Strategic risk management 101: The director’s guide

Strategic risk is occupying more of board directors’ time and headspace than ever. The need to identify and tackle the significant risks your organization faces is a priority action for all directors. To do this effectively, you need a thorough understanding of strategic risk, what it is and how you can respond to the strategic threats you face. You need to understand the latest approaches to strategic risk management and the board’s role in creating a strategic risk management plan. Here, we explore the essentials of strategic business risk.

What Is Strategic Risk?

Pinning down a strategic risks definition can be a challenge, as there are different understandings of what comprises a “strategic” risk.

The Association of Chartered Certified Accountants (ACCA), who identify as the global body for professional accountants, defines strategic risks as “those that arise from the fundamental decisions that directors take concerning an organization's objectives.”

Deloitte looks further than this; their definition of strategic risk encompasses risks that threaten business strategy decisions as well as those that arise from them. Deloitte defines strategic risks as “those that either affect or are created by business strategy decisions.”

A paper published by a panel of US academics agrees. The paper notes that a definition of strategic risk that focuses only on risks generated by external factors “creates… problems.”

This approach neglects the significant risks that can originate within the organization; for example, quality failings are brought about through poor governance, risk and compliance processes.

It also includes trends in external factors as a source of strategic risk, something the paper’s authors take issue with, arguing that predictable trends shouldn’t be a source of risk; instead, it is deviations from these trends that can cause risks.

Of course, defining trends as a non-risk assumes that organizations have the insight and data to identify these trends and spot any deviations. Being able to achieve this demands that you adopt best practice governance intel strategies and understand the broader risk landscape.

Whatever the finer details of your strategic risk definition, there is no doubt that when we seek to answer “What is strategic risk?” the response is that these are the big picture risks with a significant impact on an organization’s ability to deliver.

Strategic risks are the significant risks that need to sit at the top of every board’s priority list.

Examples

The types of risk typically defined as “strategic” include:

• Competitive risk
• Change risk
• Regulatory risk
• Reputational risk
• Political risk
• Governance risk
• Financial risk
• Economic risk
• Operational risk

You can read more about different examples of strategic risk in our article on strategic risk examples.

How Are Approaches to Strategic Risk Changing?

The types of strategic risk, as above, may be fairly unchanging. But as with everything, the devil is in the detail, and the nuanced threats your organization faces will shift constantly. Strategic risk analysis and mitigation demand that your approach keeps pace with these changing threats. Risk management approaches have traditionally been backward-looking — examining financial indicators and the existing regulatory landscape. As a result, they can lag behind any new risks the business faces. As Deloitte noted as long ago as 2013, companies are now “making a deliberate effort to improve” their proactive strategic risk management capabilities. Some of the ways that strategic risk management frameworks have evolved in recent years include:

• A move from purely quantitative to qualitative risk management. Historically, strategic risk assessment was based purely or largely on quantitative factors; financial indicators, for instance, as we’ve noted above.

Increasingly, organizations have realized that some of their most relevant risks may only show a financial impact several years down the line or that the risk may be significant in some ways but the direct financial impact minimal. As a result, boards have started to measure strategic risk in purely financial terms and the context of softer metrics like reputation. As ethical considerations and broader CSR and ESG move up the corporate agenda, these metrics drive customer and stakeholder decisions and play an increasing role in the strategic risk matrix.

• A shift from defining process to usable insight. As companies tackled the issue of strategic risk management for the first time or upped their focus on strategic risk, they concentrated on the process. There’s no doubt that implementing the right processes forms an essential bedrock for your strategic risk management program. But once these are in place, your focus can evolve. With the right processes underpinning your approach, directors can turn attention to how they use the actionable insights they gain from the data and insights their process delivers. This is the next step in the strategic risk planning journey.
• Integrating strategic risk management with business strategy. The concept of integrated risk management (IRM) isn’t new, but organizations today are integrating strategic risk assessment and analysis more into their overall business strategy and planning.

Strategic decision and risk management approaches are increasingly interwoven, with risk management programs being used to inform the design and execution of business strategy. Again successfully doing this is contingent upon having the right processes in place and drawing on the data that these processes deliver to inform your decision-making.

How To Build a Strategic Risk Plan

What organizations really need to know, though, is how to build a plan to tackle strategic risk; what are the steps, what do best practices look like, and who should be involved?

6 Steps to Building a Strategic Risk Plan:

1. Define your business’s objectives and strategy. As above, some of your risks will stem from your strategic decisions; others may impact them. Identifying your strategy and aims is an essential first step.
2. Determine the measures you will use to monitor performance. How will you measure compliance with your strategic processes and progress towards your goals? Establish the performance indicators you will use to define success.
3. Identify the risks that may impact your ability to achieve the KPIs in step 2. What factors threaten your success? These could be internal, like the failure of a core piece of equipment, or external, like a breakdown in your supply chain.
4. Prioritize these risks; which are critical, and which can be circumvented? What tolerance is there to results outside of your ideal?
5. Put in place reporting that measures your strategic risks and response to them. Best practice reporting on governance, risk and compliance gives you the insight you need to defend your organization against strategic risk. Assess the processes, software and measures you have in place to gather this reporting and monitoring.
6. Revisit and refresh your plan regularly. Implementing a strategic risk plan isn’t a “one time” job but needs regular review, in tandem with strategic risk assessment. As internal processes and the external landscape evolve, so should your approach to mitigating and managing your strategic risks.

Follow these six steps, and you will be well on the road to adopting some best practices for strategic risk management.

The Board’s Role in Strategic Risk Management

According to Harvard Law School, strategic risk management is “a necessary core competency” for the board. Every company’s strategy includes an element of risk; the board plays a crucial role in working with the CEO to identify these risks, stress-test the strategy against them and ensure mitigation plans are in place. In a world of ever-increasing board accountability, directors have a responsibility to ensure that risk is considered as part of the business plan. But their role doesn’t end there. In his book, Owning Up: The 14 Questions Every Board Member Needs to Ask, business advisor and corporate governance expert Ram Charan says boards must also “watch for a toxic culture that enables ethical lapses throughout the organization.” Corporate culture plays a key role in strategic risk management and should be at the heart of any strategic risk assessment. The board is central to setting the organization’s cultural tone and building an ethos of compliance, ethics and good corporate behavior. Directors must put culture at the heart of any strategic risk management framework.

Strategic Risk Solutions

Tackling strategic risk requires a range of solutions, from the strategic, via the operational to the technological. It demands a board that takes the lead in building a culture of compliance. It requires a rigorous approach to monitoring and data, enabling you to capture the metrics you need to support strategic risk management. And your approach can be transformed by harnessing leading-edge technologies that provide a 360-degree view of the risks your organization faces. Keeping track of the risks you face can feel like a full-time job — and for busy directors, a huge challenge. But keeping abreast of upcoming regulatory change, shifts in political and economic landscapes, and best practices is vital for boards wanting to be proactive on strategic risk.

Stay Abreast of GRC Industry News and Insights

Signing up to Diligent’s GRC Newsletter gives you instant access to the latest insights, delivering a snapshot of current news and sharing examples of best practices in strategic risk mitigation. And you can read more about the issues and factors that underpin strategic risk management in our article on governance, risk and compliance.