Figure 1: This is the logo of the new Consumer Financial Protection Bureau of the US Department of Treasury.
My last post entitled: “A Prescription for Change” was about tackling change, one of the many strategic risks an organization faces. As every practitioner of strategy knows, strategic planning is a risky business so it is critical to address the other risks that can affect strategy and execution through a formal process that must be integrated into both planning and execution activities. In this post I will share some information about strategic risks, how I am addressing them and provide you with some resources I found useful to help you guide your own efforts.
In this age of increased corporate scrutiny, transparency and oversight, efforts at managing enterprise risks through the risk management, legal and compliance “silos” alone are no longer adequate. Fueled by the recent financial meltdown (and the corresponding Dodd-Frank Wall Street Reform and Consumer Protection Act), the Sarbanes-Oxley Act of 2002, the FCPA, the new SEC rules, FINRA and now the debt rating agencies (such as Standard & Poor’s and Moody’s), there are new, more formal rules and requirements for enterprise risk management (ERM) procedures, processes and controls that impact strategic planning.
See this article and video from the Systemic Risk Council’s Sheila Bair: “Two Years After Dodd-Frank, Why Isn’t Anything Fixed?” By Yahoo! Finance, July 2012.
On August 31, 2012, the Bank of England’s Andrew G. Haldane (Executive Director, Financial Stability and member of the Financial Policy Committee), with Vasileios Madouros (Economist, Bank of England), gave an excellent speech about the risks, costs and complexity we now face in complying with new regulations. It is entitled “The dog and the frisbee” and was delivered at the Federal Reserve Bank of Kansas City’s 36th economic policy symposium, “The Changing Policy Landscape”, Jackson Hole, Wyoming, August 31st 2012 (see pages 10 and 11).
The authors/presenters duly noted that the Dodd-Frank Act:
“runs to 848 pages – more than 20 Glass-Steagalls. That is just the starting point. For implementation, Dodd-Frank requires an additional almost 400 pieces of detailed rule-making by a variety of US regulatory agencies. As of July this year, two years after the enactment of Dodd-Frank, a third of the required rules had been finalized. Those completed have added a further 8,843 pages to the rulebook. At this rate, once completed Dodd-Frank could comprise 30,000 pages of rulemaking. That is roughly a thousand times larger than its closest legislative cousin, Glass-Steagall. Dodd-Frank makes Glass-Steagall look like throat-clearing.”
Authors Eric A. Posner, University of Chicago – Law School, and E. Glen Weyl, University of Chicago, University of Toulouse 1 – Toulouse School of Economics, published a research paper that calls for an FDA-like agency with which all complex financial products would have to be filed and approved before they can be used. See:
“An FDA for Financial Innovation: Applying the Insurable Interest Doctrine to 21st Century Financial Markets”
Northwestern University Law Review, Vol. 107, Forthcoming
University of Chicago Institute for Law & Economics Olin Research Paper No. 589
U of Chicago, Public Law Working Paper No. 382
Continuing on, to further illustrate the new ERM reality, consider this excerpt from a recent Forbes Magazine Blog that pertains to the U.K. version of the Foreign Corrupt Practices Act:
“Anti-corruption law is now a tidal wave that can engulf anyone doing any kind of business on a global basis. Nor is anti-corruption law the idiosyncratically Wilsonian expression of an oddball American rectitude. As we’ve seen, the UK program [aka 2010 U.K. Bribery Act] is, if anything, much broader in application.”
In fact, the U.K. Bribery Act provides only one defense: “adequate procedures” must be in place to prevent persons associated with the company from conducting illegal activities. The Act “outline[s] certain compliance actions as being valid defenses, including due diligence, risk assessments, and monitoring”.
See the recent WSJ article on Oracle entitled: “US Probes Oracle Dealings”, August 31st 2011.
As a case-in-point, see this recent Forbes article Mexican Bribery Case Shows Wal-Mart The Risk Of Ignoring Risk by Daniel Fisher, April 23, 2012.
