CHAPTER 3
ERM and Its Role in Strategic Planning and Strategy Execution

MARK S. BEASLEY, PhD, CPA

Deloitte Professor of Enterprise Risk Management and Director of the ERM Initiative, College of Management, North Carolina State University

MARK L. FRIGO, PhD, CPA, CMA

Director, The Center for Strategy, Execution, and Valuation and Ledger & Quill Alumni Foundation Distinguished Professor of Strategy and Leadership at the DePaul University Kellstadt Graduate School of Business and School of Accountancy

Enterprise risk management (ERM) has rightfully become a top priority for directors and executive management. The current economic crisis highlights the disastrous results when risks associated with strategies are ignored or ineffectively managed. Coming out of the crisis are numerous calls for improvements in overall risk oversight, with a particular emphasis on strategic risk management.

One of the major challenges in ensuring that risk management is adding value is to incorporate ERM in business and strategic planning of organizations. The “silos” that separate risk management functions in organizations also create barriers that separate strategic planning from ERM. In many cases, risk management activities are not linked or integrated with strategic planning, and strategic risks can be overlooked, creating dangerous “blind spots” in strategy execution and risk management that can be catastrophic.

The challenge, as well as opportunity, for organizations is to embed risk thinking and risk management explicitly into the strategy development and strategy execution processes of an organization so that strategy and risk mindsets are one and the same. This chapter is based on articles, cases, and research by the authors in leading ERM and Strategic Risk Management initiatives at North Carolina State University and DePaul University, respectively, and their work with hundreds of practice leaders in enterprise risk management.

RISING EXPECTATIONS FOR STRATEGIC RISK MANAGEMENT

The expectations that boards of directors and senior executives are effectively managing risks facing an enterprise are at all-time highs.1 Much of this shift in expectations was prompted initially by corporate scandals and resulting changes in corporate governance requirements, such as the Sarbanes-Oxley Act of 2002 (SOX) and the NYSE Corporate Governance Rules updated in 2004. Debt-rating agencies such as Standard & Poor’s, Moody’s, and Fitch now examine enterprise-wide risk management practices of institutions as part of their overall credit-rating assessment processes. Their particular focus is on understanding the risk management culture and the overall strategic risk management processes in place.1

The economic crisis that began in 2007 and still continues is now shining a huge spotlight on the board and senior management’s enterprise-wide risk management processes. Reform proponents are pointing to failures in the overall risk oversight processes, including unaware boards, overreliance on sophisticated models, and underreliance on sound judgment. Critics argue that because returns on certain strategic initiatives were so great, risks that were present were either unknown or ignored.2 Numerous calls are now arising for drastic improvements in risk management, with a specific call for more formal risk considerations in managing an organization’s deployment of specific strategic initiatives.

This sentiment is evidenced by Federal Reserve Governor Randall S. Kroszner’s October 2008 speech where he argued that financial institutions must improve the linkage between overall corporate strategy and risk management given that “survivability will hinge on such an integration.” Governor Kroszner noted that many firms have forgotten the critical importance of undertaking an adequate assessment of risks associated with the overall corporate strategies.3

This shift toward greater expectations for effective enterprise-wide risk management oversight is complicated by the fact that the volume and complexities of risks affecting an enterprise are increasing as well. Rapid changes in information technologies, the explosion of globalization and outsourcing, the sophistication of business transactions, and increased competition make it that much more difficult for boards and senior executives to effectively oversee the constantly evolving complex portfolio of risks.

Even before the recent financial crisis, board members believed that risks were increasing. Ernst & Young’s 2006 report, “Board Members on Risk,” found that 72 percent of board members surveyed believed that the overall level of risk that companies face has increased in the past two years, with 41 percent indicating that overall levels of risk have increased significantly.4 Given recent events, that concern is only heightened. Similarly, management has a comparable observation. IBM’s 2008 “Global CFO Study” reported that 62 percent of enterprises with revenues greater than $5 billion encountered a major risk event that substantially affected operations or results in the last three years and nearly half (42 percent) stated that they were not adequately prepared.5

Many of the risks threatening an enterprise are difficult to see and manage, given their systemic nature. However, while many risks may be unknown, they often have a similar impact. Management and boards of directors are increasingly being held accountable for considering the probabilities and impact of various possible risk scenarios tied to their overall business strategies, even for risk events that may not be foreseeable. For example, the events of 9/11 and the catastrophic impact of Hurricane Katrina, although “unknown” by most, had similar impacts: loss of employees, destroyed operations, damaged IT infrastructure, lack of cash flow, and so on. Management and boards are not expected to predict the next 9/11–type event, but they are expected to consider and be proactive about thinking of responses to events (whatever the cause) that might have a similar impact. That is, management should have a plan for any significant scenario that might lead to consequences that might be detrimental to its core strategy, such as a loss of employees, destroyed operations, damaged IT infrastructure, lack of cash flow, drastic shift in regulations, and so on.

The rise in the volume and complexities of risks is complicated by the fact that many of the techniques used by boards and senior executives are dated, lack sophistication, and are often ad hoc. Few boards and senior executives have robust key risk indicators that provide adequate data to recognize shifts in risks patterns within and external to their organizations, resulting in an inability to proactively alter strategic initiatives in advance of risk events occurring. This has created an “expectations gap” between what stakeholders expect boards and senior executives to do regarding enterprise-wide risk management and what they actually are doing.

