Strategic Risk Management
Companies have been managing risks to seize opportunities since the age of mercantilism. However, a company-wide framework for managing risks was developed only a few years ago. The first integrated framework for enterprise risk management was published by COSO in 2004. Strategic risks, which concern a company's ability to achieve its business objectives within the stakeholders' risk appetite, are still an immature area. In this post, I will give an overview of strategic risk management.

Risk management and governance can be improved by developing strategic risk management processes. These processes encompass the identification, assessment and management of the top risks in the business strategies. For a given risk tolerance, strategic risk management can assess internal and external events that potentially affect the company's strategy for achieving its business objectives. This field is a concern of boards, directors and top management. A GRC approach should integrate it in order to align all the different business activities to common objectives. Additionally, an ERM approach should include prioritization processes to identify key risks (which are the input for strategic risks).

This area has not been properly developed in an integrated manner, or even adequately resourced, by companies. Even so, it deserves attention from upper management and other stakeholders (e.g. risk rating agencies). There are increasing cases of catastrophic losses because strategies were not aligned to risk appetites (e.g. managing debts and investments in the 2008 crisis, dealing with cost volatility, poor data loss prevention measures, subordinated debt or lack of geographical diversification). In this world of "continuous surprises", stakeholders' value is neither protected nor created. Personally, I get the feeling that, in some cases, a specific control issue may get more attention and resources than identifying an emerging risk to the execution of a strategy.

There have been some recent developments to integrate strategies into a holistic approach. Strategic Risk Management can be linked to ISO 31000:2009, since top management is responsible for integrating this standard into the decision-making processes (which involve the strategies). Also developed during the last decade, the Return Driven Strategy framework integrates the strategic goals with the risk management goals. Unfortunately, these approaches are not usually put into practice by most companies.