Last week I wrote about strategy execution and how companies can fail at this final stage. Now I will write about a topic that, from my perspective, should be present not only during execution but from early stages such as planning: risk management and, in particular, strategic risk management. To better explain what strategic risk management is, I will use information from three different articles that address this topic from different perspectives.
The first article is about the different types of risks and the right management approach for each of them. Basically, there are three categories of risks:
Category I: Preventable risks
These risks originate within the organization itself and should be eliminated. Examples are unethical employee behavior or failures in processes. While not all risks of this type can be avoided completely (or doing so is highly costly), it is advisable to eliminate as many as possible since they do not provide strategic benefits. For those risks that cannot be eliminated, companies should have tolerance for the faults they cause. The best way to manage this type of risk is prevention. Possible measures include monitoring processes and defining norms and rules to guide people's actions.
Category II: Strategy risks
These are the risks that a company accepts as part of its strategy because they are expected to generate a benefit. An example is the risk that a bank accepts when it lends money to its clients: the clients may not be able to pay the money back. Companies take significant risks when they execute aggressive strategies in order to get high returns, so it is vital for the success of their strategy that they manage strategy risks properly. Unlike with preventable risks, the objective of strategy risk management is not to eliminate the root of the risk but to reduce the probability that the risk materializes or to improve the ability of the organization to respond when it does.
Category III: External risks
As the name suggests, these are risks that come from the external environment of the company, and therefore companies have no way to control them. Examples are natural disasters and political or economic events. Unlike with Category I risks, prevention is not possible in this case. The management approach consists of identifying these risks and mitigating their effects.
The second article is about research conducted by Ernst & Young to determine the economic effects of having a mature risk management process. The research shows that mature companies, those that have focused on strategic risks (Category II), outperform their peers financially. But how can a company focus on strategic risks? It needs to "align its risk profile and exposures more closely with its strategy...by identifying strategic risks and embedding risk management principles into business unit planning cycles, enabled the company to identify and document 80% of the risks that have an impact on performance".
Some of the results of the research are:
-Top-performing companies (from a risk maturity perspective) implemented on average twice as many of the key risk capabilities as those in the lowest-performing group.
-Companies in the top 20% of risk maturity generated three times the level of EBITDA as those in the bottom 20%.
-Financial performance is highly connected to the level of integration and coordination across risk, control, and compliance functions.
-Effectively harnessing technology to support risk management is the greatest weakness or opportunity for most organizations.
The research identified not only the benefits of mature risk management but also some of the things that leading companies are doing better than the rest. It classified these traits into the following categories: setting risk strategy, embedding risk management, optimizing risk functions, and improving controls and processes.
The last article (published by PwC) also supports the idea that the management of strategic risk factors has a greater impact on meeting your strategic objectives. It suggests that conventional enterprise risk management (ERM) is useful to identify and mitigate financial and operational risks, but what can really give a company a strategic advantage over its competitors is "bringing ERM into the forefront of strategic decision making and execution".
Research shows that "effective strategic risk management is built around a clear understanding of how much risk your business is prepared to take to deliver its objectives and a timely and reliable evaluation of how much risk it is actually taking".
The research examines how risk management frameworks are evolving from the conventional approach toward greater integration with strategic management, and what concerns companies have while they are executing this process.
The main concerns are:
-Executives are worried that the risk frameworks and processes that are currently in place in their organizations are no longer giving them the level of protection they need.
-Boards are seeing rapid increases both in the speed with which risk events take place and the contagion with which they spread across different categories of risk.
-Boards feel they are spending too much time and money on running their current risk management processes, rather than moving quickly and flexibly to identify and tackle new risks.
The article mentions 4 key findings to overcome the concerns:
-The boards should fully understand the risks that they are running or how the knock-on impacts can spread across risk categories.
-Checks and balances at the board level are critical.
-In the Internet age, speed and prejudice are all.
-Leadership and culture of the company.
I think this article is very complete because it also presents some questions that help companies to evaluate how effectively risk considerations are integrated into their strategic objectives and their execution.
Personally, I am excited about strategic risk management because I believe this is an opportunity for improvement in many companies (no matter the industry, size or country) and strategic risk management is a trend that will be a standard in the next few years.
Do you agree that Strategic Risk Management can really provide you a strategic advantage over your competitors, or will it provide only a temporary benefit?