In response to these changing trends, organizations are embracing ERM because it emphasizes a top-down, holistic approach to effective risk management for the entire enterprise. The goal of ERM is to increase the likelihood that an organization will achieve its objectives by managing risks to be within the stakeholders’ appetite for risk. ERM done correctly should ultimately not only protect but also create stakeholder value.

ERM Positioned as Value-Adding

ERM differs from a traditional risk management approach, frequently referred to as a “silo” or “stovepipe” approach, where risks are often managed in isolation. In those environments, risks are managed by business unit leaders with minimal oversight or communication of how particular risk management responses might affect other risk aspects of the enterprise, including strategic risks. Instead, ERM seeks to strategically consider the interactive effects of various risk events with the goal of balancing an enterprise’s portfolio of risks to be within the stakeholders’ appetite for risk. The ultimate objective is to increase the likelihood that strategic objectives are realized and value is preserved and enhanced.

Several conceptual frameworks have been developed in recent years that provide an overview of the core principles for effective ERM processes. In 2004, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) issued its “Enterprise Risk Management—Integrated Framework,” with this definition of ERM (see www.coso.org):

Enterprise risk management is a process, effected by the entity’s board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within the risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

Note that ERM is directly related to “strategy setting.” For ERM to be value creating, it must be embedded in and connected directly to the enterprise’s strategy. Another part of this definition refers to the goal of ERM, which is to help the enterprise achieve its core objectives. So, to be effective, ERM must be part of the strategic planning process and strategy execution processes.

The Conference Board’s 2007 research study, “Emerging Governance Practices in Enterprise Risk Management,” notes that while many organizations are engaging in some form of ERM, only a few have full-fledged ERM program infrastructures.6 Many of these organizations initially launched their ERM efforts out of a compliance function, such as compliance with SOX, emerging privacy legislation, and environmental regulations. More boards and senior executives are now working to shift their ERM approach from a compliance orientation to a strategic orientation, consistent with the view that an enterprise-wide approach to risk management should be value enhancing. A 2008 survey, “The 2008 Financial Crisis: A Wake-Up Call for Enterprise Risk Management,” by the Risk and Insurance Management Society (RIMS) found that about 65 percent of the businesses surveyed have begun or plan to implement a strategic risk management system.7

Board Demands for More Strategic Risk Management

Boards are feeling an increasing pressure to strengthen their overall oversight of the enterprise’s risk management processes, with a stronger emphasis on strategic risk management. Recent reports, such as the Conference Board’s “Overseeing Risk Management and Executive Compensation” report issued in December 2008, note that while companies report some progress in developing an enterprise-wide risk management program, it has yet to be adequately embedded in strategy execution and entity culture.8

Boards are becoming more aggressive at pushing management to reassess vulnerabilities in existing risk management processes and to begin strengthening the linkage of its risk management analysis to the company’s strategy-setting activities. Benchmarking surveys about the state of ERM consistently find that the launch of ERM is often tied to the board’s (more specifically the audit committee’s) demand for more robust risk management processes. Boards are now asking management about their risk oversight processes and they are adding formal risk discussions to their agendas on a regular basis.9 Boards are also seeking to take a strategic view of Governance, Risk and Compliance (GRC) by setting and articulating the organization’s “Enterprise Risk Policy and Appetite” and the role of each GRC function.10 Despite these emerging trends, board members still believe they need to have a better handle on issues affecting strategic risk.

INTEGRATING RISK INTO STRATEGIC PLANNING

Successful deployments of ERM in strategic planning seek to maximize value when setting strategic goals by finding an optimal balance between performance goals and targets and related risks. As management evaluates various strategic alternatives designed to reach performance goals, it includes related risks across each alternative in that evaluation process to determine whether the potential returns are commensurate with the associated risks that each alternative brings. It also considers how one strategic initiative might introduce risks that are counterproductive to goals associated with another strategy. At that point, management is in a better position to evaluate various strategic alternatives to ensure that the combined risks that the entity might take on are within the stakeholders’ appetite for risk and that they collectively support the strategic direction desired.

Considering risk during strategy planning also creates an ability to seize risk opportunities. Again, the goal of ERM is to preserve and enhance value. In some situations, ERM may reveal areas where the enterprise is being too risk averse or is ineffectively responding to similar risks that exist across multiple silos of the enterprise. In other situations, ERM may identify risk opportunities that may create potential increased returns to the enterprise. If risks are ignored in strategy, risk opportunities may be overlooked.

A consumer products company’s experience illustrates the advantage of connecting strategy and risks. As part of its sales strategy, the company sought to increase revenues by strategically aligning with a key distributor customer through electronic reordering systems. As part of this alliance, the consumer products company entered into contracts requiring the automatic shipment of products to the retail customer’s distribution warehouses within two-hour increments upon receipt of the customer’s electronic reorder purchase request.