Strategic Risk Accountability Has Risen to The Board Level
As a result of these sweeping new regulations, the “ability to effectively manage risks” has become a top priority in large enterprises. Generally, ERM is an initiative being pushed vigorously by the Board of Directors. Since Directors and Officers are responsible for discharging the duty of risk oversight, and are now being held liable when things go very wrong, they are beginning to insist that management provide them with details on all the major risk exposures (known and emerging) facing the organization. No surprise here. In fact, many larger companies have already created a new C-level position, the Chief Risk Officer (CRO), along with a new set of metrics called Key Risk Indicators (KRIs), to provide a focused, top-down ERM monitoring, enforcement and reporting regimen. That effort includes keeping everyone at the top of the organization abreast of risks, and drivers of risk, external to the organization:
“It’s important that boards and senior executives focus on external drivers of risk and consider how they might strategically respond to events that might be out of their direct control.”
– Mark S. Beasley and Mark L. Frigo
Financial Times reporter Lucy Kellaway wrote an excellent article entitled: “Road Test CEOs to avoid Corporate Crashes”. Here is an excerpt:
“Not every risk gets measured: there is one that never gets dealt with at all. It’s the biggest risk of the lot – that the chief executive gets so high on power that he or she loses the plot.
Nowhere on a risk register have I seen “hubristic CEO” as a specific danger to the business, which is a bit of an oversight when you consider this is the common denominator in every corporate catastrophe you’ve ever heard of.” Lucy Kellaway, Financial Times, September 16, 2012.
In her article, she suggests that each CEO be subject to an annual, simple MOT-style (UK Ministry of Transport) test that measures the CEO’s level of “hubris”:
1) How would you rate his arrogance on a score of one to five? Has it increased recently?
2) Has he changed his mind on anything in the past year?
3) Has he done anything even slightly dodgy?
The Risky Business of Strategic Planning
Strategic planning and execution in this environment can be one of the riskiest business activities to engage in, so it is imperative to approach it in a systematic manner. Beyond value creation, the strategist must also consider value preservation. So, in addition to tackling the fun part – developing strategies, setting objectives, action plans, timelines and projections – an essential part of the strategic planning process involves how we choose to allocate resources and spend our time in the most productive and effective manner. Each choice we make has associated risks; therefore, the process must also include an evaluation and quantification of those risks. To the extent possible, strategic risks must be identified, weighed, evaluated and then prioritized. As you analyze and determine the relative risk of each strategic initiative, this additional information will affect prioritization, which in turn drives such important factors as investment level commitments, resources and timing going forward.
Some Important Terms Defined for this Post
In the classical sense, risk is defined as the possibility of loss or reversal, emphasizing the downside or the negative side of risk. However, in the Chinese language, it has been said that risk has a dual meaning (or “two sides of the coin”), as expressed in these two symbols:
The first symbol (or character) is the symbol for “danger”, while the second is the symbol for “opportunity” – thereby making risk a mix of danger (the downside) and opportunity (the upside). In other words, in strategic planning terms, this definition of risk includes both the “T” (threats) and “O” (opportunities) in the S.W.O.T. analysis framework. This expanded view of risk management includes both activities designed to deal with risks: risk mitigation (or hedging) as well as thoughtful risk taking. In my opinion, both of these separate defensive and offensive activities should become an integral part of the strategic planning process and strategic risk management equation.
Also, in the context of strategic planning, I think it is also important to be mindful of Michael Porter’s definition of risk:
“Risk is a function of how poorly a strategy will perform if the ‘wrong’ scenario occurs.”
The Risk Intelligence Process
Risk Intelligence refers to an organization’s ability to weigh such risks effectively. The Risk Intelligence process involves classifying, characterizing, and calculating threats; perceiving relationships; learning quickly; storing, retrieving and acting upon relevant information; communicating effectively and adjusting to new circumstances. Taken a few steps further, it is important to consider the 4 rules of risk intelligence and a tool for conducting a risk strategy audit.
