While the financial crisis has given companies plenty of motivation to expand their risk-management practices, very few executives lose sleep over the constantly changing predilections of three-year-old children. But it’s a major issue for Hans Laessoe, senior director of strategic risk management for Lego. It’s around age three, he says, that parents start to lose their influence over what toys their kids demand for Christmas. What are the implications for Lego when that more-autonomous three-year-old decides that any toys associated with, say, the Star Wars film series no longer have much appeal? Will demand suddenly recede to a galaxy far, far away?
That prospect currently seems as remote as that distant galaxy: last year Lego sold twice as many Star Wars products as it did in 2005, when the final film in the franchise was released. But, given his focus on “strategic” risk management, Laessoe has to consider any risk — whether it exists today or may crop up in the ostensibly unforeseeable future — that could force Lego to reconsider aspects of its business strategy.
Strategic risk management (SRM) is a distinct subset of overall risk management, and one that many companies are only just beginning to address. No wonder. As Laessoe says, the term applies to “the [many] things that can change the way you do business.”
That makes SRM both broad and hard to define, but it is possible to bring rigor to the analysis. Lego uses a process that Laessoe calls AROP (actual risk and opportunity planning) to examine the risks and opportunities of large projects, in order to see how the company can mitigate the threats. No project is approved without clearing the AROP hurdle.
While few businesses have created a position specifically devoted to strategic risk management, let alone created a methodology for assessing it, more are beginning to formalize the way they assess, manage, and mitigate strategic risks. For example, Orbitz Worldwide does not yet have a “mature process,” but the travel site is getting there, says CFO Russ Hammer.
Earlier this year, Orbitz collected input from nearly 60 senior managers to outline its risk plan for 2011. “We shared the information with our board of directors to show the link between our strategic risks and business strategy, to see if we missed anything,” Hammer says, describing a process that did not exist prior to his joining the company last January.
Hammer isn’t alone. Only 17% of organizations have fully implemented enterprise risk management, according to risk trade association RIMS. While the concept of ERM — looking at all risks across a company rather than taking a siloed, department-by-department view — sounds good in theory, it’s not easy to do. So far, a souped-up, technology-assisted way of viewing risks across the business is mostly limited to the largest companies. Moreover, strategic risk has frequently fallen through the cracks, as ERM programs focus heavily on compliance risks.
“A lot of companies do ERM by name and forget about the strategic part, or don’t do it diligently enough,” says Laessoe. But they should: nearly 70% of the risks that cause the most significant harm to corporations are strategic risks, notes Michael Griffin, executive director of research firm Corporate Executive Board.
These include risks to a company’s product lines, competitive advantage, mergers and acquisitions, and overall business model. In other words, they’re topics companies generally place under the purview of the strategic-planning team rather than of risk managers. Three years after the peak of the financial crisis, companies are encouraging the two groups to interact. “Strategy is often done by one group, which is focused on the future of the company. Other groups tend to be directly responsible for risk such as internal audit or the ERM function,” says Mark L. Frigo, director of the Strategic Risk Management Lab at DePaul University.
CFOs are leading the effort to get these groups talking, particularly at smaller companies that lack a chief risk officer. “For a company of our size, the chief risk officer is a shared responsibility with the CEO,” says William Stuart, CFO at privately held technology company Synacor. From their experience managing financial and operational risks, finance chiefs are in the ideal spot for overseeing or initiating a strategic risk program. “CFOs are often being asked to take on a more strategic role in their organizations and more beyond reporting the numbers on what happened last year,” Frigo says. “This is another facet of their role.”
Sowing Confusion?
RIMS recently defined strategic risk management as “a business discipline that drives deliberation and action regarding uncertainties and untapped opportunities that affect an organization’s strategy and strategy execution.”
Others, however, see it as little more than a marketing ploy by service providers. Words like enterprise, strategic, and holistic “confuse the issue,” says Felix Kloman, a retired risk-management consultant. “They take the relatively simple idea of risk management, a discipline for dealing with uncertainty, and add confusion to it, which I don’t think a CFO needs.”
To be sure, CFOs hardly need a term to prompt them to think about risks. “We walk in every day and think about what’s keeping us up at night,” says Fred Ball, CFO of Marketo, a privately held software company founded four years ago. “As your company matures and grows, risk management becomes more formalized.”
Still, the concept of SRM can help CFOs explain their risk-management program to boards of directors, whose role in risk oversight has been scrutinized following the financial crisis. They have increasingly been questioning finance chiefs about strategic risks, according to Frigo.
Whatever the interpretation, the terminology is meant to help companies focus on a certain area that may have been neglected. “Organizations that for whatever reason aren’t adopting ERM could look at SRM as a stand-alone practice, as part of their strategic planning and execution,” says Carol Fox, director of RIMS’s strategic and enterprise risk practice.
Indeed, SRM is “a natural outgrowth” of the progress some companies have made in enterprise risk management, according to Brian Elowe, a managing director at risk consultancy Marsh. On their own, some ERM programs have prevented companies from taking the next step. After identifying their risks, as they have through ERM, companies need to ask, “How do these risks affect our strategic decision-making?” Elowe says. “How do we build them into the framework of how we make decisions and tie it back to the financial metrics that matter to shareholders?”
To help with the answers, companies are giving risk managers a seat at the strategy-setting table. In a recent Accenture survey, 39% of respondents reported that their risk managers have a say in setting company objectives, up from 27% just two years ago. The change is giving the risk-management profession a boost as risk managers stretch their expertise beyond the legal, compliance, and health and safety risks for which they have historically been responsible. “It’s much better to be part of a team that can help an organization achieve its objectives than to be seen as a naysayer,” Fox says.
Internal audit is getting pulled into the job, too. Nearly three-quarters of internal auditors are including strategic risks in their risk assessments this year, according to Corporate Executive Board’s Griffin. Nick Cioll, CFO and CRO of energy provider TriEagle Energy, recommends that those in charge of overseeing risk look beyond the management team for insight. “You have to tap the talent around the organization,” he says.
Talk It Over
Getting managers to share their concerns about risk and their relation to big-picture strategies can be tricky. John Fraser, CRO at Hydro One, a Canadian electricity company, suggests only CFOs with a certain personality could kick-start an SRM program on their own. They can maintain their status as overseers of risk while delegating the task of selling the concept to departments outside of finance.
“I make things happen, but people who work for me are charming and likeable, and they are the ones building relationships and running risk-management workshops,” says Fraser.
One of the biggest risks to a company’s strategy is that its employees don’t know what the strategy is. For that reason, asking employees to articulate it can be a good way to start an SRM program, suggests Griffin. The collective response could be humbling. “We have surveyed hundreds of executives at western multinationals in emerging markets, and more than a third either didn’t identify strongly with a clear strategy or didn’t understand their role in strategy,” says Griffin.
From there, the work gets more difficult. As with ERM, companies need to identify their strategic risks, do their best to measure them, and examine how they relate to their business plans. They should ask, “If we have a strategy of growing by X% in five years, what’s stopping us from getting there?” Fraser says. If one potential risk is the unpredictable taste of toy-loving kids, managers clearly have their work cut out for them.
Sarah Johnson is senior editor for risk & compliance at CFO.