As the consumer products company began to launch its ERM processes, senior management quickly discovered a huge potential threat to this strategic arrangement with the retail customer. The company’s information technology (IT) disaster recovery processes were set to be within acceptable tolerance limits established by the IT group. In an effort to balance costs with perceived IT needs, the IT group had put recovery procedures in place to fully restore IT-based sales systems within a two-day (not two-hour) period. When core sales executives learned about this recovery time frame, they quickly partnered with IT to reduce recovery thresholds to shorter windows of time. Had they not linked IT’s disaster recovery response risks with the sales strategies to fulfill customer orders within two-hour increments, a looming IT disaster could have significantly affected their ability to achieve sales goals, thus compromising the enterprise’s ability to achieve strategic goals. Needless to say, this discovery also prevented other risks that might have been triggered by a disaster, including legal risks tied to contract violations, cash flow losses due to idle sales functions, and reputation risks that could have been realized given the large size and visibility of both the consumer products company and retailer customer.

Recognizing Strategic Business Risk

Strategic risk management can help companies avoid the problem of not recognizing risks soon enough and can help management take swift action to deal with those risks that do occur. What initially appeared to be a minor disruption in the value chain for Nokia and Ericsson in March 2000 turned out to be a critical event for both companies. On Friday, March 17, 2000, a line of thunderstorms appeared in Albuquerque, New Mexico. A lightning bolt struck a Philips semiconductor plant, causing a fire in a plant that made chips for both Nokia and Ericsson and presented similar risks to both companies. The fire was minor, lasting only 10 minutes, and the damage at first appeared to be limited, so Philips expected to be back in operation within a week. As it turns out, the disruption to the plant was months rather than weeks, and the impact on production was significant.

Nokia quickly noticed the problem with the supply of the parts even before Philips told them there was a real problem. They took fast action to address the situation once they determined that the potential impact of the disruption in the supply of chips from the Philips plant could translate into an inability to produce 4 million handsets, representing 5 percent of the company’s sales at the time.

In contrast, Ericsson responded slowly and didn’t have alternative sourcing options. By the time management realized the extent of the problem, they had nowhere else to turn for several key parts. This partly stemmed from the company’s strategy in the mid-1990s, when it simplified its supply chain to cut costs and in the process weakened its supply backup. One manager at Ericsson said: “We did not have a Plan B.” Underestimating the risk of the disruption in supply from the Philips plant and being unable to manage the problem were major factors that led to Ericsson exiting the phone handset production market in 2001.11

What lessons do these contrasting cases offer about integrating strategies and risk management surrounding the supply chain?12

  • Link the potential impact of supply chain disruptions to revenue and earnings to prioritize and manage risk.
  • Build in the necessary levels of redundancy and backup and maintain supply chain intelligence and relationships.
  • Continuously monitor supply chain performance measures to quickly identify problems so that countermeasures can be taken.
  • Share information and foster communication at the first instance of a problem.

Evaluating Strategic Business Risk

The first step in strategic risk management is finding a way to systematically evaluate a company’s strategic business risk. That has to begin with first making sure that management and the board understand the entity’s key strategies that are designed to preserve and create stakeholder value. For a for-profit entity, key strategies are generally linked to increasing shareholder value through initiatives designed to boost revenues, to maintain or reduce costs, or to pursue growth through mergers and acquisitions. A thorough understanding of specific drivers of shareholder value that management and the board are pursuing is necessary before risks surrounding those drivers can be accurately and completely considered. And, that understanding of specific strategy drivers has to permeate leadership across the organization if risks are to be managed effectively.

The next step to strategic risk management surrounds defining the entity’s use of the term “risk.” Michael Porter’s definition in his landmark book, Competitive Advantage, is useful: “Risk is a function of how poorly a strategy will perform if the ‘wrong’ scenario occurs.”13 Thus, strategic risk management begins by identifying and evaluating how a wide range of possible events and scenarios will impact a business’s strategy execution, including the ultimate impact on the valuation of the company.

Before management can effectively manage risks that might be identified by various scenario analyses, they need to define an overriding risk management goal. Risk appetites can vary across industries and entities. Without an understanding of stakeholder appetites for risk, neither management nor the board knows what strategic risks are to be managed and what risks are to be accepted.

The Return Driven Strategy framework is an effective tool for integrating strategic goals and risk management goals. The framework is the result of more than a decade of research and application, involving the study of thousands of companies and the identification of strategic activities that separate the best performers from the worst. The Return Driven Strategy framework describes the hierarchy of strategic activities of best performing companies in terms of financial impact and shareholder value.

The Return Driven Strategy comprises 11 core tenets and 3 foundations that together form a hierarchy of interrelated activities that companies must perform to deliver superior financial performance. These tenets and foundations summarize the common activities of high-performance companies and identify flawed strategies of marginal performers. Here is a list of the 11 tenets and 3 foundations of Return Driven Strategy.14

11 Tenets of the Return Driven Framework

    The Commitment Tenet

  1. Ethically maximize wealth.

    Management must understand, define, and then align all activities toward the shareholder wealth creation objectives and ensure that the business operates within the ethical parameters set by its communities.

    Two Goal Tenets

  2. Fulfill otherwise unmet customer needs.
  3. Target and dominate appropriate customer groups.

    To avoid commoditization, management must focus on fulfilling otherwise unmet customer needs. The path to business success is through the customer—sufficiently large groups of customers. This means targeting economically profitable customer groups that have sufficient size and growth opportunities while fulfilling otherwise unmet needs which are not commoditized.

