The intricate link between strategic planning and Enterprise Risk Management.
Many businesses review their strategic plans for the upcoming period during the month of January. The principal focus is usually to ensure that goals are linked appropriately to broader strategic objectives; that each has an ‘owner’; assumptions are still valid; and goals are specified in a S.M.A.R.T. (specific, measurable, achievable, relevant/realistic, and time bound) manner.
The above is a good exercise; however, a crucial component of this process is often skipped or given scant regard: risk management.
Risk Management (and, for the purpose of this article, Enterprise Risk Management or ERM) considers the potential events that could have an adverse impact on the successful execution of the organization’s objectives. Where possible, these events are examined qualitatively and quantitatively so that they can be identified, assessed, managed, and monitored.
Proper risk management is one of the fundamentals of running a successful business; it is as vital as understanding your market, managing your finances, and keeping up with technological advancements. Whether you are doing it formally or informally, properly managing risks is simply non-negotiable for business success.
Therefore, once the core elements of a strategic plan have been developed, the next step should be a process to identify potential adverse events that could cause the realization of those goals to fail (risks), the probability of them materializing, and the impact to the organization if they do.
This process should include input from managers at all levels with crucial participation from the C-suite and the Board of Directors. Once the information is collated, it is important to challenge the ensuing cache of data to arrive at a more accurate view of the risk landscape.
Risks are wide ranging and can include things like changes to Government policies (who anticipated the range of revenue measures announced in the last budget and their impact on businesses this year?); losing a key employee; adoption of new technology (such as artificial intelligence, which is making the service offerings of some businesses redundant); cyber-attacks; and even the inability to attract skilled employees in an increasingly competitive labour market.
Risks are pervasive; understanding their triggers, consequences, and mitigation factors can be the difference between whether a business survives or folds.
Once risks are identified, they are usually assigned values as part of the risk assessment process. These values are derived by assigning numbers (usually 1-5) to four key categories. The first is the likelihood of the risk occurring. The values here normally range from 1 (low/rare), to 5 (high/frequent).
Next, one should consider the impact of the risk if it materializes. The potential impact may be 1 (minor/incidental) to 5 (catastrophic/extreme).
Many individuals stop here and simply multiply the likelihood score by the impact score to get an overall risk score; however, modern approaches also include two other elements: vulnerability (how prepared the business is to withstand the impact of the risk materializing) and speed of onset (how quickly the business would be impacted if the risk materializes).
Depending on the size of the organization and the maturity of risk management, one can usually expect to arrive at somewhere between 10 to 15 risks with sufficiently high scores as a focus for a detailed and planned response.
The following questions should be asked in relation to each potential risk event: What would cause this to happen? What would the consequences be if it does? What could we do to prevent it? What could we do to minimize the damage if we cannot prevent it?
Depending on the organization’s risk appetite, one of four responses will normally follow. The organization may be able to avoid the risk; transfer it (e.g. insurance); mitigate (e.g. reduce exposure); or accept it (monitor).
This process of identifying, assessing, managing, and monitoring risks is not a project done once annually; it is a continuous cycle that helps to reduce the blind spots that allow adverse events to materialize without a plan for how they will be managed.
Enterprise Risk Management places the core strategic mission of the organization at the focal point and takes a holistic approach to how the risks of potential adverse events are managed.
There are two widely accepted frameworks for managing risks at the enterprise level. The first is the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework, which integrates strategy with performance. It looks at the following five interrelated components: governance and culture; strategy and objective setting; performance; review and revision; and information, communication, and reporting.
The other framework is the ISO 31000 Risk Framework. Personally, I am a big fan of COSO’s Framework and have mainly focused on that one here.
We have advanced a bit beyond the days when tribal priests rolled bones to try to predict the future. Risks are all around us, that is inescapable; therefore, a long-term successful strategy must include an effective means of identifying, assessing, managing, and monitoring the risks to an organization.
A well-developed and functioning risk management programme can also be a competitive advantage for an entity. A business that is better prepared to respond to the uncertainties of life is likely to be more resilient than its competitors and will avoid potential shocks and loss of shareholder value when adverse events occur.
If your CEO or Managing Director is not practicing risk management at a mature level, you may want to have a conversation this year about implementing a robust ERM programme. After all, ensuring the business is well prepared to meet the uncertainties of the future is a crucial part of a director’s fiduciary responsibility to protect their organization and ensure it is well-run.
I have found the COSO framework to be useful in doing this and would recommend it to anyone wishing to take risk management to the next level.
Founder & Director @ Innovative Imaging & Services | Certified Information Professional
Ronnie Dunn, CPA, MBA, Notary Public, thanks for this article, a stark reminder of a critical yet often overlooked element of strategic planning.