Strategic-risk Management
I would say it was about three years ago when buzz about strategic risk and strategic risk management started (again - I say again because some companies had worked on this earlier; the LEGO Group for example started an initiative for strategic risk management in late 2006 led by Hans Læssøe, senior director of strategic risk management at LEGO System A/S). But like many things ERM, there wasn’t total agreement on what that REALLY meant. I personally like Deloitte’s definition of strategic risks: “those that affect or are created by business strategy decisions”.
What I think is essential to the definition of strategic risk is that it has to do with the decisions made relative strategy. The firm has a set of objectives, and a strategy must be set in order to achieve those objectives. When setting the strategy, the firm must identify the (strategic) risks in terms of their ability to achieve their objectives. Based on a risk assessment, the firm must set a strategy which will best minimize and exploit the risks identified. Of course, when the strategy is set a new set of strategic risks arise associated with the set strategy. And so the risk management cycle continues.
The fundamental question to ask ourselves is - what is the risk associated with our current strategy (or having the WRONG strategy) and how can we mitigate that risk? Well, the risk mitigation becomes setting a new strategy! This “aha” moment was brought to me, and now you, by Anna Bonander from AB Volvo. Below is a bit more clarity.
Below on the left is the risk management process as suggested by Culp (2001). Regardless of what kind of risk management a corporation has, simple to robust ERM, or even just the risk management you do before you cross the street, this is the process. On the right is the strategic development process as suggested by Robbins and Coulter (2018).
Now what happens if we combine the two and treat the strategic development process like a risk management process? The process begins with the current mission, goals and strategies of the firm. From that starting point, an external and internal risk analysis is done where we identify risks to our mission, goals and strategies and determine respective tolerances. We measure those risks we identify and then compare our measures with our tolerances (monitor and report risks). Now, if we find that there are some risks we don’t feel are within our tolerance, we take action to control those risks. This is where the cool part takes place. How do we control the risks we have identified to our mission, goals, and strategies? Well, we formulate new mission, goals, and/or strategies and implement those new strategies. So the risk control in the strategic development process is the formulation and implementation of new strategies - this is what I would refer to as strategic-risk management.
I like to make a distinction between strategic-risk management and strategic risk-management. Strategic-risk management is the management of strategic risks where the risk control is formulation and implementation of new strategies. Strategic risk-management is the strategic management of risk where the ultimate goal is finding the “sweet spot” for risk taking. More on this in the next post!