Reflections on Strategic Risk
Surveys say people are paying more attention to so-called “strategic risk”. The latest from Deloitte, called Risk Angles, says:
“Strategic risk is not new; however, in a world where risks are hastened along by business trends and technological innovations, strategic risk management has taken on new urgency. In fact, according to a recently published global survey of more than 300 companies, conducted by Forbes Insights on behalf of Deloitte, 94% say they aren’t just increasing their focus on managing strategic risks; they are changing how they do it – most often by incorporating strategic risk management into their business strategy and planning processes.”
There’s a Strategic Risk Management magazine, my friends at RIMS (the risk management society) have a paper and web page on strategic risk management, and according to a report from IIA, internal auditors in the USA need to pay more attention to strategic risks. In fact, earlier this year the IIA released a Practice Advisory (which is considered “strongly recommended guidance”) on “Internal Audit Coverage of Risks to Achieving Strategic Objectives”.
This sounds right, but it is worth exploring further.
For a start, just what is “strategic risk”?
RIMS says that “Strategic Risk Management (SRM) is a business discipline that drives deliberation and action regarding uncertainties and untapped opportunities that affect an organization’s strategy and strategy execution”.
A 2011 article by (originator of Deloitte’s excellent Risk Intelligence series) Mark Frigo and Richard Anderson, “What is Strategic Risk Management”, defines SRM as “a process for identifying, assessing and managing risks and uncertainties, affected by internal and external events or scenarios, that could inhibit an organization’s ability to achieve its strategy and strategic objectives with the ultimate goal of creating and protecting shareholder value. It is a primary component and necessary foundation of Enterprise Risk Management”.
The IIA doesn’t really define strategic risk, but says “Executive management is responsible for identifying and managing risk in pursuit of the organization’s strategic objectives. It is the board’s responsibility to ensure that all strategic risks are identified, understood, and managed to an acceptable level within risk tolerance ranges. Internal audit should have an understanding of the organization’s strategy, how it is executed, the associated risks, and how these risks are being managed.”
In Risk Angles, Deloitte defines strategic risks as “risks that have a major effect on a company’s business strategy decisions, or are created by those decisions. So they tend to have a larger and more widespread impact than the other types of risk that businesses have traditionally focused on, in areas such as operations, finance and compliance.”
Leaving aside the error in some of these definitions that risk management is only about the downside and not the seizing of opportunities, there is a larger question:
If risk is the effect of uncertainty on objectives (the ISO definition, but if you read COSO ERM carefully, you will see they essentially say the same thing), then how is “strategic” risk different?
In fact, if a risk doesn’t have a significant potential effect on the organizations strategies and goals, why should we worry about it?
Aren’t all risks that matter therefore “strategic risks”?
A compliance risk can significantly affect an organization’s ability to achieve its strategic goals. Just ask JP Morgan Chase as they consider their multi-billion dollar fines.
An operational risk, such as the floods in Thailand that shut down hard drive manufacturers, can cripple an organization.
We could stop there and conclude that the concept of something separate and distinct “strategic risk” is nonsense. But, I have a proposition for you to consider.
In the Introduction to the ISO 31000:2009 global risk management standard, there is this paragraph:
“Risk management can be applied to an entire organization, at its many areas and levels, at any time, as well as to specific functions, projects and activities.
You can (and should, in my opinion) take all your organization’s defined business strategies and goals and take a top-down approach to understanding and assessing the uncertainties surrounding achievement of each of those strategies. That should include assumptions that have been made, the things that need to go right, the things that could go wrong, and the events and circumstances that could lead you to surpassing your objectives. All of those uncertainties should be understood, an assessment made as to whether the risks are at acceptable levels, and actions taken as necessary to optimize outcomes.
I would call this top-down approach strategic risk management. It doesn’t preclude the individual risks being financial, compliance, green, blue, or whatever you want to name them.
At the same time, there is nothing fundamentally wrong with understanding and assessing risks at lower levels of the organization, such as those surrounding the use of technology. The key is to prioritize resources on the risks that matter to the organization as a whole over those that only matter to one department, business unit, or location.
In other words, if you are assessing risks within an area such as IT, Finance, or Human Resources, consider whether they will have an effect of any significance on the success of the organization as a whole in achieving its strategies and strategic goals in the pursuit of value.
If they would, then you can choose to call them strategic, red, blue, or whatever. If not, perhaps they relate to activities that are not relevant to the organization’s objectives and which can be cut back.
Personally, I prefer to focus on the risks that matter to the organization’s success. I just call them risks.
What do you think?
Recent Posts on this Blog
- Is a new maturity model for GRC the right model? September 25, 2016
- The Wells Fargo “Staff Scam”: More questions and fewer answers September 16, 2016
- The astonishing Wells Fargo fraud September 10, 2016
- Leading an effective information security capability September 4, 2016
- Have your provided comments on the COSO ERM draft? August 31, 2016
- How to do your internal audit risk assessment August 27, 2016
- Do techies really understand cyber risk? August 20, 2016
- Continuing to learn about culture from Toyota August 13, 2016
- The danger of an arrogant board August 7, 2016
- The Board and Technology: Questions to ask the management team July 31, 2016
- IIA Insights on Internal Audit Effectiveness July 22, 2016
- Deloitte predicts change for Internal Audit July 20, 2016
- Risk and Opportunity Management July 2, 2016
- Risk reporting to the Board June 26, 2016
- We need to review and provide feedback on the COSO ERM Exposure Draft June 19, 2016
- Fraud, Abuse, and Corruption September 26, 2016
- Reconsidering the Board: Its Composition and Oversight of Management September 19, 2016
- Time for the Board to Take a Deep Dive Into Risk Management and Risks September 12, 2016
- Oversight of the External Auditor September 6, 2016
- Signs of a Failing Board August 29, 2016
- Contrasting Comments on Internal Audit From a CAE and a Consultant August 23, 2016
- Asking the Tough Questions About Internal Audit August 15, 2016
- When Risk Management Fails August 8, 2016
- An Internal Audit Ambition Model August 1, 2016
- Understanding and Assessing Governance Risk July 25, 2016