    Three Competency Tenets

  4. Deliver offerings.
  5. Innovate offerings.
  6. Brand offerings.

    Through synchronization of these three competency tenets, offerings are created that target customer needs. Management needs to consider the executability of plans at the outset, with the three higher tenets as primary goals. Continuous innovation across the entirety of the offerings develops offerings designed to address needs that are currently unfulfilled. Branding of the offerings bridges the customer’s explicitly understood need to the offering that uniquely fulfills it.

    Five Supporting Tenets

  7. Partner deliberately.
  8. Map and redesign processes.
  9. Engage employees and others.
  10. Balance focus and options.
  11. Communicate holistically.

    The supporting activities are done to support the achievement of the higher level tenets: the competency tenet, goal tenet, and commitment tenet.

There are three foundations that are critical to the Return Driven Strategy:

  1. Genuine assets.

    The 11 tenets are the “verbs” of strategy. Genuine assets are the “nouns.” Genuine assets are the building blocks of sustainable competitive advantage. Activities are copied by competitors, leading to price competition and reduced cash flow returns. This can be defended only by leveraging unique assets to create unique offerings that cannot be copied (patents, brands, scale and scope, etc.).

  2. Vigilance to forces of change.

    The ability and agility to capitalize on opportunities and avoid threats is foundational. Management must take advantage of opportunities and avoid threats in each of the three tenets arising from (1) government, legal, and other regulatory change, (2) demographic and cultural shifts, (3) scientific and technological breakthroughs.

  3. Disciplined performance measurement and valuation.

    A discipline that links strategy to ultimate financial results is necessary for measuring the achievement of strategic goals. Performance measures must be in place to support the achievement of the strategy and its resulting value creation.

This framework describes how an enterprise’s strategy can be aligned with the ultimate objective to “Ethically Maximize Shareholder Wealth.” This is a valid goal for a business entity: to create shareholder wealth, to strive to maximize it, and to do so while adhering to the ethical parameters of stakeholders and communities.15

That ultimate strategic goal can work simultaneously as the entity’s risk management goal as well. That is, management must understand, define, and then align risk management activities toward ethical shareholder wealth creation objectives. In doing so, risk management activities must be justified in terms of shareholder wealth creation. If wealth preservation or creation isn’t linked to risk management activities, then particular risk management activities should be challenged.

We believe that, to be effective, a framework for strategic risk management needs to include these three characteristics:

  1. Alignment with a commitment to ethically create shareholder wealth. Risk management must have a strong alignment with protecting and creating shareholder value. Rule No. 1 of strategic risk management should read: “First, don’t destroy shareholder value.” But to add value, strategic risk management should be firmly aligned with the creation of shareholder wealth and have a focus on risk opportunities (i.e., the “upside” of risk). Of course, shareholder wealth should be created within the ethical parameters of the constituents and the communities in which the company operates. Any framework for strategic risk management should have the ability to make the connection among the strategy of the organization, its execution and related risk management, and the valuation of the entity.16
  2. Holistic. Strategic risk management should be holistic and broad enough to encompass the spectrum of entity-wide activities needed to achieve an organization’s strategy. A framework for strategic risk management needs to be integrated so that various facets of strategic business risk can be linked with the overall goals of the business. This is where an ERM approach to risk management helps provide value through its emphasis on viewing risk-related scenarios using a top-down, holistic portfolio approach to determining how various silo risk events might interact to limit or destroy value. A holistic approach to strategic risk management helps connect various business unit goals and objectives and related risks to the overall goal of maximizing shareholder wealth. Without a holistic view, strategic activities within one aspect of the enterprise may be creating strategic risks for another part of the business.

    For example, Harley Davidson’s recent letter to shareholders describes one of its strategic goals to expand into international markets, particularly China and Japan. The letter also describes another strategic goal to enhance its “H.O.G.” brand mystique and motorcycling lifestyle. In this case, the strategic desire to expand into Asian cultures, if left unmanaged, has the potential to create risks associated with its strategic desire to expand the Harley mystique if changes are made to Harley products to satisfy the motorcycling preferences of riders in different cultures. To effectively manage strategic risks, management needs to monitor how each strategic initiative might be throwing off counterproductive risks impeding other strategic objectives.17

  3. Capable of identifying and evaluating events and forces of change. Strategic risk management has to be an ongoing, continual process. It can’t be an activity that happens only occasionally. Risks are constantly evolving, which means an organization’s strategies may need to evolve as well, so effective strategic business risk management must be capable of regularly identifying and evaluating how events, scenarios, and forces of change will impact the business strategy and its performance. Management’s dashboard of key performance metrics should also include key risk indicators that provide leading information about changing risk conditions so that management is better prepared to adjust strategies ahead of the risk curve in a proactive manner, rather than be blindsided by shifting risk conditions that are realized too late to adjust deployments of key strategies, such as the situation at Ericsson. Robust management scorecard-reporting systems that include key strategy and risk management metrics can help strengthen management’s effectiveness at staying on top of key changes that may impact the entity’s strategic goals.

Using a Framework to Build a Strategic Risk Management Mindset

Executive teams have used the Return Driven Strategy as a holistic framework to set, evaluate, refine, and execute strategy. It also has been integrated into strategic planning processes and used as a way to evaluate the impact of events and scenarios, including merger-and-acquisition scenarios, on a strategy’s performance. As directors and management have used the framework to evaluate the business strategy, they have been able to home in on key risks that could destroy shareholder value while considering the upside of risk in terms of the opportunities, thereby using it as a strategic risk management framework.

