5 Steps to Effective Strategic Risk Management
Strategic risk management is a crucial, but often, overlooked aspect of enterprise risk management (ERM). Traditionally, ERM has focused on financial and operational risk. However, the fact is that strategic risk is far more consequential.
What is strategic risk?
Simply put, strategic risks are risks that a company takes that could potentially result in a major loss.
A company that has superior and unmatched manufacturing processes will still fail if their consumers no longer want their products. This was the lesson that was learned by even the most efficient buggy whip makers once Henry Ford introduced his Model T in 1908. Cellphone handset manufacturers faced a similar crisis when the Apple® iPhone® arrived on the scene.
What is strategic risk management?
Strategic risk management is the process of identifying, quantifying, and mitigating any risk that affects or is inherent in a company’s business strategy, strategic objectives, and strategy execution. These risks may include:
- Shifts in consumer demand and preferences
- Legal and regulatory change
- Competitive pressure
- Merger integration
- Technological changes
- Senior management turnover
- Stakeholder pressure
Strategic risk is a bell curve
Like any risk, strategic risk falls along a classic bell curve, with results along the x-axis and likelihood along the y-axis. The expected result of a given strategy would represent the peak of this curve. Most strategic planning considers only this peak while ignoring the slopes to either side.
But imagine two strategic initiatives, each with a similar expected result. One falls along a narrow, steep curve, indicating a low risk of failure and little upside opportunity. The other is represented by a wider bell, with greater chances of both under- and over-performance. Which to choose? The answer depends on an individual company’s appetite for risk.
Strategic risk management: shifting the curve
Now imagine a third curve with that same expected result. This one rises steeply from the left but slopes more gently downward on the right. Here, downside risk has been minimized, and upside opportunity increased. That is the goal of strategic risk management: to shape the curve in a way that favors success.
How do you measure and manage strategic risk?
As the saying goes, you can't manage what you can't measure.
In order for us to understand how to manage strategic risk, we must first take a look at how to measure it. A key tenet of enterprise risk management (ERM) is measuring risk with the same yardsticks used to measure results. In this way, companies can calculate how much inherent risk their initiatives contain.
Strategic risk can measured with two key metrics:
- Economic capital is the amount of equity required to cover unexpected losses based on a predetermined solvency standard. This standard is usually derived from the company's target debt rating. Economic capital is a common currency with which any risk can be quantified. Importantly, it applies the same methodology and assumptions used in determining enterprise value, making it ideal for strategic risk.
- Risk-adjusted return on capital (RAROC) is the anticipated after-tax return on an initiative divided by its economic capital. If RAROC exceeds the company's cost of capital, the initiative is viable and will add value. If RAROC is less than the cost of capital, it will destroy value.
Five steps to becoming effective
Managing strategic risk involves five steps which must be integrated within the strategic planning and execution process in order to be effective:
- Define business strategy and objectives. There are several frameworks that companies commonly use to plan out strategy, from simple SWOT analysis to the more nuanced and holistic balanced scorecard. The one thing that these frameworks have in common, however, is their failure to address risk. It is crucial, then, that companies take additional steps to integrate risk at the planning stage.
- Establish key performance indicators (KPIs) to measure results. The best KPIs offer hints as to the levers the company can pull to improve them. Thus, overall sales makes a poor KPI, while sales per customer lets the company drill down for answers.
- Identify risks that can drive variability in performance. These are the unknowns, such as future customer demand, that will determine results.
- Establish key risk indicators (KRIs) and tolerance levels for critical risks. Whereas KPIs measure historical performance, KRIs are forward-looking leading indicators intended to anticipate potential roadblocks. Tolerance levels serve as triggers for action.
- Provide integrated reporting and monitoring. Finally, companies must monitor results and KRIs on a continuous basis in order to mitigate risks or grasp unexpected opportunities as they arise.
Strategic risk represents the greatest dangers—and opportunities—your company faces. By taking steps to manage it at the enterprise level, companies can shape their future success while minimizing downside exposure.
To learn more, download Strategic Risk Management: The Next Frontier for ERM.
Apple and iPhone are trademarks of Apple Inc., registered in the U.S. and other countries.
Editor's note: This blog post was originally published February 14, 2017, and has been updated.
About the Author
Mike Rost is a key contributor to product strategy at Workiva and works with business leaders in the areas of financial reporting and compliance. With more than 25 years of experience assisting organizations using technology to optimize business processes, Mike has an extensive background in finance and accounting, corporate performance management, and GRC technology. Mike was a founding member of XBRL International with involvement in the XBRL initiative dating back to 1999. He has also been active in industry associations, including the Open Compliance and Ethics Group (OCEG) and the Institute of Internal Auditors (IIA). Mike has a bachelor's degree in economics and an MBA in marketing and finance from the University of Minnesota.