The “4 Rules of Risk Intelligence” are:
- Recognize which risks are learnable.
- Identify risks you can learn about fastest.
- Sequence risky projects into a learning pipeline.
- Keep networks of partners to manage all risks.
The Risk Strategy Audit
A risk strategy audit is a step-by-step review of how the principal risks in your organization fit together, developing a score, by project or strategy, in a fairly subjective manner. There are 3 categories that require scoring at the project level: risk intelligence as measured against the competition, risk diversification, and project size vs. all other projects. See and download the attached example spreadsheet I created (based upon David Apgar’s model) to help me conduct a Risk Strategy Audit for a Marketing and Sales function.
Sample Risks and More Definitions
See the attached Exhibit A Sample Strategic and Business Risks.
Strategic risks – are simply those that affect the strategic direction of the organization.
Business risks – are those risks that have an impact on the day-to-day running of a business in terms of operational, product and marketing risks.
According to Sayan Chatterjee, author of the book Failsafe Strategies, the three business risks that can derail a strategy are demand risk, competitive risk and capability risk, defined as follows:
- Demand risk – is the risk that the value proposition a firm is trying to sell will not be accepted by the market or, conversely, will be so well accepted that demand exceeds supply, causing a competitive risk.
- Competitive risk – is the inability to cope with unexpected demand, making the firm susceptible to competitive advances.
- Capability risk – is the risk that a firm is not able to deliver on the value proposition that customers are willing to pay for or, alternatively, that the cost of those capabilities is so high that the firm cannot make a satisfactory profit.
Key Risk Indicators (KRIs) – are the leading indicators of emerging risks and metrics that shed light on shifts in risk conditions so the management team and the board of directors can proactively assess the impact of such risks on the organization’s portfolio of risks.
Risk appetite – is the organization’s comfort level with each associated risk. The risk appetite can be expressed by the Board of Directors and senior management in the form of risk parameters, limits and thresholds of risk that their organization is comfortable in assuming. The 4 elements of risk appetite are: 1) Existing Risk Profile, 2) Risk Capacity, 3) Risk Tolerance and 4) Desired Level of Risk.
But the mother of all of these definitions is this one:
Enterprise risk management – according to COSO.org, “is a process, effected by the entity’s board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within the risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”
Translation: ERM seeks to consider the risks to the business as a “portfolio of risks” that fall within the “risk appetite” of the entity.
A subset of the Enterprise Risk Management process is the category of Strategic Risks. As part of ERM, the strategist must identify, evaluate and approach strategic risks in an intelligent and organized way. The risk intelligence process described above can help the strategist do so.
Developing Key Risk Indicators (KRIs)
Similar to the concept of Key Performance Indicators (KPIs), a common practice in most businesses, COSO.org has developed a process for the development of Key Risk Indicators (KRIs) which helps management to focus on risks that otherwise might threaten the business, present new opportunities for risk taking or, potentially hinder the execution of the strategic plan. The KRI Development Process can be summarized by the following simple workflow diagram:
Objectives – are the Strategic Objectives (such as Increase Revenues and Reduce Costs).
Strategies – are a set of Strategic Initiatives developed to meet the Strategic Objectives.
Potential risks – are the risks, potential risks and events associated with each strategy that might affect the achievement of the Strategic Objectives.
Key Risk Indicators (KRIs) – are the leading indicators and metrics that are mapped to potential risks and key strategies. Stress points and trigger points that lead to the root causes and intermediate risks need to be identified. Thresholds and limits need to be established to guide actions in conjunction with KRIs (e.g., if the response rates on a direct mail campaign fall below .x%, then we will stop funding these campaigns). Such limits are based upon an organization’s “risk appetite”, as defined above, and as articulated in the COSO.org whitepaper entitled: Strengthening Enterprise Risk Management for Strategic Advantage, COSO 2009.