CREATING A STRATEGIC RISK MINDSET AND CULTURE

How risky is our strategy? What events and risk scenarios could ruin our business? Do we have the right countermeasures and risk management strategies in place? These are just some of the questions on the minds of executives and board members today.

A Strategic Risk Management Mindset

A strategic risk management mindset focuses on examining how well a business strategy will perform under different scenarios and events. It encourages and supports thinking about scenarios where the strategy could perform so poorly that it could potentially result in significant losses, destruction of shareholder value, or a damaged corporate reputation. For example, management at Fidelity Investments knows that their strategy of providing investment services to an investor base all across the globe creates unbelievable demand for resiliency in its information technology functions. The tolerance for information systems outages or lack of access to pricing information approaches zero. They know that customers have little appetite for Fidelity to say their “systems are down.” Thus, one of the key areas of focus of Fidelity’s Risk Advisory Services Group is to oversee the business continuity planning processes at Fidelity.

A strategic risk mindset should also consider the “upside” of risk.18 For example, the Target Corporation sidestepped the competitive threat from Wal-Mart by focusing on a customer segment different from Wal-Mart’s and achieved profitable growth opportunities in the process. As another example, Samsung, confronted with serious brand erosion and commoditization risk, turned its attention to build on product innovation, speed to market, and a strong brand to turn a position of weakness into a position of market strength.

Risk can include loss of tangible assets, and it can also mean the potential loss of one of the company’s most valuable assets—its reputation.19 The H.J. Heinz Company has centered its enterprise risk management function on supporting an ultimate goal of protecting the Heinz reputation. In fact, its ERM program is formally known internally as “Enterprise Reputation and Risk Management (or ER2M).” Heinz’s ER2M helps the company meet two primary reputation-related goals: (1) to further support doing the common thing uncommonly well, and (2) to help Heinz become the most trusted packaged food company. To help management see the importance of thinking about risk and reputation, Heinz defines risk as “anything that can prevent the company from achieving its objectives.” They recognize that any event that affects the Heinz reputation in the food industry will directly impact its ability to achieve its objectives.

Ultimately, strategic risk management and ERM need to be connected with the potential impact on shareholder value. Effective strategic risk management should provide a way for identifying and evaluating how a wide range of possible events and scenarios will impact a business’s strategy execution, including the impact on the assets and shareholder value of the company. That’s how risk management is positioned at the Dow Chemical Company. The objective of effective enterprise risk management at Dow is to improve management’s ability to run its business with the view that if they can manage risks better, they can be more competitive. Management and the board realize they have the responsibility to pursue opportunities, which will require the assumption of risks. They seek to assume those risks in a well-managed, controlled manner that recognizes the reality that as new strategies are created, new risks arise that need to be managed.

The Return Driven Strategy framework provides a way to evaluate the strategic risks of a company from the perspectives of shareholder value risk, financial reporting risk, governance risk, customer and market risk, operations risk, innovation risk, brand risk, partnering risk, supply chain risk, employee engagement risk, R&D risk, and communications risk. It also provides a useful framework for understanding the cause-and-effect linkages in critical risk scenarios and explains how those scenarios would play out in the business strategy and impact profitability, growth, and shareholder value.20

The framework encourages thinking around these risk categories:

  • Shareholder value risk provides a high-level overview of risk and is driven by future growth and return on investment as reflected in the plans of the company and the company’s perceived ability to execute on them. Anything that will impede growth and returns, including the risk of unethical activities of the company, should be considered in assessing shareholder value risk using the first tenet of Return Driven Strategy, “Ethically Maximize Wealth.”
  • Financial reporting risk is driven by reporting irregularities in areas such as revenue recognition, which can result in restatements of financial reports and be devastating to shareholder value.
  • Governance risk is driven by factors such as controls and governance capabilities, including the need for compliance with laws and regulations.
  • Customer and market risk is driven fundamentally by the extent to which a company’s offerings fulfill otherwise unmet needs, and this provides protection against competition.
  • Operations risk can be driven by any part of the value chain and often surfaces with the inability to deliver offerings, which is at the heart of Return Driven Strategy.
  • Innovation risk is driven by the inability to change or create offerings that fulfill customer needs better than your competitors do.
  • Brand risk includes the risk of brand erosion and damage to a company’s reputation.
  • Partnering risk is driven by the activities of your partners, from vendors to joint ventures, to other associations, including counterparty risks.
  • Supply chain risk focuses on the increasing risk in outsourcing and global supply chains.
  • Employee engagement risk is driven by the employment practices of the company.
  • R&D risk is driven by the processes and pipeline of options for new offerings for future growth.
  • Communications risk is driven by how well your company communicates internally and externally.

Recognizing the Value of Strategic Risk Management at High-Performance Companies

Research on high-performance companies can provide valuable insights about risk management. High-performance companies are vigilant about forces of change, and they manage risks and opportunities better than other companies. By better understanding how the success or failure of a business is driven by its plans and actions, we can improve how we value companies—and how we run our businesses.

Research about high-performance companies highlights that one of the challenges facing management teams is how to link business plans and enterprise risk management. There are three approaches for effective strategic risk management to consider: (1) a strategic risk assessment process, (2) a process to identify and protect Genuine Assets that are at risk, and (3) strategic risk monitoring and performance measurement.

