Transforming risk leadership and management in ways that are better attuned to the business realities of the 21st century means adapting to a more dynamic environment where risk is integrated with opportunity and innovation. Therefore, in today’s business climate, forging a stronger relationship between risk and strategy should be an imperative. Enter the Council of Sponsoring Organizations of the Treadway Commission (better known as COSO) and its ERM framework update, released for public comment in the summer of 2016.
In many organizations, risk is an important, but largely supportive, function focused on well-defined risks, such as financial, operational, and cyber risk, yet rarely integrated with the core business. This can result in a risk mitigation culture that’s seen as separate from the core business needs for growth and innovation.
But risk management done right is tightly embedded in management’s core business processes, where identifying and managing strategic risks are an integral part of strategy setting and execution. This level of integration can help your organization more effectively achieve intended business objectives and get better value from its ERM program.
There are advantages to enhancing ERM with a strategic risk approach. And the organization can benefit from a view of the whole environment in which a company operates—which includes new and emerging disruptions and the inherent risks that accompany them. For example, actions that affect an organization’s ability to go to market and operate successfully can be addressed more systematically and with greater agility.
With COSO’s 2004 ERM publication, risk management took a vital step forward. The framework became the basis for standard thinking about risk. But its implementation in many organizations focused on isolating, mitigating, and managing known risks.
Over the past dozen years, as the operating environment for business has grown more complex, technologically driven, and global, the board—as well as business and risk leaders—requires a much greater ability to identify, assess, and prepare for:
Now, thanks to diligent work by many in the risk field, an updated framework, Enterprise Risk Management—Aligning Risk with Strategy and Performance, was unveiled for public comment prior to its finalization and publication slated for this summer.
The proposed COSO ERM framework elevates the role of risk in leadership’s conversation about the future of the company. It also emphasizes the connections between risk, strategy, and value. The update provides a new lens for evaluating how risk informs strategic decisions, which ultimately affects an organization’s performance.
In addition, the role of risk is more clearly emphasized when setting and executing strategy. By aligning risk and performance, organizations will be better positioned to embrace opportunity and steer toward the future with greater confidence.
By approaching risk differently and viewing it as a facilitator for better outcomes, leaders can adopt an integrated risk management approach that:
Understanding this updated framework will be a good starting point for anyone seeking to acquire a more strategic view of risk. All business leaders, and not just risk leaders, can benefit from this integrated perspective.
Risk as a value driver
When the focus of risk management is more operational than strategic, and risks tend to be addressed only after they occur, organizations miss out on the opportunity to use risk to power performance. That power comes from “strategic resiliency:" the ability to anticipate, know, and act on risks when introducing or executing new strategies in order to increase the chances of success—in spite of uncertainty.Strategic resiliency is rooted in a risk framework designed to strike the right balance between value creation and value protection. The framework includes scenario planning to prepare for potential industry, market, and company changes or disruptions. It applies risk valuation modeling to each scenario to yield a range of potential outcomes, assess the likelihood of each, and compare outcomes so the company can better choose the alternative that provides the optimal risk/reward profile. And it considers the company’s risk tolerance when deciding which strategic objectives to pursue and how to pursue them.