Strategy and Risk is like dealing with two sides of the same coin
Enterprise Risk Management (ERM) encompasses many components, one of which is Corporate Strategic Risk Management (CSRM), but CSRM often does not show up as anything more than a blip on the radar because some organisations may confuse it with operational risk. One strategy expert explained it thus: “Good operations means doing things right; good strategy means doing the right things.” But what does it actually mean? In a nutshell, strategic risk arises when an organisation does not adequately consider what the unanticipated can mean to its sustainability. Corporate strategy is at risk, for instance, when the company does not include in its planning the possibility that its market will not want its products.
With the advent of the digital camera, for example, the need for film declined, as did the need for the chemicals and services needed to develop photographs from film. When a company looks at strategic risk management, it has to identify the risks that may eventuate and think about what strategies to apply to mitigate them. It goes without saying that this is an unenviable job because there are as many risks as there are companies in the business environment. Besides changes in demand for goods, other risks could be anything from changes to legal and statutory requirements, advances in technology and increased market competition, to labour shortages, unkind press reports or even the death of the company’s founder.
In today’s business environment, risk is a given. There is no business completely without risk of some kind. Identifying, assessing and mitigating risk is no longer a luxury that only larger businesses can afford, but a necessity if even the smaller ones want to remain a going concern. Managing strategic risk therefore encompasses formulating what action is necessary in the face of the challenges the business must come to grips with, in addition to running it. It is important to understand that risks are not exclusively related to operations but extend to the organisation’s competitiveness, sustainability and growth. Faced with a task of this magnitude, where does the person in charge of risk start?
The conversation about corporate strategic risk management has to start at the top – which means that the Chief Risk Officer, under whose purview risk falls, will have to broach the subject with the Board, if it has not already been broached. It will be helpful if the CRO already has an idea of where the organisation’s risks lie, but for that, she/he will have to have a thorough understanding of the business to begin with. But where to start? With measurement – because what can be measured, can be managed, and corporate strategic risk management is nothing if not about managing how the corporation runs, and keeping it running.
What should be measured, in order to be managed? First, identify the current business strategy, if any, and how it is aligned to the objectives of the organisation. Key performance indicators (KPIs) can be instituted as a means of measurement. Identify risks using an objective-centric approach, and prioritise them. Get the conversation going about how well the organisation can tolerate risk, i.e., identify its risk appetite, and determine the point at which it should not be exceeded. It is worth noting that not all risk needs to be measured; strategic risks are usually those risks which present the biggest threat to the organisation and are a significant barrier to the achievement of its objectives.
The biggest threats to any organisation are probably those which will cause it to lose value, or lose its ability to create value, thereby jeopardising the investment of shareholders. Some threats, of course, will be totally beyond the control of the organisation, but some, if appropriately anticipated, may be successfully mitigated – provided they have been identified and properly assessed. Having identified what constitutes risk to the organisation, how should an assessment be made? This needs to be done by a competent Senior Management Team, supported by a qualified Chief Risk Officer, and reported to the Board. In fact, at Board level, strategic risk management should be a core competency because strategy, and all elements pertaining to it, are the responsibility of the Board.
It is the Board that should determine if the risks confronting the organisation are being adequately addressed because it is ultimately answerable to the company’s shareholders. There should also be the understanding that while risks tend to be viewed as dangerous or undesirable, there is nevertheless a positive side to them. In fact, higher risk can mean higher returns which in turn create more value for the company – but whether the company can tolerate the higher risk of failure which is inevitable with riskier ventures, will depend on its risk appetite, tolerance and capacity. Again, this is something only the Board can determine.
Throughout the process of corporate strategic risk management, those involved will become aware that there are many areas that actually remain grey, despite their best efforts to clarify them. This, too, can be expected but the upside to it is that the problem itself has been identified, which can partially mitigate the disruption that may ensue should the risk event actually occur. The most important thing for an organisation which desires effective corporate strategic risk management is to understand itself, and be transparent about it.