Strategic Response – is the Directors’ and Officers’ response and reaction to the KRI that is unfolding. These responses can include remedial actions to reduce or eliminate the impact of the emerging risk, such as: revising or eliminating strategies, risk mitigation activities, explicit countermeasures, raising and/or lowering expectations based upon a new level of awareness, establishing legal defenses, increasing lobbying intensity, etc.
During this process it is important to note that KRIs must cover the linkages between a root cause event, an intermediate event all the way through to a complete risk event.
According to COSO.org, well-designed KRIs possess all of the following characteristics:
- They are based upon established practices or benchmarks.
- They are developed consistently across the organization.
- They provide an unambiguous and intuitive view of the highlighted risk.
- They allow for measurable comparisons – across time and business units.
- They provide opportunities to assess the performance of risk owners on a timely basis.
- They consume resources efficiently.
Download the Global Risks Report – World Economic Forum
This excerpt from the SwissRe.com web site states:
“This year’s GRR, “World more at risk from markets and Mother Nature,” highlights the need for a more joined-up approach in addressing the myriad issues we face.
The authors of the Global Risks Report (GRR) 2013 say that the ongoing economic crisis and attendant social tensions threaten to water down efforts to confront climate change. And they ask whether there are ways to build resilience in both the economic and environmental spheres simultaneously.
Swiss Re CRO David Cole says, “Coping with the economic and climate change crises is unfortunately no longer seen as a continuum, but as opposing choices. The idea has gained ground that we can’t have solutions to both. But we need to go beyond this thinking-in-boxes approach.”
According to Cole, addressing the economic and climate change challenges requires a holistic approach, the core of smart risk management. But admittedly, these issues are complex and there is no simple solution.
Taking resilience to the national level
GRR 2013: “World more at risk from markets and Mother Nature” suggests that one effective method of building resilience would be to take a far more systematic approach to analyzing and monitoring a country’s preparedness to cope with major risk.
“Countries and local governments are the insurers of last resort,” says Cole. “Society is in fact picking up a relatively significant cost as a result of not being as proactive as we might.”
But resilience cannot be built in a vacuum. According to Cole, it is our interconnectedness that requires us to work together to find concrete ways to manage societal risk. “We need to look for partnerships. We need to make global agreements. We need to think not only about mitigation, we also need to think about adaptation.”
Medicine, media and moderation
The GRR highlights two additional risk cases for 2013: overuse of antibiotics and “digital wildfires.”
Currently, new antibiotics replace older ones as they become ineffective. But what if human inventiveness falls behind bacterial mutation? The dilemma, the experts say in “Health and hubris,” is to encourage the development of new antibiotics while at the same time ensuring that these will not be overused.
In “Digital wildfires in a hyperconnected world,” the GRR also describes the mayhem that could result when misleading information is intentionally or inadvertently distributed via the internet. The impact, according to the report, can be likened to shouting “fire” in a crowded theatre. Can social media participants cultivate the kind of “don’t believe everything you hear” attitude necessary to mitigate this risk?
Building resilience for future generations
Events like Hurricane Sandy in the US, the Tohoku earthquake in Japan and the flooding in Bangkok have shown us the ripple effect of risk. They have also highlighted the importance of systematically assessing and planning for events before they happen. Cole believes understanding the situation, without becoming overwhelmed is key.
“What concerns me the most about risk is that ten years from now we’ll look back and say, ‘We knew, and we didn’t do enough. Or we didn’t do what we could have done.’”
The Ernst & Young Business Risks Report of 2010
After several years of issuing a report on business risks alone, E&Y has seemingly adopted “the Chinese definition of risk”, surveying top risks and opportunities. I thought it would be interesting to share the E&Y survey results (from more than 700 leading organizations in 15 countries) on the top risks and opportunities that have been identified.
