
5 Steps to Effective Strategic Risk Management

Mike Rost
SVP, Investor Relations and Corporate Development
Published: September 21, 2020
Last Updated: April 25, 2023

Strategic risk management is a crucial, but often overlooked, aspect of enterprise risk management (ERM). Traditionally, ERM has focused on financial and operational risk. However, strategic risk is far more consequential.

Simply put, strategic risks are risks that a company takes that could potentially result in a major loss. 

A company that has superior and unmatched manufacturing processes will still fail if their consumers no longer want their products. This was the lesson that was learned by even the most efficient buggy whip makers once Henry Ford introduced his Model T in 1908. Cellphone handset manufacturers faced a similar crisis when the Apple® iPhone® arrived on the scene. 

Identifying strategic risks enables organizations to develop a strategic risk management approach that addresses the root cause and mitigates risk due to competition, market or industry changes, and other external risks such as changes in customer demand.

Strategic risk management is the process of identifying, quantifying, and mitigating any risk that affects or is inherent in a company’s business strategy, strategic objectives, and strategy execution. Types of strategic risks may include: 

  • Shifts in consumer demand and preferences

  • Legal and regulatory change

  • Competitive pressure

  • Merger integration

  • Technological changes

  • Senior management turnover

  • Stakeholder pressure

As industry expert James Lam says, strategic risk is the big stuff, and prioritizing strategic risk management means sweating the big stuff first. In other words, an effective strategic risk management framework will prioritize understanding the risks that your business faces to take the necessary steps to protect your assets and your business.

Strategic risk is a bell curve

Bell curve distribution of outcomes

Like any risk, strategic risk falls along a classic bell curve, with results along the x-axis and likelihood along the y-axis. The expected result of a given risk strategy would represent the peak of this curve. Most strategic risk planning considers only this peak while ignoring the slopes to either side.

But imagine two strategic risk initiatives, each with a similar expected result. One falls along a narrow, steep curve, indicating a low risk of failure and little upside opportunity. The other is represented by a wider bell, with greater chances of both under- and over-performance. Which to choose? The answer depends on an individual company’s appetite for risk.

Strategic risk management: shifting the curve

Now imagine a third curve with that same expected result. This one rises steeply from the left but slopes more gently downward on the right. Here, downside risk has been minimized, and upside opportunity increased. That is the goal of strategic risk management: to shape the curve in a way that favors success.

As the saying goes, you can't manage what you can't measure.

In order for us to understand how to manage strategic risk, we must first take a look at how to measure it. A key tenet of enterprise risk management (ERM) is measuring risk with the same yardsticks used to measure results. In this way, companies can calculate how much inherent risk their initiatives contain, monitoring risks to inform key business decisions. 

Strategic risk can be measured with two key metrics:

  1. Economic capital is the amount of equity required to cover unexpected losses based on a predetermined solvency standard. This standard is usually derived from the company's target debt rating. Economic capital is a common currency with which any risk can be quantified. Importantly, it applies the same methodology and assumptions used in determining enterprise value, making it ideal for strategic risk. 

  2. Risk-adjusted return on capital (RAROC) is the anticipated after-tax return on an initiative divided by its economic capital. If RAROC exceeds the company's cost of capital, the initiative is viable and will add value. If RAROC is less than the cost of capital, it will destroy value. 

Managing strategic risk involves five steps which must be integrated within the strategic planning and execution process in order to be effective:

  1. Define business strategy and objectives. There are several frameworks that companies commonly use to plan out strategy, from simple SWOT analysis to the more nuanced and holistic balanced scorecard. The one thing that these frameworks have in common, however, is their failure to address internal and external risk. It is crucial, then, that companies take additional steps to integrate risk management at the planning stage by using a risk management framework, which is a template and guideline used by companies to identify, eliminate and minimize risks.

  2. Establish key performance indicators (KPIs) to measure results. The best KPIs offer hints as to the levers the company can pull to improve them. Thus, overall sales makes a poor KPI, while sales per customer lets the company drill down for answers.

  3. Identify risks that can drive variability in performance. An effective risk strategy will identify the unknowns, such as future customer demand, that will determine results.

  4. Establish key risk indicators (KRIs) and tolerance levels for critical risks. Whereas KPIs measure historical performance, KRIs are forward-looking leading indicators intended to anticipate potential roadblocks. Tolerance levels serve as triggers for action.

  5. Provide integrated risk reporting and monitoring. Finally, companies must monitor results and KRIs on a continuous basis in order to mitigate risks or grasp unexpected opportunities as they arise.

Strategic risk represents the greatest dangers—and opportunities—your company faces. By taking steps to mitigate risk at the enterprise level, companies can shape their future success while minimizing downside exposure.

To learn more, download Strategic Risk Management: The Next Frontier for ERM.

Apple and iPhone are trademarks of Apple Inc., registered in the U.S. and other countries.

Editor's note: This blog post was originally published February 14, 2017, and has been updated.

About the Author
Mike Rost

SVP, Investor Relations and Corporate Development


As senior vice president of corporate development and investor relations, Mike Rost is a key contributor to the organization's growth with a focus on corporate development initiatives, emerging business areas, and developing relationships with investors and key stakeholders. Since joining Workiva in 2015, he has served in various leadership roles helping to drive the organization's growth, including the scaling of Workiva’s marketing and partner & alliance functions.

With more than 25 years of experience assisting organizations to optimize business processes, Mike has an extensive background in finance, accounting, enterprise performance management and Governance, Risk and Compliance (GRC) technology. Prior to Workiva, Mike served as vice president of marketing at Metricstream and vice president of strategic marketing at Thomson Reuters. Prior to that, he spent more than a decade in product management and marketing positions for SaaS companies and held finance positions at Pillsbury and Rollerblade, Inc.

Mike has been active in industry associations, including the Open Compliance and Ethics Group (OCEG) and the Institute of Internal Auditors (IIA). He was also a founding member of XBRL International (eXtensible Business Reporting Language), the global not for profit consortium for open international standards for digital business reporting. He has also been a frequent speaker at industry conferences on subjects such as finance transformation, data and reporting, and risk and compliance technology. He received his Bachelor of Science in Economics and his MBA from the University of Minnesota.

