This is how ERM supports Strategy and Performance
Organisations need to have a risk-informed strategy; it should be a board priority. “It is critical to align the organisation’s risk management with strategy,” stated Ramesh Pillai, the IERP®’s Chairman, at a recent Tea Talk. Stressing that the alignment should be from an objective-centric perspective, he emphasised that organisations needed to fully embrace the duality of strategy, balancing tactical aspects as they balanced their short-term goals against long-term considerations. These needed to be in sync and required a resilient strategy focusing on delivering performance results and enabling long-term viability while leveraging risk insights gained through ERM.
Risk-taking is fundamental to economic reward; the higher the risk, the higher the reward. The challenge or opportunity is to recognise which risks offer the greatest potential to impact business outcomes, and to understand how these risks can drive value creation to obtain long-term viability. Four fundamental questions to ask are:
- Are we taking the right risks, i.e., risks that create value?
- Which strategic risks should be accepted, and which should be avoided?
- Has capital been allocated on a risk-adjusted basis to optimise finite resources?
- Are we taking the right amount of risk, and are we getting appropriate returns?
People are starting to realise that the C-Suite has a big role to play, and the C-Suite is beginning to realise the importance of the contribution of ERM to the overall process. But many conventional ERM programmes tend to be disjointed from strategic planning; there is a lack of risk opportunity discipline and integrated performance focus. Unfortunately, this disconnect means that ERM is not well-positioned to add organisational value by informing decision-making. “ERM programmes have been stunted because of disconnects in terms of capability, understanding and awareness,” Ramesh said. “We need to ensure that the organisation’s goals and objectives are harmonised.”
While most companies may maintain conventional ERM practices, these offer limited, little or no value. Risk managers need to be informed, capable and have better and relevant tools at their disposal, Ramesh said. They also need proper education, certification in risk management, networks and support. He remarked that chief strategy officers and chief finance officers may not understand or realise that ERM is positioned to help the business run the business. “The people responsible for implementing it need to up their game,” he advised. “They need to utilise ERM better and more efficiently, and show that ERM has value.”
The role of ERM is to create and protect value but most risk managers tend to look at ERM as being only about value protection. Transformative action is needed to shift from just protecting value to a strategic ‘grow and protect’ approach. “Risk management is an offensive strategic tool to move the organisation forward and create value,” Ramesh said. “When developing a risk management framework, various categories need to be understood – upside risk, outside risk and downside risk.” Upside risks include innovation, technology or expansion to new markets; they are different from downside risks because they are not inherently undesirable.
“A strategy with high expected returns generally requires us to take upside strategic risks,” he continued. “Effective management of those risks is critical to capture their potential gains. When you take higher risks, it doesn’t mean that you will automatically get higher returns with no potential downside. We take the higher risks because we want to get the higher returns but we need to manage the downside.” But upside risks cannot be managed through a rules-based control framework. The approach to managing these risks requires the proper and effective selection of risk, for instance strategic risks that include how to improve the organisation’s ability to manage risk events which occur.
Outside risks originate from outside the organisation and are beyond the firm’s control; some examples of outside risks are competition, legislation and natural disasters. “You cannot affect the likelihood but you can influence the potential impact or outcome of these,” he said. The way that outside risks are mitigated can give rise to opportunities. Opportunity arises from the management of risk. A slightly different approach should be applied, that may include scenario analysis and stress testing. Downside risks are generally internal risks that should be eliminated or avoided. Some examples are fraud, cybersecurity, regulatory non-compliance etc.
“The approach to managing these risks comes through active prevention and designing the controls to mitigate these risks,” he said. “It also provides structured monitoring of the threat level of the identified preventable risks.” Many leading organisations recognise shortfalls in their risk identification; subsequently, they try to educate themselves on upside and outside risks in order to leverage on these, i.e., convert unknowns into strategic opportunities. More companies are also realising that outside risks can threaten their existence although these may originate completely outside their environment.
Even so, only a few manage outside threats with rigour; most fail to recognise the forces of risk that can potentially affect their businesses. Ramesh remarked that there were many tools that could help with threats. “Most organisations focus only on outside risks that seem obvious to them,” he said. “They fail to recognise the full universe of risks which could potentially affect their business.” Systems that are developed should be able to ‘slice and dice’ and apply advanced analytics to support strategic decision-making. He cited an example of how one ERM team brought strategically useful information to the table.