BUILDING A STRATEGIC RISK ASSESSMENT PROCESS

A simple process for strategic risk assessment involves four steps:21

  1. Risk assessment of plans. Strategic risk assessment can begin by conducting an overall risk assessment of strategic plans, including an understanding of how they drive value and the key assumptions those plans are based on. This assessment includes scenario analysis of various iterations of changing assumptions surrounding drivers of the strategy.
  2. Identify critical risk scenarios. The next step is to identify and describe “critical risk scenarios” considering the severity and likelihood of the events and scenarios that might occur, especially those outside management’s control, such as systemic risks. At this stage, management and the board need to define their overall appetite for these critical risk scenarios.
  3. Identify countermeasures. Next, management would identify possible countermeasures for managing the critical risk scenarios and would consider the cost/benefit of the countermeasures.
  4. Establish a process for continuous monitoring. Management would establish a process for continuous monitoring of the risk profile of the company, including the use of key risk indicators (KRIs) and best practices of performance measurement and performance management such as the Balanced Scorecard.22

Here are some questions to address during a strategic risk assessment process:

  • What events or scenarios could create significant downside risk in your business strategy and plans?
  • What key assumptions have been made about the viability of specific strategic initiatives and what ranges of possible scenarios exist surrounding the variability inherent in these assumptions?
  • What is our appetite surrounding certain strategies and their associated ranges of key risk exposures? What is the worst-case scenario surrounding each strategy, and would the entity be able to survive certain risk events?
  • What countermeasures have been developed to address these risk scenarios and events?
  • Has the company considered the upside of risk and how it plans to realize the opportunities?
  • What are the roles of the CFO, general counsel, chief risk officer (CRO), internal audit, and others in assessing and managing the threats and opportunities in your plans and business strategy?
  • How is enterprise risk management incorporated and embedded in your plans and business strategy?
  • What performance measures and key risk indicators are you monitoring to continuously assess and manage strategic business risk?

Strategic Risk Management Processes

There are several approaches to building a strategic risk management process. Several are described next.

  • Risk assessments. One approach is to regularly assess strategic risks from three perspectives: risks, opportunities, and capabilities (ROC). Risks are about risk of loss—the downside of risk, such as loss of revenue or loss of assets. Opportunities are about the upside of risk, such as opportunities for gains in revenue, profitability, and shareholder value. Capabilities are about distinctive strengths of an organization that can be used to manage the risks and opportunities.
  • Tools for risk assessment. There are many tools that can be useful in strategic risk assessment, including brainstorming, analysis of loss data, self-assessments, facilitated workshops, SWOT (strengths, weaknesses, opportunities, threats) analysis, risk questionnaires and surveys, scenario analysis, and other tools.
  • Competitive intelligence. The area of competitive intelligence (CI) can be a valuable part of strategic risk management. CI is an integral component of fact-based strategic planning processes. It should definitely be part of strategic risk management and ERM. “The ethical collection and analysis of CI can reduce the risk associated with strategic decision making,” says Gary Plaster of the Landmark Group and a founding member of the Society of Competitive Intelligence Professionals. Around 400 BC, Sun-tzu in The Art of War wrote “Keep your friends close and your enemies closer,” which is one way of thinking about CI. For example, pharmaceutical companies are vigilant about being at trade shows and scientific meetings, and they monitor clinical trials in the industry. “War games” are used at pharmaceutical companies like Wyeth to develop plans to counter potential market moves by competitors.23 Competitive intelligence is an asset that can be used to manage customer and market risks.
  • Corporate sustainability risk. One of the areas often overlooked in risk management is related to corporate sustainability and corporate social responsibility (CSR). Connecting strategy and CSR is a challenge for executive teams, as Debby Bielak, Sheila Bonini, and Jeremy Oppenheim wrote in their October 2007 article, “CEOs on Strategy and Social Issues,” in the McKinsey Quarterly. The risks and opportunities facing companies in the area of corporate sustainability are more complex and have greater potential impact than ever before, and senior executives, board members, and managers are seeking better ways to manage these challenges and opportunities. In his book Making Sustainability Work, Marc Epstein presents a definition of corporate sustainability that’s useful in strategic risk management. He focuses on nine principles of sustainability: (1) ethics, (2) governance, (3) transparency, (4) business relationships, (5) financial return, (6) community involvement/economic development, (7) value of products and services, (8) employment practices, and (9) protection of the environment. Each of these areas can be assessed as part of strategic risk management. For example, changes in environmental regulations and expectations of environmental standards for companies in a global business environment should be considered in risk assessment and risk management strategies.
  • Risk transfer and retention strategies. One of the basic countermeasures for managing and mitigating risk involves risk transfer and retention strategies. After identifying critical risk scenarios, which include the potential effect on company assets and shareholder value, management must determine how much should be retained or transferred. The risk management strategy should consider whether to protect corporate assets by purchasing insurance, self-insuring, or creating a captive. This assessment requires a deep understanding of the types and limits of insurance and consideration of emerging legal, regulatory, and political trends; damage awards; geographic locations; available insurance products; and options as well as coverage law.

