In today’s business climate, both local and global events have the potential to significantly impact your organisation and how it operates. With the watchword for the contemporary climate being agility, the necessary steps to bring your organisation’s strategy and risk management aspects together can have a lasting benefit in securing the successful attainment of both short-term and long-term organisational goals and objectives.
With globally connected economies, organisations face major strategic risks, including the current global pandemic, economic change, political change, climate change, disruptive technologies and highly competitive markets. Identifying, assessing and managing these risks is essential in the development and execution of an organisation’s strategy.
How can organisations integrate strategy management and risk management to strengthen the likelihood of successful strategy execution? And how can organisations exploit positive opportunities from risk as well as mitigate the potential downside?
This blog will explore the best way for an organisation to bring these two equally important processes centred around performance measurement, monitoring and reporting under one coherent and cohesive framework to drive strong business performance and resilience.
Why Integrate Risk into Strategic Planning and Embrace ERM?
In the age of intense volatility, uncertainty, complexity and ambiguity, business success hinges on making intelligent and informed risk decisions through integrating corporate strategy and risk management. Overlooking risks associated with strategies or ineffectively managing them is a recipe for failure.
By integrating enterprise risk management with strategy development and execution, your organisation will be best positioned to create and achieve sustainable value. Although research has shown the benefits of such integration, why has there been a slow uptake in risk-strategy integration across many sectors? Common reasons include:
- Adoption of either too simplistic or overly complex risk management models.
- Treating ERM as primarily a compliance activity, rather than an integral part of strategic and operational planning.
- Lack of understanding of how risk management, strategy development and execution should integrate.
- Evaluating strategic alternatives with the highest potential to achieve the organisation’s goals together with the associated risks to determine the right balance of risk and reward relative to the organisation’s risk appetite.
- Lack of clarity on the risk appetite of the organisation, which in turn can either limit the development of opportunities or expose the organisation to unacceptable levels of risk.
- Ensuring the Board and Executive Management clearly understand the value drivers of the organisation, the risks associated with them and how to best manage those risks.
Internationally accepted risk management standards such as ISO 31000 and the COSO Enterprise Risk Management – Integrated Framework outline principles and processes for effective enterprise-wide risk management. These standards emphasise the necessity of promoting, embedding and integrating risk management throughout the enterprise at both strategic and operational levels.
Key Benefits of Effectively Bringing Together Risk and Strategy
All organisations need to set strategy and periodically adjust it, always staying aware of both ever-changing opportunities for creating value and the challenges that will occur in pursuit of that value. To do that, they need the best possible framework for optimising strategy and performance.
Organisations that integrate enterprise risk management throughout the entity can realise many benefits, including, though not limited to:
Increasing the range of opportunities: By considering all possibilities, both positive and negative, risk management can identify new opportunities and challenges associated with current opportunities.
Identifying and managing risk entity-wide: Every entity faces a myriad of risks that can affect many parts of the organisation. Sometimes risk can originate in one part of the entity but impact a different part. Consequently, management must identify and manage these entity-wide risks holistically to sustain and improve performance.
Increasing positive outcomes and advantage while reducing negative surprises: Enterprise risk management allows entities to improve their ability to identify risks and establish appropriate responses, therefore reducing surprises and related costs or losses, while profiting from advantageous developments.
Enhancing enterprise resilience: An entity’s medium and long-term viability depends on its ability to anticipate and respond to change, not only to survive but also to evolve and thrive. This is, in part, enabled by effective enterprise risk management. ERM becomes increasingly important as the pace of change accelerates and business complexity increases.
These benefits highlight the fact that risk should not be viewed solely as a potential constraint or a challenge to setting and carrying out a strategy. Rather, the change that is associated with risk and the organisational response to risk gives rise to strategic opportunities and the capability and capacity to successfully pursue them.
The Journey to Becoming a Risk Intelligent Organisation
How Mature is Your Risk Management?
What does maturity look like in practice? At more progressive organisations, an embedded governance structure allows the enterprise to think about risk proactively and align its risk profile and exposures more closely with its strategy. Its board and governance leadership group are proactive in setting the company’s risk appetite. Aligning risk to strategy, by identifying strategic risks and embedding risk management principles into business unit planning cycles, enables the company to identify and document those risks that have the highest impact on performance and sustainability. The payback on this effort is multifaceted. Surveying risk so thoroughly gives the company the confidence to openly communicate its risk strategy to external stakeholders without worrying that the transparency would shake investor confidence. Most importantly, the alignment of risk awareness and management practices, from strategy to business operations, enables an organisation to monitor risk developments more effectively. Managers could keep the organisation within acceptable tolerance ranges, driving performance to plan. Mature risk management allows the organisation to further improve its financial performance, strengthen stakeholder communication, and build greater trust in the market.
When setting risk strategy, progressive organisations:
- Generate two-way open communications about risk with internal and external stakeholders.
- Establish clear roles and responsibilities to ensure risk is governed and managed efficiently and effectively. Have the Board or management committee play a leading role in defining risk management objectives and setting the appetite for risk.
- Adopt and implement a risk framework and strategy that integrates across the organisation.
One Common Framework
Integrating risk into strategic and operational management under a cohesive and coherent framework or plan.
Most organisations will tell you “we already do risk management”. While this may be true, many operate in silos with narrowly focused, functionally driven, and disjointed risk management activities. Systems are patched together. Human and information resources are duplicated. With so many disconnects, the company cannot achieve a timely and enterprise-wide view of risk. It is left in a state of risk ignorance where interdependent risks are not anticipated, controlled or managed. The threat to the business is exacerbated by aggregate risk exposure. In contrast, in a risk-intelligent company with a proactive and comprehensive approach, the management of risks supports every activity across every function. Risk management becomes an integral aspect of organisational life.
