of all sizes formally set their strategy first before considering risks (or in many cases they don’t formally assess risks). Most of us in this forum would probably agree that strategy should explicitly integrate risk analysis. The line where organizations implicitly address risks in strategy planning is the warfront for those of us trumpeting the value of risk management.