In this two-part blog, we’ll look at some tips for making the most of your enterprise risk management.
Risk is, well, risky—but your organization can’t grow without it. The key is that risk needs to enable organizational strategies and culture. Unfortunately, strategy development and enterprise risk management (ERM) often compete for relevance within organizations. Strategy is usually a risk-seeking activity, while ERM seeks to identify and mitigate the very risks a strategy creates. Some common issues in integrating strategy and risk management include duplicating efforts across risk management and strategy development processes; competing objectives between the risk management plan and program strategy; or lacking resources to maintain a risk management program.
In deciding and executing strategy, organizations inherently accept risks. Therefore, it makes sense for ERM strategy to be developed alongside and inside the strategic planning cycle. Few companies, however, do so. A 2016 report from the North Carolina State ERM Institute concluded that only 25% of organizations integrate ERM into strategic planning. With key decision makers and stakeholders already engaged in identifying the vision for the organization, there is an opportunity to identify factors that could hamper strategy execution.
After identifying external risks, many organizations perform an internal analysis to identify competitive or strategic advantages. The internal analysis is completed using one or more of the following frameworks: strengths, weaknesses, opportunities, and threats (SWOT), Porter’s five forces, or 3 Cs. This output is critical during the risk assessment and identification phase. For example, weaknesses and threats identified in a SWOT analysis can be used as indirect and direct starting points in risk identification. “Opportunities” are uncertainties with a potentially positive outcome (or positive risks).
At this point, organizations should ask a number of questions. What events would change the positive outcomes of uncertainties to negative? How would opportunities become risks? What happens if we don’t take advantage of these opportunities? The answers to these questions are risks to long-term strategy. After assessing the impact of these risks, stakeholders should begin contemplating mitigation strategies, so they can be fully integrated into the overall strategy. This prevents an organization from pursuing competing objectives or duplicating efforts in risk assessment, and promotes a risk-conscious organization. This also allows leadership to develop and communicate the strategy, in terms of risk, to the organization.