Transforming risk leadership and management in ways that are better attuned to the business realities of the 21st century means adapting to a more dynamic environment where risk is integrated with opportunity and innovation. Therefore, in today’s business climate, forging a stronger relationship between risk and strategy should be an imperative. Enter the Council of Sponsoring Organisations of the Treadway Commission (better known as COSO) and its ERM framework update, released for public comment in the summer of 2016.
In many organisations, risk is an important, but largely supportive, function focused on well-defined risks, such as financial, operational, and cyber risk, yet rarely integrated with the core business. This can result in a risk mitigation culture that’s seen as separate from the core business needs for growth and innovation.
But risk management done right is tightly embedded in management’s core business processes, where identifying and managing strategic risks are an integral part of strategy setting and execution. This level of integration can help your organisation more effectively achieve intended business objectives and get better value from its ERM program.
There are advantages to enhancing ERM with a strategic risk approach. The organisation can benefit from a view of the whole environment in which a company operates, which includes new and emerging disruptions and the inherent risks that accompany them. For example, actions that affect an organisation’s ability to go to market and operate successfully can be addressed more systematically and with greater agility.
With COSO’s 2004 ERM publication, risk management took a vital step forward. The framework became the basis for standard thinking about risk. But its implementation in many organisations focused on isolating, mitigating, and managing known risks.
Over the past dozen years, as the operating environment for business has grown more complex, technologically driven, and global, the board—as well as business and risk leaders—requires a much greater ability to identify, assess, and prepare for:
Now, thanks to diligent work by many in the risk field, an updated framework, Enterprise Risk Management—Aligning Risk with Strategy and Performance, was unveiled for public comment prior to its finalisation and publication slated for this summer.
The proposed COSO ERM framework elevates the role of risk in leadership’s conversation about the future of the company. It also emphasises the connections between risk, strategy, and value. The update provides a new lens for evaluating how risk informs strategic decisions, which ultimately affects an organisation’s performance.
In addition, the role of risk is more clearly emphasised when setting and executing strategy. By aligning risk and performance, organisations will be better positioned to embrace opportunity and steer toward the future with greater confidence.
Fostering risk-informed decision making at all levels of the organisation, especially as it relates to strategy, is an important first step. A few key action items include:
By approaching risk differently and viewing it as a facilitator for better outcomes, leaders can adopt an integrated risk management approach that:
Understanding this updated framework will be a good starting point for anyone seeking to acquire a more strategic view of risk. All business leaders, and not just risk leaders, can benefit from this integrated perspective.
Risk as a value driver
When the focus of risk management is more operational than strategic, and risks tend to be addressed only after they occur, organisations miss out on the opportunity to use risk to power performance. That power comes from “strategic resiliency”: the ability to anticipate, know, and act on risks when introducing or executing new strategies in order to increase the chances of success—in spite of uncertainty.
Strategic resiliency is rooted in a risk framework designed to strike the right balance between value creation and value protection. The framework includes scenario planning to prepare for potential industry, market, and company changes or disruptions. It applies risk valuation modeling to each scenario to yield a range of potential outcomes, assess the likelihood of each, and compare outcomes so the company can better choose the alternative that provides the optimal risk/reward profile. And it considers the company’s risk tolerance when deciding which strategic objectives to pursue and how to pursue them.