The global economic crisis, which began with the U.S. housing market’s nose-dive in late 2007, continues to burn brightly across nations far and wide. This financial meltdown has served as a jack-hammered catalyst for corporations today to re-evaluate their risk management practices – assuming, of course, they had any in the first place. Most didn’t. Apart from very large, globally diverse corporate behemoths, formal risk management practices didn’t really exist outside of the top-level business strategy sessions conducted between CEOs, CFOs, and other members of the executive team.
Until recently, boards of directors were simply there to listen and learn what the strategy and execution plan was. Not much more was asked. Part of the problem was that back in the day – let’s call it pre-crisis – having some celebrity status for board membership was de rigueur. That’s all gone, of course, in the name of being more legally accountable in their roles, where board members are actually looking after the business in ways unlike before. (There’s a famous story about a Goldman Sachs-delivered board presentation where Gerald Ford stopped the presenters and asked, “What’s the difference between revenue and equity?” …He was our U.S. president at one time. Ouch.) Yes, now boards are more actively involved in the business, taking an interest in not only the business strategy, but also what the risk assessments are for it and how they’re going to be mitigated, including the next-step plans to address them in the unlikely event they come to fruition. For all of these reasons, risk management practices are becoming more pervasive and universally adopted by organizations, both large and small. These companies are expected to meet the demands of an uncertain and ever-changing marketplace, not to mention ever more interested (read activist) shareholders, regulators, compliance hawks, and don’t forget those employees. Yes, regulatory measures like Sarbanes-Oxley, Basel II, Dodd-Frank and other forthcoming reporting requirements have pushed companies to throw much greater rigor around how they’ve planned and executed their responses to risk events. Companies now are adopting risk management strategies to assess, manage, and mitigate strategic, operational, and functional risks in all shapes and sizes. A formalized risk management framework is no longer optional or a nice-to-have.
Still, many companies are way behind the curve. According to risk management trade organization RIMS, only 17% of organizations have implemented company-wide risk management to look at risk categories like operational, legal, financial, compliance, IT, strategic, market, and health and safety risk in total – not in siloed isolation lacking an “enterprise view”. To a large degree, internal audit has been commonly given ownership of cross-organization collaboration.
If you’re in the camp that hasn’t implemented a risk management strategy or is only doing it in some, but not all, areas of the business, consider placing more (or some) focus around strategic risk management. The reason is that, according to the research firm Corporate Executive Board, 70% of the risks that cause the most harm to corporations are strategic risks.
What is strategic risk, you ask? Well, it’s any risk, whether it exists today or may crop up in the unforeseeable future, that could force the company to change, modify, or overhaul its business strategy and so change the way it does business. RIMS defines it as “a business discipline that drives deliberation and action regarding uncertainties and untapped opportunities that affect an organization’s strategy and strategy execution.” Still too ambiguous? Well, think of it as defining what risks could be applied to your company’s product lines, M&A actions, economic conditions, overall business model, or baseline assumptions that come into play when defining the business strategy. This is one reason bringing the risk team into the business strategy sessions is essential. The Risk Management team (or their leader) needs to have a seat at that table. More often than not the CFO, given his or her management of financial and operational risk, owns strategic risk. Gone are the days when the CFO is simply in charge of reporting prior year numbers – long gone. In this case, CFOs are the overseers of risk while delegating the task of ‘selling’ the concept to departments outside of finance.
It was reported in a 2011 Accenture survey that 39% of the organizations surveyed said that risk managers have a seat at the company objectives-setting table; in 2009, it was only 27%. It’s getting there but needs to be at 100%. Rome wasn’t created in a day, but headway is being made.
In summary, if you’re new in adopting a formal risk management strategy, given that 70% of the risks that cause the most harm to corporations are strategic risks, take a look at starting with strategic risk management. Then, attempt to apply financial metrics to these risk events and how they align with your business plan. You want to be asking questions that look at your strategic assumptions, specifically what if they’re wrong. An example is, what if your expected EPS growth is X% over the next 5 years… Ask yourself, what’s stopping the company from getting there? Also, try setting up a risk committee to review the risk events in question and explore the outcomes and the company’s response(s) to these events. Don’t take this on yourself. Tackle strategic risk first.