Always-On risk and strategy management
I like the idea of “always-on” strategy and performance management, as discussed in a piece by members of the BCG consulting firm.
Always-On Strategy hardly mentions the word “risk”, but it’s there in a major way.
Consider this:
To increase the odds of success in today’s turbulent environment, leading companies are complementing their annual strategy-setting process with something more dynamic. We call it always-on strategy.
Always-on strategy gives companies a systematic way to scan for signs of disruption and explore unexpected changes to the strategic environment. Companies identify the most pressing strategic issues and regularly engage senior leaders in formulating a response.
Doesn’t this sound like risk identification, assessment, monitoring, and response?
Aren’t “issues” the same as risks?
Later, the authors say:
Always-on strategy complements the annual [strategy] process by giving senior leadership a regular forum in which to monitor and discuss issues that warrant continual attention, including those identified during the annual process and during the course of the year.
Isn’t this what we strive to achieve with risk management, addressing the issues that might affect the achievement of strategies and objectives?
But the authors see issue or risk monitoring as the responsibility of the Chief Strategy Officer:
The chief Strategy Officer (CSO) and the strategy team are ideally positioned to identify issues from the top down, both in the business units and externally. They can provide a structure and tools to capture and filter information from the broader organization.
CSO doing this instead of the CRO?
What does this mean?
If the language of strategy and issues resonates with leadership, use it instead of the technobabble of risk.
I met one CRO who reports to the CSO.
Is that a model that makes sense (in non-regulated industries – because the regulators have a risk-averse view of risk management)?
Maybe it does.
Maybe it allows and stresses an emphasis on achieving objectives instead of ‘managing risk’.
What do you think?
Leave a Reply
Norman Marks on Governance, Risk Management, and Audit 
Norman, I couldn’t agree more. Effective integration of risk with core management processes implies adoption of language that resonates with executive management. In raising the line of sight to strategic risk, the CSO must be engaged. This “always-on strategy” lmessage is essentially what we’ve been saying for years of the need to position the organization as an early mover. Good stuff!
A specific topic close to my heart. In non regulated industries, indeed getting risk and strategy closer together makes perfect sense. For a risk mgt function to optimise value in non FS sector, its through the strategic planning or always on type approach, where this is obviously most able to occur. If you have a Strategy head who “gets” risk, and who is not a “yes” man, having the risk function reporting through him therefore can be good for lots of obvious reasons. But what if the strategy function see their role as one which expedites getting investment proposals approved to make the overall strategy happen?. Can and does this mean they do not always cimprehensively assess all the issues/risks associated with proposals?. In my organisation, this is clearly the situation so having risk reporting through to strategy would not work effectively, despite this having some benefits.. ie there needs to be a balancer who attempts to work with strategy in a close and collabirative way…and yes this does mean to some extent we are playing the stereotyped good cop v bad cop roles in formulating investment proposal papers (with the bad cop mature enough to recognise it needs to factor in the opportunities/benefits into the risk analysis), it can still work. So long as the papers overall provide a balanced view is what matters. Whats going on in people’s heads at the end of the day trumps formal org structural arrangements and you need to find an arangement where this is optimised which may mean org arrangements need to differ across organisations to some extent. The other factor to consider is that some risk functions may also play a significant role in more operational risk matters, and the risk function reporting through to strategy, may not lend itself well for this role to be undertaken robustly. Horses for different types of courses in regards to org structure arrangements!. Rgs
Agree with Glenn’s comments especially when it comes to operational risk management, the importance of which may be diluted if reported through strategy. On the other hand it may bring strategy to life (if its sitting there in a non-dynamic way) to have risk directed through it. But the functionality and responsibilities of strategy would have to be reviewed and revised.
Chief Risk Officer, (who isn’t responsible for risk – all employees are); Chief Strategy Officer (who isn’t responsible for strategy: the Board decide it, management deliver it). Aren’t we in danger of diluting responsibilities to the extent that everyone can pass the buck to somebody else?
Organisations have structures in place with people in specialist roles to help board set strategy and management deliver it. Chief Strategy Officers, Chief Risk Officers etc are some of these people. Sure everyone is responsible for delivering the strategy and for risk, but some organisations feel the need to have some guys to coordinate things a bit…nothing wrong with this from my perspective….so long as they have the right things going on around in their heads…and that is where the problem can be sometimes.Having the right org reporting relationships cannot be ignored though as it can sometimes impede people doing their roles effectively. From the risk perspective, the org set up has to vary a bit as it depends on what type of role they are undertaking, how others in their roles perceive their roles etc. Those advocating one only set up (ie consultants) live in a different world to me.
Agreed Norman, I was with a CRO recently who raised his collaboration with his CSO. I shared the BCG paper and his comments resonates with yours.
Agreed. However, shouldn’t the CRO and the CSO be one and the same person?