Focus on Genuine Assets at Risk

Some of the most valuable assets of an organization aren’t on the balance sheet. Genuine assets include the most valuable tangible and intangible resources and capabilities of an organization and must be protected because some of them may be at risk.24 Companies routinely insure tangible assets on the balance sheet to protect against loss. But what about protecting the genuine assets?

Genuine assets are the tangible and intangible resources, capabilities, and traits that make an organization and its offerings unique, such as employee expertise, brand, reputation, and so on. As mentioned, some genuine assets appear on the balance sheet, but many don’t. As the “building blocks” of strategy, genuine assets form the basis for creating sustainable competitive advantages. And only through these advantages can you plan and execute business strategy that leads to higher returns, higher growth, and, ultimately, increased market value.

When identifying these assets, management should be very specific as to what the genuine asset is. They should think specifically about how it allows the company to accomplish its strategy in ways other firms couldn’t, thereby leading to higher performance. How difficult would it be for another firm to develop a similar genuine asset, allowing it to copy the activity that led to high performance? How long would it take? How much money would it cost?

To help identify and manage the risks to genuine assets, management should ask three questions:

  1. What are the most valuable and unique capabilities and resources (genuine assets) of the company?
  2. What scenarios and events could put the most valuable genuine assets at risk?
  3. What countermeasures can be developed to protect these assets?

Examples of genuine assets to consider in a risk assessment would include corporate reputation, customer information, competitor intelligence, vendor intelligence, specialized processes and capabilities, existing patents and trademarks, and intellectual property that should be protected with patents, trademarks, and other means.

Customer information is an example of a genuine asset that must be protected. Information security is a major issue at most companies, yet breaches still occur, sometimes with significant potential impact. For example, the British government recently announced that government workers lost two computer disks containing names, addresses, dates of birth, national insurance numbers, and banking information for approximately 25 million residents of the United Kingdom, almost half its population. Effective risk management in the area of data security requires the right mindset and attitude toward information security among employees. It requires an understanding and awareness that the information on a $20 storage device or a $1,000 laptop, if not protected, could result in the loss of customers, corporate reputation, and shareholder value.

Some genuine assets can support and be part of an effective risk management strategy and can help protect a company against risks. For example, having a “Plan B” in place for potential disruptions in critical parts of the supply chain is an example of a genuine asset for effective strategic risk management. Another example is employees having a risk mindset and risk attitude that support the organization’s strategy and risk appetite.

Strategic Risk Management and Performance Measurement

Many people believe that the recent financial crisis is largely attributable to the failure to link performance incentives with the risk management activities within the enterprise. Many of the executive compensation packages provide numerous unintended incentives for management to assume excessive amounts of risk exposures to achieve specific performance compensation targets.

Compensation incentives are typically designed to encourage executives to achieve strategic goals and initiatives, and boards have typically evaluated those executives on whether they successfully achieve specific targets. Unfortunately, for many, the risks associated with those compensation packages are overlooked. Boards are sometimes unaware of the nature of all the risk exposures to the organization created by the executives. As long as the expected returns are achieved, few questions about the amount and types of risks being assumed are voiced.

The recent crisis is now shedding greater light on the risks inherent in these executive compensation packages, and regulations are now being established to provide more insight into the risks associated with performance incentives. For example, the U.S. Treasury Department announced in January 2009 a new requirement for the chief executive officer (CEO) of financial institutions that receive federal funding under the Troubled Asset Relief Program’s (TARP) Capital Purchase Program. For those entities, the CEO must certify within 120 days of receiving the funding that the entity’s compensation committee has reviewed the senior executives’ incentive compensation arrangements with the senior risk officers to ensure that these arrangements do not encourage senior executives to “take unnecessary and excessive risks that could threaten the value of the financial institution.”

Effective strategic risk management should be a continual process that includes metrics for continuous monitoring of risk. An organization’s key risk indicators and metrics should link to the potential impact of risk on shareholder value. Holistic performance management systems such as the Balanced Scorecard give organizations an unprecedented opportunity to align strategy and performance measures with risk management—and to achieve integrated, strategic risk management.

With its focus on strategy and accountability, the Balanced Scorecard fosters a continuous process for risk assessment and risk management, and its framework can help management develop and use these risk metrics.

Strategy maps also can provide a useful way to understand the cause-and-effect relationships in critical risk scenarios and can suggest risk metrics that would be valuable in effective risk management. Risk dashboards can also provide a way to monitor key metrics and trends.

Kaplan and Norton’s closed-loop management system (the Execution Premium model) provides another useful platform for a systematic approach to strategic risk management that integrates with overall management.25 The Strategic Risk Management Lab at DePaul University has been working with management teams to help them embed strategic risk management into each stage of the management system.

  • Stage 1, “Develop the Strategy,” involves defining mission, vision, and values; conducting strategic analysis; and formulating strategy. This stage is where companies can conduct strategic risk assessments and formulate strategic risk management plans as part of their strategy. This can be done using a variety of tools and frameworks, including the Return Driven Strategy framework.
  • Stage 2, “Translate the Strategy,” involves defining strategic objectives and themes and selecting measures, targets, and strategic initiatives. In this stage, management can identify strategic risk management objectives and measures that could be included in Balanced Scorecards. Risk management objectives can be incorporated in the financial perspective and internal process perspective of Balanced Scorecards and Strategy Maps. Management can also use strategy maps to identify the cause-and-effect linkages and root causes of key strategic risks.
  • Stage 4, “Monitor and Learn,” involves holding strategy reviews and operational reviews. In this stage, management teams can hold strategic risk management reviews.
  • In Stage 5, “Test and Adapt,” management conducts strategic risk analysis.

