Do You Spend Enough Time Assessing Strategic Risks?

Devote more time to strategic risk management and you won’t be caught completely unprepared.
Perry D. Wiggins, C.P.A. | January 26, 2022

Strategic risks, such as the potential for a major supply chain disruption, a failed venture, or a massive cyberattack, can be difficult to assess. But companies have found effective ways of drilling into these risks and developing quick-response action plans.

This month, we look at the average amount of time organizations spend identifying and assessing strategic risks. The metric is expressed as a portion of the time they spend identifying and assessing all risks.

Strategic risk management is hardly a waste of time — more than half of respondents to APQC’s enterprise risk management survey (58%) indicated that they have had a high-impact, unidentified risk (other than the pandemic) occur within the last two years.

Data from the survey of 225 executives showed that bottom-quartile companies (those in the 25th percentile) spend only 20% of their time identifying strategic risks. Leading organizations (those in the 75th percentile) spend 75% or more of their time on the activity.

Assessing strategic risk comprehensively and consistently often involves activities like scenario planning. Teams gather to imagine how risks might become reality and how the organization would respond. Exploring scenarios is not a check-the-box activity but a collaborative endeavor, so it takes time.

Leading organizations leverage a strategic ERM framework that includes at least five steps:

  1. Conduct a strategic risk assessment to evaluate and rank the potential likelihood and severity of all known strategic risks. The objective is to gain agreement among stakeholders on the key risks.
  2. Identify the strategic risks that may cause the most damage to the ability to execute strategy or run the business. Score and prioritize risks based on criteria like the severity of the risk’s impact and the likelihood of occurrence.
  3. Build action plans to address each strategic risk. Include roles and responsibilities for risk monitoring and action plan management across operations, internal audit, compliance, and management teams.
  4. Continuously monitor each strategic risk and report on risk statuses. Some of the most common reporting methods include risk dashboards, heat maps, and scorecards.
  5. Utilize risk management technology to automate and improve the process, quality, and efficiency of risk identification and decisions. For example, in supply chains, leading companies leverage technologies that create and automatically monitor risk profiles not only for direct suppliers but also for second- and third-tier suppliers.


Perry D. Wiggins, CPA, is CFO, secretary, and treasurer for APQC, a nonprofit benchmarking and best practices research organization based in Houston.