Strategic risks, such as the potential for a major supply chain disruption, a failed venture, or a massive cyberattack, can be difficult to assess. But companies have found effective ways of drilling into these risks and developing quick-response action plans.
This month, we look at the average amount of time organizations spend identifying and assessing strategic risks. The metric is expressed as a portion of the time they spend identifying and assessing all risks.
Strategic risk management is hardly a waste of time — more than half of respondents to APQC’s enterprise risk management survey (58%) indicated that they have had a high-impact, unidentified risk (other than the pandemic) occur within the last two years.
Data from the survey of 225 executives showed that bottom-quartile companies (those in the 25th percentile) spend only 20% of their time identifying strategic risks. Leading organizations (those in the 75th percentile) spend 75% or more time on the activity.
Assessing strategic risk comprehensively and consistently often involves activities like scenario planning. Teams gather to imagine how risks might become reality and how the organization would respond. Exploring scenarios is not a check-the-box activity but a collaborative endeavor, so it takes time.
Leading organizations leverage a strategic ERM framework that includes at least five steps:
Perry D. Wiggins, CPA, is CFO, secretary, and treasurer for APQC, a nonprofit benchmarking and best practices research organization based in Houston.