These are just a few examples of using the closed-loop management system to drive better strategic risk management.

Critical Steps for Value-Added Strategic Risk Management

Strategic risk management is increasingly being viewed as a core competency at both the management and board levels. In fact, board members are increasingly focused on strategic risk management, asking executives such questions as “Of the top five strategic business risks the company faces, which ones are you looking at, and what countermeasures are you devising?” The Strategic Risk Management Lab in the Center for Strategy, Execution, and Valuation at DePaul University is sharing with management teams and boards emerging best practices gleaned from its research. Consider the following list of 10 practices worth striving toward.26

  1. Communicate and share information across business and risk functions—and externally. This is considered by some to be the ultimate risk management “best practice.”
  2. Break down risk management silos. Establish interdisciplinary risk management teams, so that each functional area can understand where it fits into the entire company strategy and how it affects other areas.
  3. Identify and, where possible, quantify strategic risks in terms of their impact on revenue, earnings, reputation, and shareholder value.
  4. Make strategic risk assessments part of the process of developing strategy, strategic plans, and strategic objectives. Again, this requires a combination of skills that can be achieved by creating interdisciplinary teams.
  5. Monitor and manage risk through the organization’s performance measurement and management system, including its Balanced Scorecard.
  6. Account for strategic risk and embed it within the strategic plan and strategic plan management process. Wherever scenario planning is included in developing the strategic plan, there should also be a discussion of countermeasures in the event that a risk event occurs.
  7. Use a common language of risk throughout your organization. Everyone must understand the organization’s particular drivers of risk, its risk appetite, and what management considers acceptable risk levels.
  8. Make strategic risk management, like strategy management itself, a continual process. Risk is inherently dynamic, so risk management and assessment must evolve from being an event to being a process—and must include regular analysis and critical risk information refreshes. Strategic risk management reviews should be conducted as part of regular strategy reviews.
  9. Develop key risk indicators (KRIs) to continuously monitor the company’s risk profile. Like the Balanced Scorecard with its measures, targets, and initiatives, the risk management system should include KRIs, thresholds and trigger points, and countermeasures to mitigate or manage the risk.
  10. Integrate ERM into Strategy Execution Systems. This means integrating ERM into the entire management system. This will require strategic risk management as a core competency in organizations and a commitment to continuously monitor and manage risk in the strategy and its execution.

CONCLUSION

The need to connect strategy and enterprise risk management couldn’t be more relevant than it is in the current economic climate. Effective strategic risk management is likely to make the difference between survivability and demise for many. Designed effectively, the connection of ERM and strategy should be value-adding, allowing the enterprise to be more proactive and flexible in managing uncertainties tied to strategies as they unfold.

The key to successful strategic risk management is the ability to identify those risks embedded in the organization’s business strategy that are potentially the most consequential. Focusing on strategic risks serves as a filter for management and boards of directors to reduce the breadth of the risk-playing field and ensure that they are focused on the right risks.

NOTES

ABOUT THE AUTHORS

Mark S. Beasley, PhD, CPA, is Deloitte Professor of Enterprise Risk Management and Professor of Accounting in the College of Management at North Carolina State University. He is the Director of NC State’s Enterprise Risk Management (ERM) Initiative (www.erm.ncsu.edu), which provides leadership about ERM practices and their integration with strategy and corporate governance. Mark currently serves on the board of the Committee of Sponsoring Organizations of the Treadway Commission (widely known as COSO). He has previously served on several national task forces and working groups, including the Auditing Standards Board SAS No. 99 Fraud Task Force and the advisory board for the Conference Board’s research about board of director responsibility for ERM. He is the author of textbooks, casebooks, and continuing education materials and has published extensively in business and academic journals. Mark is also a frequent speaker at national and international conferences on ERM, internal controls, and corporate governance, including audit committee practices. He received a BS in accounting from Auburn University and a PhD from Michigan State University.

Mark L. Frigo, PhD, CPA, CMA, is Director of the Center for Strategy, Execution, and Valuation and the Strategic Risk Management Lab in the Kellstadt Graduate School of Business at DePaul, and Ledger & Quill Alumni Foundation Distinguished Professor of Strategy and Leadership in the School of Accountancy at DePaul University. He is a leading expert in Strategic Risk Management. The author of 6 books and more than 80 articles, his work is published in leading business journals including Harvard Business Review. He is the editor of the Strategic Management section of Strategic Finance and lectures frequently at universities and conferences in Europe. He is the co-author with Joel Litman of the book Driven: Business Strategy, Human Actions and the Creation of Wealth (www.returndriven.com). He received his BS in Accountancy from the University of Illinois and an MBA from Northern Illinois University, and he completed postgraduate studies in the Kellogg Graduate School of Management at Northwestern University. He is a CPA in the State of Illinois and a Certified Management Accountant. Dr. Frigo received his PhD in Economics and Econometrics. Dr. Frigo serves as an advisor to executive teams and boards of directors in the area of Strategic Risk Management.
