5 Steps to Effective Strategic Risk Management

Strategic risk management is a crucial, but often overlooked, aspect of enterprise risk management (ERM). Traditionally, ERM has focused on financial and operational risk. However, the fact is that strategic risk is far more consequential. 

What is strategic risk? 

Simply put, strategic risks are risks that a company takes that could potentially result in a major loss. 

A company that has superior and unmatched manufacturing processes will still fail if their consumers no longer want their products. This was the lesson that was learned by even the most efficient buggy whip makers once Henry Ford introduced his Model T in 1908. Cellphone handset manufacturers faced a similar crisis when the Apple® iPhone® arrived on the scene. 

Identifying strategic risks enables organizations to develop an effective strategic risk management strategy to effectively combat the root cause and mitigate risk due to competition, market or industry changes, and other external risks such as changes in customer demand.

What is strategic risk management? 

Strategic risk management is the process of identifying, quantifying, and mitigating any risk that affects or is inherent in a company’s business strategy, strategic objectives, and strategy execution. Types of strategic risks may include: 

• Shifts in consumer demand and preferences

• Legal and regulatory change

• Competitive pressure

• Merger integration

• Technological changes

• Senior management turnover

• Stakeholder pressure

As industry expert James Lam says, strategic risk is the big stuff, and prioritizing strategic risk management means sweating the big stuff first. In other words, an effective strategic risk management framework will prioritize understanding the risks that your business faces to take the necessary steps to protect your assets and your business.

Strategic risk is a bell curve

Like any risk, strategic risk falls along a classic bell curve, with results along the x-axis and likelihood along the y-axis. The expected result of a given risk strategy would represent the peak of this curve. Most strategic risk planning considers only this peak while ignoring the slopes to either side.

But imagine two strategic risk initiatives, each with a similar expected result. One falls along a narrow, steep curve, indicating a low risk of failure and little upside opportunity. The other is represented by a wider bell, with greater chances of both under- and over-performance. Which to choose? The answer depends on an individual company’s appetite for risk.

Strategic risk management: shifting the curve

Now imagine a third curve with that same expected result. This one rises steeply from the left but slopes more gently downward on the right. Here, downside risk has been minimized, and upside opportunity increased. That is the goal of strategic risk management: to shape the curve in a way that favors success.

How do you measure and manage strategic risk? 

As the saying goes, you can't manage what you can't measure.

In order for us to understand how to manage strategic risk, we must first take a look at how to measure it. A key tenet of enterprise risk management (ERM) is measuring risk with the same yardsticks used to measure results. In this way, companies can calculate how much inherent risk their initiatives contain, monitoring risks to inform key business decisions. 

Strategic risk can measured with two key metrics: 

1. Economic capital is the amount of equity required to cover unexpected losses based on a predetermined solvency standard. This standard is usually derived from the company's target debt rating. Economic capital is a common currency with which any risk can be quantified. Importantly, it applies the same methodology and assumptions used in determining enterprise value, making it ideal for strategic risk. 

2. Risk-adjusted return on capital (RAROC) is the anticipated after-tax return on an initiative divided by its economic capital. If RAROC exceeds the company's cost of capital, the initiative is viable and will add value. If RAROC is less than the cost of capital, it will destroy value. 

Five steps for Effective Risk Mitigation Strategies

Managing strategic risk involves five steps which must be integrated within the strategic planning and execution process in order to be effective:

1. Define business strategy and objectives. There are several frameworks that companies commonly use to plan out strategy, from simple SWOT analysis to the more nuanced and holistic balanced scorecard. The one thing that these frameworks have in common, however, is their failure to address internal and external risk. It is crucial, then, that companies take additional steps to integrate risk management at the planning stage by using a risk management framework, which is a template and guideline used by companies to identify, eliminate and minimize risks.

2. Establish key performance indicators (KPIs) to measure results. The best KPIs offer hints as to the levers the company can pull to improve them. Thus, overall sales makes a poor KPI, while sales per customer lets the company drill down for answers.

3. Identify risks that can drive variability in performance. An effective risk strategy will identify the unknowns, such as future customer demand, that will determine results.

4. Establish key risk indicators (KRIs) and tolerance levels for critical risks. Whereas KPIs measure historical performance, KRIs are forward-looking leading indicators intended to anticipate potential roadblocks. Tolerance levels serve as triggers for action.

5. Provide integrated risk reporting and monitoring. Finally, companies must monitor results and KRIs on a continuous basis in order to mitigate risks or grasp unexpected opportunities as they arise.

Strategic risk represents the greatest dangers—and opportunities—your company faces. By taking steps to mitigate risk at the enterprise level, companies can shape their future success while minimizing downside exposure.

To learn more, download Strategic Risk Management: The Next Frontier for ERM.

Apple and iPhone are trademarks of Apple Inc., registered in the U.S. and other countries.

Editor's note: This blog post was originally published February 14, 2017, and has been updated.