At its core, strategic risk management is about examining the organisation’s strategy for any risks that may affect it, how to mitigate them and to identify and manipulate opportunities arising. In the process, strategic risk management has to look at a multitude of issues, including the firm’s current business strategy, market trends, internal and external factors – and how business may be affected as a result of risks related to any of these.
There needs to be a holistic process to deal with the management of strategic risk because it has a long-term effect on the viability of the business. Strategic risk is not in itself a source of risk. Rather, it is a result of risk, and is quite similar to reputational risk in that respect. With reputational risk, even minor issues can blow up and adversely affect both the firm’s reputation, and the confidence of stakeholders in its management. Strategic risk identifies and assesses the risks which could impede the organisation from attaining its strategic objectives.
As the firm identifies and assesses the risks that it faces, it can strategise how to manage them in parallel by evaluating a range of events and scenarios which impact on the business. These risks could be anything from financial to supply chain risk, or anything else. In the process of identification, the firm also has to determine what levels of risk it wants to bear. No business is completely without risk; this is universally accepted.
Varied perspectives are necessary as strategic risk management involves analysis of how internal and external events impact the organisation. As such, data collection and feedback from as many parties as possible is desirable in its formulation and implementation. The process of obtaining data and feedback to strengthen and continually realign the organisation’s strategy – and therefore its strategic risk – should be an ongoing one and should, as far as possible, be embedded or integrated into the organisation’s operations. In an increasingly complex environment, the need for constant close monitoring and re-evaluation has grown critical.
Regulatory requirements, the speed of change and variability of conditions all increase risk, and make structured risk management a necessity. Regardless of all this, compliance and the need to follow regulatory guidelines is critical. Strategic risk management deals with risks in a holistic way and is intended to ensure that the company’s strategy remains relevant and effective. Firms also should be aware that strategy risks are not undesirable. High risks bring high returns; the company may take on significant risk, but with appropriate risk management strategies in place, it may be able to leverage on lucrative opportunities.
Strategic risk management is also about smooth operationalisation and stakeholder satisfaction; stakeholders include staff, regulators and other interest groups in the wider community. Not only does the firm need to anticipate the different requirements of each stakeholder group, it needs to provide proper documentation of the course of action it has taken or intends to take, to demonstrate its commitment. It must thus consider the risks inherent in the strategy it is formulating, and how these will play out in the operationalisation process. Strategic risk should be managed through a risk management system which identifies and mitigates the risk, or improves the company’s ability to contain it, should an untoward event occur. A business which is unable to manage its strategic risks will fail if those risks materialise and will be unable to leverage on any opportunities arising.
Probability, impact and velocity figure largely in these deliberations. Velocity, especially, is gaining in importance and prominence; the organisation may find itself having to choose between a smaller loss over a short period, or a larger one over a longer period when determining its strategy.
The decision will depend on its risk appetite and risk tolerance, i.e., how much risk the organisation is willing and able to take on. The organisation’s risk appetite is influenced to a great extent by the environment it operates in, including its own culture and its competitive landscape. The firm needs to steer a path between being overly risk-averse and conservative, and missing out on potentially lucrative opportunities. Not all risk is bad; sometimes taking risks can lead to positive outcomes, thus increasing the value of the firm.
Harmonisation of strategies across the organisation is another area for close consideration. What may work for one business unit may not be as effective for another. Also, there may be existing effective business strategies that need to be aligned newly-formulated ones. An organisation’s strategy should not remain static. Environments are dynamic, and strategies should be formulated to allow the organisation to pivot accordingly to meet its ever-changing challenges.
Strategic risk management is an ongoing process; it has to be constantly aligned (or realigned) to be effective. Together with this alignment, a deep understanding of the needs of the organisation and engagement with the organisation’s stakeholders should be developed. Risk can have far-reaching, unanticipated, ripple or knock-on effects that reverberate for a long time; hence the need for constant monitoring. Strategy is intended to achieve certain levels of performance. Measurement of this performance will indicate the effectiveness of the strategy, and show where adjustments need to be made.
As much as formulating strategy for the organisation is the province of the Board, the level of its success is also tempered by the kind of culture which exists in the organisation. While the people in the organisation – and its stakeholders – need to support its efforts, they need to be convinced by the tone at the top, and to see the Board and senior management “walking the talk.” The focus of culture is core values; these same values must permeate throughout the firm, and there should be channels for staff and stakeholders to express their dissatisfaction.
An organisation’s strategies are customised after taking into account its particular needs; its strategic risk management has to be set in place likewise. Processes that facilitate this will require monitoring and evaluation, realignment and readjustment. The Board provides oversight over the objectives and direction of the organisation, and therefore its strategic planning and decision-making processes need to be robust. Automating some strategic risk management processes may be helpful for tracking business performance, testing decisions and providing information in real time to help in decision-making. Human error may be reduced, and documentation can be made more robust. But for long-term effectiveness, strategic risk management has to be embedded in the structure of the organisation and its functions, right from the initial development stage.
Anything that threatens an organisation’s strategic objectives can be considered a strategic risk. The reasons for implementing strategic risk management should therefore be communicated to all stakeholders; staff should be trained and encouraged to apply measures that will help mitigate or monitor risks as a means of empowerment. Existing processes and procedures should be reviewed for suitability, and updated or upgraded accordingly. Results of monitoring, analysis and feedback should be carefully considered; and a close eye kept on the system so that quick changes and adjustments can be made when necessary.
Good strategic risk management means doing the right things from the beginning. Organisations should implement KPIs to measure results and further inform their future decisions. They should apply KRIs so that risk events may be identified in the future, and mitigative efforts inserted where required. It may be the case that management is “too close” to certain risk, and fail to notice them; external perspectives are therefore helpful. Other areas to take cognisance of include market trends; competitors’ moves; even geopolitical or socio-political shifts, particularly if there are subsidiaries operating in other jurisdictions.
Many businesses fail to assess their exposure to strategic risk appropriately. Preoccupied with managing, firms often overlook the necessity of expending the effort to do a thorough strategic risk assessment. Strategic risk management is critical in the light of increasing globalisation, and an increasingly competitive environment. Some risks should be avoided because the firm may not be able to tolerate the impact but some should be explored in depth because of their potential value. Either way, the firm’s strategy needs to be managed from the outset, so that negative outcomes may be avoided or at least be less detrimental to the ultimate value of the firm.
