5 steps to effective strategic risk management
Strategic risk management is a crucial but often overlooked aspect of enterprise risk management (ERM). While ERM has traditionally focused on financial and, more recently, operational risk, the fact is that strategic risk is far more consequential.
Studies of the largest public companies indicate that strategic risks account for approximately 60 percent of major declines in market capitalization. Operational risks have just half that impact (about 30 percent), and financial risks generate about 10 percent.1
Why do many ERM programs seem to stand these priorities on their heads? Part of the reason is ERM’s roots in corporate finance, but it is also true that until recently, strategic risks were difficult to measure, not to mention evaluate, against one another on an apples-to-apples basis.
What is strategic risk?
It may be easiest to describe strategic risk by what it is often confused with—operational risk. Good operations mean doing things right, while good strategy means doing the right things. Strategic risk arises when a company fails to anticipate the market’s needs in time to meet them.
A company that has unmatched manufacturing processes will still fail if consumers no longer want its products. That was the lesson even the most efficient buggy whip makers learned once Henry Ford introduced the Model T in 1908. Cellphone handset makers faced a similar existential crisis when the Apple® iPhone® arrived on the scene.
What is strategic risk management?
Strategic risk management is the process of identifying, quantifying, and mitigating any risk that affects or is inherent in a company’s business strategy, strategic objectives, and strategy execution. These risks may include:
- Shifts in consumer demand and preferences
- Legal and regulatory change
- Competitive pressure
- Merger integration
- Technological changes
- Senior management turnover
- Stakeholder pressure
Strategic risk is a bell curve
Like any risk, strategic risk falls along a classic bell curve, with results along the x-axis and likelihood along the y-axis. The expected result of a given strategy would represent the peak of this curve. Most strategic planning considers only this peak while ignoring the slopes to either side.
But imagine two strategic initiatives, each with a similar expected result. One falls along a narrow, steep curve, indicating a low risk of failure and little upside opportunity. The other is represented by a wider bell, with greater chances of both under- and over-performance. Which to choose? The answer depends on an individual company’s appetite for risk.
Strategic risk management: shifting the curve
Now imagine a third curve with that same expected result. This one rises steeply from the left but slopes more gently downward on the right. Here, downside risk has been minimized, and upside opportunity increased. That is the goal of strategic risk management: to shape the curve in a way that favors success.
Measuring and managing strategic risk
As the saying goes, you can’t manage what you can’t measure. So, in order to understand how to manage strategic risk, we will begin by examining how to measure it. A key tenet of ERM is measuring risk with the same yardsticks used to measure results. In this way, companies can calculate how much inherent risk their initiatives contain.
Strategic risk can be measured with two key metrics:
- Economic capital is the amount of equity required to cover unexpected losses based on a predetermined solvency standard. Typically, this standard is derived from the company’s target debt rating. Economic capital is a common currency with which any risk can be quantified. Importantly, it applies the same methodology and assumptions used in determining enterprise value, making it ideal for strategic risk.
- Risk-adjusted return on capital (RAROC) is the anticipated after-tax return on an initiative divided by its economic capital. If RAROC exceeds the company’s cost of capital, the initiative is viable and will add value. If RAROC is less than the cost of capital, it will destroy value.
Managing strategic risk involves five steps which must be integrated within the strategic planning and execution process in order to be effective:
- Define business strategy and objectives.There are several frameworks that companies commonly use to plan out strategy, from simple SWOT analysis to the more nuanced and holistic Balanced Scorecard. The one thing that these frameworks have in common, however, is their failure to address risk. It is crucial, then, that companies take additional steps to integrate risk at the planning stage.
- Establish key performance indicators (KPIs) to measure results. The best KPIs offer hints as to the levers the company can pull to improve them. Thus, overall sales makes a poor KPI, while sales per customer lets the company drill down for answers.
- Identify risks that can drive variability in performance. These are the unknowns, such as future customer demand, that will determine results.
- Establish key risk indicators (KRIs) and tolerance levels for critical risks. Whereas KPIs measure historical performance, KRIs are forward-looking leading indicators intended to anticipate potential roadblocks. Tolerance levels serve as triggers for action.
- Provide integrated reporting and monitoring. Finally, companies must monitor results and KRIs on a continuous basis in order to mitigate risks or grasp unexpected opportunities as they arise.
Strategic risk represents the greatest dangers—and opportunities—your company faces. By taking steps to manage it at the enterprise level, companies can shape their future success while minimizing downside exposure. To learn more, download Strategic Risk Management: The Next Frontier for ERM.
1Lam, James. (2014). Enterprise Risk Management: From Incentives to Controls, Second Edition. Hoboken, NJ: Wiley.
Apple and iPhone are trademarks of Apple Inc., registered in the U.S. and other countries.
About the Author
Mike Rost is a key contributor to product strategy at Workiva and works with business leaders in the areas of financial reporting and compliance. With more than 25 years of experience assisting organizations using technology to optimize business processes, Mike has an extensive background in finance and accounting, corporate performance management, and GRC technology. Mike was a founding member of XBRL International with involvement in the XBRL initiative dating back to 1999. He has also been active in industry associations, including the Open Compliance and Ethics Group (OCEG) and the Institute of Internal Auditors (IIA). Mike has a bachelor's degree in economics and an MBA in marketing and finance from the University of Minnesota.