This resulted in the permanent placement of the risk management agenda within strategic planning. “We need to find a way to move our organisations’ mindsets along the same lines,” he urged. “The measurement part is not so much about calculation or mathematics. It is about data analysis. People want to see if you can back up your decisions with useful or relevant information.” They are also talking about how strategic decisions are made and how these are linked to enhanced risk measurement. Having ERM in strategy will encompass not just a volume of management threats but also maximise value creation to enhance business performance and future resource allocations.
In turn, this will enable a better understanding of the relationship between performance drivers and the associated range of scenarios influenced by these risk drivers. A performance framework may then be developed which aligns risk and opportunities with the organisation’s strategic imperatives. Ramesh pointed out that people had now reached a level of maturity where they could understand the huge benefits of ERM, provided it was done properly. In addition to considering tangible costs when talking about cost benefit, they were also considering reputational damage, and viewing it as a cost.
Ramesh advocated using risk-reward from a wider perspective as it allowed the organisation to view the full range of potential detrimental impacts that could affect the business. “Having ERM helps you move towards the risk-reward consideration instead of the basic cost benefit consideration,” he pointed out, stressing that the advantage of applying this approach was that decision-making processes would be affected and influenced by the impacts of those decisions through a performance lens. Even so, the relationship between strategic roles, underlying value drivers and risk factors was not clearly understood, not even at board level.
“Selected risk response strategies typically tend to ignore the organisation’s risk appetite and tolerances,” he explained. “This misalignment means that the greatest potential impact through strategic initiatives or competitive viability of the business model may result in the loss of competitive advantage.” Additionally, risk appetite had to be linked to strategy because risk appetite and tactical delivery needed to be aligned with strategic intent. Organisations need ERM to inform business decision-making using data and metrics; they need to move away from qualitative to quantitative analysis when it comes to ERM.
“At the ERM level, risk professionals must help the organisation understand and analyse the risk drivers in relation to the strategic objectives,” he advised. “Strategic ERM adds value, and must help organisations identify the key metrics, financial or otherwise, and focus targeted mitigation strategies in order to reduce or minimise the volatility relating to business outcomes and financial performance.” Urging the reduction of uncertainty as much as possible, he cautioned nevertheless that uncertainty cannot be eliminated because it is part of risk-taking, but attempts should be made to control it. Organisations should start with strategic business objectives.
He suggested building a performance driver structure focusing on each strategic objective with measurements, for a more structured approach leveraging on key metrics. Appropriate risk quantification techniques and strategies will allow proper identification of critical sources of volatility that could adversely impact strategic objectives and performance outcomes. “Better risk integration gives better benefits,” he stressed. “For companies to fully leverage the benefits of risk management, they need to understand how all this quantitative information is integrated into strategic planning, and how decisions are made.
ERM must be properly and seamlessly integrated as an input and output within these existing business planning routines. Business planning routines such as strategic and annual planning – often referred to as the ‘rhythm of the business’ – serve as the conduit of how business makes capital and resource allocation decisions. Professional risk managers need to get involved in strategic management, planning and the deliverability of processes but they need to be part of the team, and must first bring value to the table. “Our processes need to add value,” he advised. “This will enhance the accuracy of risk management analysis and strengthen the overall oversight of risk across the organisation.”
Because of a constantly-evolving environment, organisations have to develop more resilient, risk-informed strategies focused on delivering performance results and enabling long-term viability. They need to understand how upside and outside risks affect strategic goals and objectives, and leverage risk measurement to make better informed decisions, including how to allocate scarce resources. “The biggest risk is ignoring risk,” Ramesh cautioned. “If we don’t develop and implement such risk-informed strategy, the organisation will be in a very precarious position. It will not be able to see the dangerous risks before they hit. The whole point of risk management is to anticipate the risk.”
Simultaneously, the firm could miss out on potential opportunities that exist within outside risks, which could bring about game-changing transformation and increase its competitive advantage. “Risk is anything which prevents us from achieving our objectives,” he said. “What happens if you achieve your objectives? You achieve your performance. Effective risk management is a critical enabler of effective performance management. Similarly, if you want to achieve your ultimate objective, which is essentially your vision, mission, strategies and objectives, you need to ensure that the strategy is aligned. ERM is an enabler of performance and strategy.”