Risk Management and Strategy Alignment
Risk management is not about avoiding risks. It is about ensuring organisations achieve their objectives in the most effective way, and it should therefore be part of the strategy-setting process.
Risk management is often considered once the strategy is agreed upon. In other words, we have a strategy in place, what could affect it? To get the most out of risk management, it should be integrated with the setting of company strategy and departmental goals. The value to the company is an increased range of opportunities and a chance to identify and plan for potential issues up front.
In July 2020 the Institute of Internal Auditors updated its Three Lines Model [1]. Interestingly, the word “Defence” is now gone from the model. More emphasis is now placed on the goal of managing, assessing, and reporting on the certainty of achieving objectives, as well as on matters of defence and protecting value. I believe this is a very positive step forward and have outlined below how to take such an approach.
How to align risk management with strategy and business objective setting
COSO’s Enterprise Risk Management Integrating Strategy and Performance 2017 has some good insights into aligning strategy setting and risk management. I have outlined some of these ideas below and also added my own thoughts and approaches.
Emerging Risk Analysis
Perform a forward-looking risk assessment: what is happening in the next 5-10 years and beyond in the organisation’s environment that could influence a company’s strategy now? This can take the form of a PESTEL analysis, thinking outside the box when considering the political, economic, social, technological, environmental and legal factors. The internal environment should also be considered, including the core processes, people and systems central to the delivery of business strategy.
Defining an emerging risk’s characteristics and potential impact is challenging because of its uncertain nature. Unlike with many other types of risks, past experience is not a reliable guide to future potential impact; the absence of historical data makes it difficult to accurately predict the trajectory of emerging risks (think of Covid-19 as an example).
Senior management with detailed knowledge of the company and industry should be involved in this analysis and contribute their key insights. It is important to consider this analysis both in terms of risk and opportunity.
Risk Identification and Management
When a strategy starts to take shape, that is the time to consider the uncertainties and risks in achieving it. This gives an opportunity at the outset to proactively manage, mitigate, avoid or accept these risks and to amend the strategy accordingly.
Applying Risk Appetite
Risk management is not about eliminating risk. A company cannot grow and succeed without taking some risk. The purpose of a risk appetite is to set out the maximum amount of risk that a company is willing to take in pursuit of its objectives. A risk appetite can be considered in both qualitative and quantitative terms.
Strategy and risk appetite should be developed in parallel, refining each through strategy setting. The starting point for setting risk appetite is to base it on the established mission and vision of the company and prior strategies; it is then refined when the organisation reviews alternative strategies and selects the optimum one. Risk appetite should seek an optimal balance between risk and opportunity. A range of key indicators should be developed to monitor the level of risk taking against risk appetite throughout the period, so that timely action can be taken should an organisation reach or exceed its risk appetite limits.
Establishing business objectives and risk performance measures
After a strategy is agreed, what naturally follows is the setting of business objectives that are specific, measurable or observable, attainable and relevant, and that are linked to strategy. When performance measures are agreed, they should take account of Risk Appetite indicators.
Significant business proposals
It is often the case that there are significant business proposals made outside of the strategy process that could have a material impact on Risk Appetite. Where such business proposals are made, they should include an analysis of Risk Appetite impact. Criteria should be established to define what proposals would require such an impact analysis.
These are just some approaches that can be taken to align risk management with the strategy process, with many benefits for the organisation.
[1] https://na.theiia.org/about-ia/PublicDocuments/Three-Lines-Model-Updated.pdf