An organization’s approach to integrating strategy and risk management is driven by both the nature of the organization itself and the environment it operates within. Here are six common factors affecting organizational ability to achieve integration.
1. Enterprise Risk Management is not a luxury… It’s a matter of survival.
Improving Enterprise Risk Management (ERM) maturity, building the correct risk management culture and instilling key values across the organization will lay the foundations for success. ERM should:
Be an independent, empowered function that is also embedded within all areas of the organization.
Ensure the corporate appetite for risk is clearly identified and matched by its own ability to manage those risks.
Ensure risk triggers and risk responses are identified to maximize exploitation of opportunities and mitigation of threats.
Be subject to ongoing review and improvement.
2. Question your assumptions.
A rapidly changing environment requires a responsive organization. Businesses are often held back by what I term “strategitis,” where the management resolutely refuses to accept that their practices are no longer relevant to the changing operational environment. Living in a state of denial increases contagion of the risk (risk exposure). “Strategitis” ensures the propagation of bad practices by masking the organization’s “immune response” thereby thwarting implementation of a revised strategy relevant to the prevailing business landscape.
3. Anything that can go wrong will go wrong… are you ready?
Planning for “what ifs” is mandatory. Having a plan B, exploitation or exit strategy prepared ensures knee-jerk decisions will not compromise long-term strategic goals. If you are too busy to proactively manage risks today, you will be too busy managing crises tomorrow. The impact of the negatives that we don’t know could be much more significant than the positives that we do know. War-gaming and scenario planning can be valuable tools here.
4. Do it top-down but do it right.
Simply reporting operational risks from each organizational unit to the OSM (Office of Strategy Management) can distract attention from the bigger, strategic risk picture. Risk must be viewed at the strategic level and operational risks must also be considered within the strategic context. Some risks will require detailed assessment at the operational level. The output of this review should then be reassessed at the strategic level.
5. It’s all about risk appetite.
Risk appetite shapes the organizational strategy, so it should always be considered first. Unfortunately, most organizations that have a low level of ERM maturity also have no defined or widely communicated risk appetite. Conflicting attitudes towards risk among senior and middle management will compromise overall strategic objectives. Risk appetite simply dictates the DOs and DON’Ts in day-to-day business as well as over the long term.
6. Measure – do not count.
Albert Einstein famously warned,
“Not everything that counts can be counted, and not everything that can be counted counts.”
Gathering the right information (that counts) and using the right metrics is not easy, so available information tends to be gathered and easy metrics (that can be counted) are used instead. This leads to ineffective measurement of risk. Moreover, there’s a pervasive failure to understand that decision-making support is the real objective of the risk function, not simply data gathering and reporting.
A strategic aim that was appropriate in the past may not be appropriate now, so recognize that change is inevitable and be ready to adapt. Clearly communicated policies on risk supported by relevant and timely data to facilitate decisions will also help ensure that the organization’s strategic goals are met, even in a rapidly changing operational environment.
This article originally appeared in the October 2015 issue of Strategically Speaking, issued by the Palladium Group. You can access the full issue here: Strategically Speaking October 2015
It was my pleasure to be invited to contribute to the October 2015 issue of Strategically Speaking among other great strategy and risk management thinkers and leaders like Professor Dr. Kaplan, Marvin Bower Professor of Leadership Development, Emeritus, Harvard Business School and co-founder of the Balanced Scorecard; James Creelman, Director, Research & Intellectual Property at Palladium; Andrew Smart, CEO, Manigent and others.
I would like to thank my friend Gareth Watkins, Senior Consultant at EC Harris, for reviewing and editing this article.