To achieve the results of top-performing companies, senior executives, board members, and the risk and audit committee need to be clear about the company’s risk strategy and governance. And they need to provide adequate oversight and be accountable for the company’s risk management practices. Elevating the risk discussion to the highest levels of the organisation improves visibility, accountability, transparency, and strategic decision-making.
Organisations that embed risk management practices into their DNA have a much stronger chance of achieving strategic and operational objectives.
When a company attains the highest level of maturity, it typically requires that dedicated resources for risk management be integrated into business processes through a formalised procedure. In such environments, proactive risk management is systematically incorporated into corporate strategy and strategic planning activities. However, many organisations have grown an internal maze of assessments as individual responses to various risks while omitting or misaligning the strategic risk.
Risk management must stay close to the business and the business must understand what risk management is tackling. When corporate strategy, operations and risk management come together, a more well-defined and direct path to achieving business value and objectives is assured.
Active Monitoring and Reporting on Risks Through a Meaningful Dashboard
Being able to easily view and track the organisation’s risk profile and status at any time and in turn to provide stakeholders with easy-to-follow graphical summaries are key attributes of a successful risk and strategy-oriented approach. This can be achieved through an effective risk management dashboard which can help you to:
- Determine which areas of the company are most at risk and require rapid action.
- Easily identify the “Top 10” or highest priority risks across the organisation.
- Track progress of risk treatment actions and their subsequent effect on reducing risk impact.
- Quickly profile the severity of risks by risk category.
- Check the status of risk reviews at any time.
- Monitor events and trends through key risk indicators.
Keeping both internal and external stakeholders engaged and informed is crucial to the success of your organisation as they provide important resources, external support, and influence that will ensure risk and strategy are successfully integrated and the organisation’s objectives are achieved.
Minimise Multiple Handling of Risks and Controls
As companies grow, risk, control, and compliance activities often get dispersed across multiple functions. Companies can reduce their risk burden by aligning monitoring and control functions to concentrate on the risks that matter most, coordinating people to reduce gaps in capability levels, developing consistent practices that can be applied across functions, and sharing information and technology tools to create greater visibility of risk management activities enterprise-wide.
To Achieve Efficiencies When Managing Risks & Controls You Should:
- Establish key risk indicators (KRIs) where relevant to track the effectiveness of controls deployed in different areas of the business and inform respective risk owners and stakeholders.
- Standardise risk assessment and review processes across the business.
- Optimise controls to improve effectiveness, reduce costs, and support increased business performance.
- Review risks and controls to remove replication and develop templates to minimise future replication. Ensure all risks and controls are captured, assessed, reviewed and reported on through standardised software.
Companies can improve performance and reduce the cost of controls spend by choosing automated controls over manual and establishing key performance indicators to monitor control effectiveness.
Leverage Performance Measures and Analytics to Improve Risk Quantification and Control Assessment
Identifying and tracking the right key risk and performance indicators (KRIs and KPIs) ensures risks and their controls are more accurately assessed. These indicators can also help organisations in several ways. For example, KRIs can help identify emerging risks (e.g. impacts of climate change, supply/demand changes etc.) and drive appropriate risk mitigation responses. KRIs can help organisations analyse historical data for pattern recognition and forecasting – which can be further utilised in the areas of alert management and capacity planning.
Combining the use of metrics, data analytics, incident and risk related activity monitoring can help managers and stakeholders to:
- Better target resources to higher priority risks that impact areas of the organisation critical to performance and sustainability.
- Review the targets for each metric and assess the operational impact on time, cost and resources.
- Better analyse the root cause(s) of risks and enable more accurate assessment of current impact, effectiveness of controls and the right treatment choices.
- Identify areas of increased risk (where data was incomplete) and re-prioritise remediation efforts to fix the data issues and increase monitoring coverage.
- Provide more meaningful reports to support decision making on risk management and strategy choices.
As organisations become better at integrating enterprise risk management with strategy and performance, they make better decisions and achieve better results. By knowing the risks that will have the greatest impact on the entity, organisations can use enterprise risk management to help put in place capabilities that allow them to act early, thus opening up new opportunities.
Champion a Risk-Aware Culture From the Top Down
Organisations that embed risk management practices into “the way we do business around here” have a much stronger chance of achieving their strategic and operational objectives.
Yet little will happen without clear messaging from the top and the commitment to make the necessary changes to both the key processes and the culture of the business. Senior executives will need to change the way they incorporate risk considerations when making key business decisions. They will need to communicate openly with all stakeholders about what that change looks like and what it will mean. And most importantly, they need to be consistent and hold the whole organisation across all levels accountable for their roles and responsibilities in the enterprise risk management strategy.
For companies looking to take their risk management practices to the next level—to reach beyond compliance to address the issues that can add strategic business value—there is no better time. It will take a multi-pronged effort, but companies that choose to move their risk management practices up the maturity scale have an opportunity to boost growth and outperform their peers.
Choosing the Right Software Partner to Manage and Integrate Your Risk Management Approach
Organisations today need next-generation enterprise software that can consolidate disparate processes, systems and data sources into a singular, holistic solution, delivering deep insight into the risk profile, status and respective performance of every part of the organisation, while enabling integration and cross-functional interaction.
But selecting the right software solution is a complex undertaking that demands multi-level, multi-regional, cross-functional, and inter-departmental collaboration.
Our Gartner and Forrester recognised ERM solution can help you evaluate and meet your organisation’s governance, risk and compliance needs and best position it to meet business challenges and opportunities that lie ahead.