The Top 10 Risks
- Regulation and Compliance
- Cost Cutting
- Managing Talent
- Pricing Pressure
- Emerging Technologies
- Market Risks
- Expansion of Government’s Role
- Slow recovery/Double Dip Recession
- Social Acceptance risk/CSR
- Access to Credit
The Top 10 Opportunities
- Improving Execution of Strategy Across Business Functions
- Investing in process, tools and training to achieve greater productivity
- Investing in IT
- Innovating in products, services and operations
- Emerging Market Demand Growth
- Investing in Clean Tech
- Excellence in Investor relations
- New Marketing channels
- Mergers and Acquisitions
- Public-private partnerships
Transparency and oversight of risk exposures have become the “new normal”, and strategic planning is no exception. Therefore, it is imperative to view risk as yet another dimension of the strategic planning process. So, my suggestion to the strategist would be to follow these 9 steps towards strategic risk management:
- Be proactive and get ahead of the curve. Become a student of strategic risk management by tapping into the resources listed at the end of this post.
- Take a broader-than-traditional view of risk management that considers both threats and opportunities.
- If you haven’t done so already, conduct an updated S.W.O.T. analysis to help guide your strategic risk management efforts.
- Establish a dialogue and collaborate with anyone internally that has a role in ERM, compliance, regulatory and related activities.
- Determine the Company’s “Risk Appetite” as articulated by the Board of Directors and Senior Management in the form of practical guidelines for you to use.
- Establish a baseline by conducting a risk strategy audit.
- Review the list of “Sample Strategic and Business Risks” and the E&Y Top Risks and Opportunities and select the ones that apply to your organization.
- For each strategic initiative, develop the potential risks and follow the process for developing KRIs described above.
- Track and report KRIs as new risk information becomes available or, at a minimum, monthly, making adjustments and recommendations along the way.
“Strategy formulation involves the constant search for ways in which the firm’s unique resources can be redeployed in changing circumstances.”
As a final note, there is much work left to be done in the area of ERM. According to the ERM initiative at NC State University, the current state of enterprise-wide risk management, across a wide spectrum of organizations, is in an immature stage of development. Therefore, I encourage you (and your colleagues) to utilize some of the recommended resources I have listed below to help guide you.
What are your thoughts on strategic risk management? I recognize that this is just a cursory review of a very broad topic. Do you agree or disagree with my recommendations? Do you have anything else to add or comment on related to strategic risk management? Please comment below or, if you prefer, you can email me through LinkedIn, or my web site at: http://www.strategicmarketingplus.com
Bill Tyson, CEO of Strategic Marketing Plus, LLC is an independent strategic marketing consultant and the author of the popular blog Strategy-In-Action. He is a graduate of the Temple University Fox School of Business Insurance and Risk program. To subscribe visit: http://www.billtyson.wordpress.com
The Key to Compliance – The Trenches
News article on FINRA guidelines for social media
Naomi Klein gave an interesting talk 12 months ago on TED called “Addicted to Risk”. It was posted in January 2011. http://www.ted.com/talks/naomi_klein_addicted_to_risk.html
Risk Intelligence: Learning to manage what we don’t know, David Apgar, Harvard Business School Press, 2006, Boston, MA
Strategic Risk Taking – A Framework for Risk Management by Aswath Damodaran, Wharton School of Publishing, Upper Saddle River, NJ. 2008.
Failsafe Strategies – Profit and Grow From Risks That Others Avoid by Sayan Chatterjee, Wharton School of Publishing, Upper Saddle River, NJ. 2005.
Strategic Finance, May 2007, “Strategic Risk Management: Creating and Protecting Value” by Mark Beasley and Mark Frigo. Available at http://www.coso.org.
2009 COSO Thought Leadership paper entitled: “Strengthening Enterprise Risk Management for Strategic Advantage”, by COSO.org.
