Strategic Risk Management (SRM) includes the processes which can help to identify uncertainties and opportunities that can affect an organization’s strategies. SRM also supports the core Enterprise Risk Management (ERM) objective of guiding the organization’s strategic business decisions that impact business performance. However, due to lack of awareness about SRM, the capability of ERM processes is limited. The need for organizations now is to understand the important role of strategic risk as part of their overall risk management processes, and how they can leverage technology to manage and integrate SRM and ERM into key decision-making.
Many organization’s ERM frameworks have done a good job in identifying and assessing risk, developing risk treatment practices, and monitoring critical risks. However, these frameworks lack the necessary connection between risk management practices and the strategic direction of the organization. While risk management activities and corporate planning are two separate management processes, in some organizations, many of the key components within the formal risk management cycle are comparable to central elements of the strategic planning process.
Under-utilization of ERM in Strategic Planning:
An important element of the strategic planning process and risk management process is to evaluate the robustness of existing and alternative strategies within a changing risk landscape. This can be done when the ERM principles of risk identification, risk assessment, selection of risk treatment practices, and monitoring and evaluating are used in scenario planning, allowing leaders to evaluate the potential success or failure of a given strategic option.
Case Study: LEGO Group
Lego Group sets an apt example of how an effective SRM enables the organization to consider shareholder value as well as help in risk prevention and mitigation. The explicit management of strategic risks helps the company to avoid value erosion, and drive value creation.
Hans Laessoe, Senior Director, SRM at Lego, convened a group of 30 people in the company including product developers, lawyers, and marketers and asked them three questions:
1) What comprises product development and competitive pressure?
2) What comprises the operating environment?
3) What drives consumer demand?
After a half-a-day of brainstorming aimed at risk identification, 90 critical risks were identified.
Next, Laessoe stressed the importance of driving a consistent basis for financial quantification, and involved people who were well-versed in revenue forecasting. While most of the business units had already developed their strategic plans, Laessoe walked them through these plans with a perspective on strategic risks. Post the scenario and mitigation conversation, Lego Group prioritized its risks using the ‘park, adapt, prepare, and act’ (PAPA) model. This assisted managers in prioritizing their strategic responses given a risk’s likelihood of occurring and speed of change.
Today, whenever Lego adopts a new strategy — for example opening a new factory in China — the corporate management team needs to have a new strategy documented, which includes a ‘Preparing for Uncertainties’ dimension.
The Role of Technology:
A technology solution serves as the foundation for the company’s enterprise-wide risk and control activities. An integrated risk framework ensures streamlined processes for risk assessments, risk analysis and risk mitigation. It helps in accessing structured risk information and risk intelligence, thus resulting in a better understanding of the organization’s risk profile. It assists in integrating risk management into decision-making and strategic planning. This results in a more centralized view of risk that is aligned with corporate strategy and objectives, real-time information used to guide decision making processes and robust board level reporting and reviewing processes. Moreover, an integrated GRC system approach ensures enterprise-wide visibility and control and helps build a strong risk culture.
Integrated Risk Framework
Technology enables more informed decision making with the help of a structured and standardized method of reporting results. Powerful dashboards, charts and heat-maps provide real-time risk information, and strengthen transparency into the organization’s risk and control management. This also supports more effective risk monitoring, reporting, and communication.
A well-defined SRM process helps organizations to gain critical risk intelligence that is needed to protect shareholder value, drive profits, optimize costs, and tap into new opportunities. Leveraging technology highlights both key areas of uncertainty and key new areas of opportunity, and integrates it into a standard ERM process that allows the organizations to maximize profits and reduce costs.