Risk is inherent in every activity we undertake in life. In a business context, addressing the question ‘what can go wrong?’ is a constant preoccupation for practitioners and managers in both private and public settings, and the foundation of risk management practice. Clearly, organisations cannot answer this question with any certainty given that they do not have the ability to predict the future. But they can develop the insight to build the capability required to address the different eventualities that the future might bring.
Through effective risk management, and by having an understanding of risk appetite, businesses can determine how much risk they are willing to accept in relation to any choices or events they undertake. For those most uncertain eventualities for which we cannot anticipate the required capabilities, having a war chest of well-managed resources that can be deployed to acquire the necessary capabilities to manage unforeseeable risks will provide an advantage. Such was the case, of course, with the Covid-19 pandemic in 2020/2021: although futurists and scientists had predicted that such a pandemic would occur, no one could have predicted its impact.
Having a war chest of well-managed resources to manage unforeseeable risks will provide an advantage
Developing and implementing a strategy without assessing the associated risks is one of the biggest factors leading to the destruction of value. Strategic risk management (SRM) should therefore be a key element of strategy formulation and execution.
SRM is best described as the process of developing insight to understand what could go wrong that would affect the achievement of a given strategy, and adopting appropriate mitigating actions.
Six keys to SRM
Ensuring effective oversight of your strategic risk management is essential.
Monitor the periphery. Assess information on activities or events that are not directly linked to the main business activities of the organisation.
Identify ambiguous threats. Potential risk events that the organisation might not clearly understand should be identified and analysed.
Actively identify risk exposure concentrations. Otherwise, by the time any concentrations of damagingly large potential losses are discovered, it may be too late to address the associated risk effectively.
Mitigate risk. Identify the options open to the organisation for addressing risk so that it does not impact the business significantly.
Track risk. Assign responsibilities to organisational structures and staff to monitor, reassess and analyse all identified risks regularly.
Manage the integrity of the business model. It may be necessary to change the business model to avoid certain risks or to leave the organisation better positioned to withstand the threat posed by the risks.
Strategic risk commonly falls into five categories: regulatory and compliance risk, competition risk, economic risk, political risk and technological risk. These categories mostly cover external factors, but strategic risk can also arise from internal factors and, therefore, partnership and/or collaboration risks should be added to the list. This is because strategy implementation activities are often performed in partnership or with the support of other stakeholders.
Over the past two decades, we have seen a number of businesses in big trouble as a result of exposure to strategic risks. Enron, Volkswagen, Lehman Brothers, BP, Uber, Apple, Facebook, Valeant Pharmaceuticals, Kobe Steel, Equifax and, most recently, Steinhoff International are just some of the large entities that found themselves embroiled in scandals through failures of strategic risk management.
Enron, VW and Lehman Brothers became embroiled in scandals through failures of strategic risk management
For most of these entities, the exposure was primarily related to regulatory and compliance risks, such as failures of corporate governance and business continuity planning. However, strategic risk exposure is not limited to corporate scandals. Largely unforeseen events such as the 2008 financial crisis and the Covid-19 pandemic caused enormous turmoil, resulting in significant losses, legal fees and/or penalties, and even closure or collapse.
For an entity’s stakeholders, the collapse of a business, or the need to settle penalties and the associated legal fees, may rob them of the benefits or returns they might otherwise have received, such as ongoing business with other partners in the value chain, profits, dividends or, in the case of employees, income.
Oversight and accountability
With so much at stake, businesses are well advised to re-examine their strategic risk management policies and processes and enhance oversight (see boxout). To ensure that there is sufficient accountability for managing risk, risk control should be the overall responsibility of the chief executive, supported by the other executive directors, with oversight from the board of directors.
Establish strategic risk management committees at board and management levels
Alongside these arrangements, organisations should establish strategic risk management committees at board and management levels, tasked with reviewing and monitoring the processes of strategy formulation, implementation and associated strategic risk management.
In an uncertain world, no solution is bulletproof, but if you’ve taken steps to enhance your strategic risk management your business will be as ready as it can be to respond if the unexpected happens.
Watch on-demand the session 'Risk culture and future performance: how accountancy professionals make a difference' from ACCA's Accounting for the Future conference