How to Rank Risks, By Bernard L. Cohen, Wednesday, February 27, 2002
December 2010 COSO Report: “Developing Key Risk Indicators to Strengthen Enterprise Risk Management”, COSO.org by Mark S. Beasley, Bruce C. Branson and Bonnie V. Hancock.
Ernst and Young Report: Business Risks Report of 2010. Also see http://www.ey.com.
Ernst & Young Dodd-Frank Whitepaper called Positioning for Change.
Report on the Current State of Enterprise Risk Oversight (2009) at http://www.erm.ncsu.edu
Marsh April 2011 Report: Dodd-Frank’s Whistleblower and Clawback Provisions: Potential Effects on D&O Exposures.
Bailey Cavalieri, LLC Attorneys-at-law: Future D&O Exposures: Storm Clouds Ahead?
Forbes Magazine, Richard Levick’s The Communicator blog post entitled: “Today’s Guidance on the UK Anti-Bribery Act Launches New Enforcement Era”, March 30, 2011.
Ibid.
See 2009 Thought Leadership paper entitled: “Strengthening Enterprise Risk Management for Strategic Advantage”, by COSO.org. Page 4.
See December 2010 COSO.org report: “Developing Key Risk Indicators to Strengthen Enterprise Risk Management” by Mark S. Beasley, Bruce C. Branson and Bonnie V. Hancock.
See May 2007 whitepaper: “Strategic Risk Management: Creating and Protecting Value”, by Mark S. Beasley, CPA and Mark L. Frigo, CMA, CPA, Strategic Finance.
Strategic Risk Taking: A Framework for Risk Management, Aswath Damodaran, Wharton School Publishing, Philadelphia, PA. 2008. Page 6.
Ibid.
Competitive Strategy, by Michael Porter.
Risk Intelligence: Learning to manage what we don’t know, David Apgar, Harvard Business School Press, 2006, Boston, MA.
Risk Intelligence: Learning to manage what we don’t know, by David Apgar, Harvard Business School Press, 2006, Boston, MA. Chapter 6: Raising Your Risk Intelligence Systematically, Pages 184 to 198.
Risk Intelligence: Learning to manage what we don’t know, by David Apgar, Harvard Business School Press, 2006, Boston, MA. Chapter 6: Raising Your Risk Intelligence Systematically, see Figure 4-4.
“Developing Key Risk Indicators to Strengthen Enterprise Risk Management”, COSO.org, by Mark S. Beasley, Bruce C. Branson and Bonnie V. Hancock, December 2010.
See 2009 Thought Leadership paper entitled: “Strengthening Enterprise Risk Management for Strategic Advantage”, by COSO.org. Page 9.
Strategic Finance, May 2007, “Strategic Risk Management: Creating and Protecting Value” by Mark Beasley and Mark Frigo. Pages 25 – 53.
COSO.org is the Committee of Sponsoring Organizations of the Treadway Commission – a private sector initiative to support the development of enterprise risk management best practices, internal controls and fraud deterrence. For more information see http://www.coso.org.
“Developing Key Risk Indicators to Strengthen Enterprise Risk Management”, COSO.org, by Mark S. Beasley, Bruce C. Branson and Bonnie V. Hancock, December 2010. Page 6, Well designed KRIs.
Ernst and Young Report: Business Risks Report of 2010. Also see http://www.ey.com.
Ernst and Young Report: Business Risks Report of 2010. Also see http://www.ey.com.
- NYSE Webcast on Enterprise Risk Management in the New ‘ab’Normal (blogs.gartner.com)
- Downsizing Enterprise Risk Management (the-decisionfactor.com)
- Marketing Feature: Actuaries Taking Growing Role in Enterprise Risk Management (business.financialpost.com)
- COSO ERM or ISO 31000? Which is better? (normanmarks.wordpress.com)
- What executives should know, but often don’t, about risk management (normanmarks.wordpress.com)
- Does the future hold a bigger and better role for risk management? (normanmarks.wordpress.com)