10 lessons for integrating risk management with strategy

Organizations are better equipped to be successful in strategic initiatives when risk considerations are embedded.

June 5, 2014
by Neil Amato

Reliable traffic cameras are a great way for commuters to integrate risk management into strategy—in this case, the strategy of getting to work on time. A quick look online or a glance at the morning news, and a commuter is able to assess the situation and pick the best path. The driver who unwarily gets in the car, assuming that the go-to route is going to be traffic-free, is bound to encounter serious delays more often than the strategic commute manager.

The importance of what we don’t know is one lesson for integrating risk with strategy. Jim DeLoach, managing director at business consulting firm Protiviti, spoke recently about enterprise risk management and focused on 10 lessons:

  1. What we don’t know may be more important than what we do know. Adaptability is a key trait for organizations in an ever-changing environment. Companies should be aware of, to name a few obstacles and opportunities, the potential impact of disruptive technology, demographic changes, and even large-scale weather events. Focusing on the unknown, DeLoach said, requires a process. An organization should define the assumptions it has made based on management’s view of the expected business environment during the planning horizon and then consider the impact of one of those assumptions changing. The organization should then discuss the plausible scenarios and the extreme ones that could affect those assumptions, DeLoach wrote in a Protiviti bulletin. This analysis helps identify what needs to be monitored to detect changes in the environment that could render one or more critical assumptions invalid.

  2. Sooner or later, something fundamental in your business will change. DeLoach cited the example of Borders, the bookstore that filed for bankruptcy in 2011. He mentioned the company’s belief, in its annual report for the fiscal year ended Jan. 25, 2004, that it could continue to grow brick-and-mortar stores domestically and internationally. Instead, it fell behind when it failed to invest heavily in online sales or digital readers as Barnes & Noble, which developed the Nook e-reader, did. Organizations face extinction if they do not embrace change.

  3. Failure to attain “early-mover status” can threaten an organization’s viability. Companies “fall so in love with their business model and strategy” that they are too late when trying to change, DeLoach said. Companies that tend to be comfortable with the status quo fail to recognize and react to their market changes. Early movers not only stay abreast of risks but jump at opportunities.

  4. Reputation is a precious asset—lose it, and it’s game over. Companies have more at stake these days, and they have more and faster ways to suffer dents to their reputation. More than three-quarters of respondents in a 2013 CGMA survey said businesses were putting more focus on reputational risk than in the past. What many agree on is this: Sooner or later, your organization will experience a hit to its reputation. The key is being ready for such an event.

  5. Occasionally, a contrarian voice is needed at a crucial moment. Do you have one? Some financial institutions could have used more contrarian voices around 2007, or they could have listened better. The full-speed-ahead mentality won out over those who saw trouble ahead. DeLoach recommended a clearly defined role for the risk management or compliance functions in terms of how they interact with business lines, management, and the board of directors.

  6. Every organization can expect to be tested eventually. Are you ready? Where applicable, organizations need to think about their value chains when formulating risk management practices. For example, looking “upstream” to suppliers and “downstream” to customers can help assess potential disruptions. Among the questions organizations should ask: Have our key suppliers performed their own risk assessments? Do they have effective plans for taking corrective action in times of disaster?

  7. Managing a single view of the future can be a fool’s errand. Similar to listening to the contrarian voice, organizations shouldn’t rely on a narrowly interpreted version of the future. Scenario planning is vital to coping with uncertainty. DeLoach said executives should avoid overconfidence based on previous success. Past performance, as the disclaimer goes, is no guarantee of future success.

  8. Managing the tension between creating and protecting enterprise value is the toughest risk management task. While sticking with the status quo can be troublesome, so, too, can taking too many risks. Organizations must be aware of their risk appetite before pursuing new opportunities, balancing entrepreneurial and control functions “so that neither one is too disproportionately strong relative to the other.” Among the questions DeLoach suggested asking: Are there certain aspects of the strategy that may be unrealistic and result in unacceptable risks if managers are stretched to achieve established performance goals?

  9. Focus the board’s risk oversight on the critical enterprise and emerging risks. The National Association of Corporate Directors names five risk categories: governance risks, critical enterprise risks, board-approval risks, business management risks, and emerging risks. Of those, an organization’s board should be primarily focused on critical enterprise risks and emerging risks, DeLoach said. The board should be assured that management “has in place effective processes that (1) identify the organization’s critical enterprise risks and evaluate how they are managed so that the board’s risk oversight is properly focused, and (2) identify and communicate emerging risks on a timely basis.”

  10. The rearview mirror doesn’t help much when you’re going forward. While lagging indicators are useful for measuring performance, companies must spend time looking forward when setting strategy and integrating that strategy with risk. These activities include implementation of a response plan in the event of a crisis and stress-testing business models against multiple views of the future.

Neil Amato is a senior editor with the AICPA Magazines & Newsletters Team.