Imagine this scenario. Your company was led by its external auditors several years ago to put in place an enterprise risk management (ERM) program. Its implementation has progressed at a slower pace than you’d expected, mostly because your operational managers perceive ERM to be just another compliance exercise. As the CFO, you’re starting to question its overall value, and whether it makes sense to continue committing resources to the effort. Thankfully, there is an upgrade of ERM that could have a material, positive impact on future financial performance: strategic risk management, or SRM.

John Bugalla

What’s the difference between the two processes? In theory, SRM is an advancement of ERM, which itself builds on established, traditional methods of managing risk in silos, buying insurance, and spending on loss control. Importantly, ERM not only sets the stage for minimizing the downside loss potential of risk in a more sophisticated, holistic manner, but also enables firms to begin to consider how to gain added value through risk management.

Once a company achieves an appropriate level of experience and maturity in conducting ERM, its CFOs and other members of the C-suite can then view it as a foundation for engaging in a more strategic approach to managing risk. SRM is “a business discipline that drives deliberation and action regarding uncertainties and untapped opportunities that affect an organization’s strategy and strategy execution,” according to the Risk and Insurance Management Society’s definition.

In practice, SRM is the critical link between your ERM program and the strategy function of the company. It’s a discipline that registers “the positive as well as negative impact on enterprise value (e.g. on earnings, cash flow, capital, reputation and differentiating position) arising from emerging and dynamic changes in the environment,” according to RIMS.

What it’s not, however, is an additional set of audit or governance activities. Such activities fall within the confines of a robust ERM program. Think of it this way: SRM is designed to support strategic decision-making and strategic planning before significant actions are taken, thereby adding potential value to financial performance. It definitely doesn’t include after-the-fact risk-mitigation activities conducted on decisions that have already been made and projects already underway.

Naturally, the senior management of every company worries about advancing its competitive position in the marketplace, making the best strategic choices, and effectively implementing strategy. SRM has an important, integrative role to play in each of those critical areas by fully integrating insights gained from ERM into the front end of businesses.

A Bold Move

But many companies, even those that have been successful in implementing ERM, are not quite prepared to evolve into SRM. Structural barriers may exist, creating a gap between where ERM is managed and where SRM strategy is housed. In many cases, properly executing on SRM will require a bold move to reposition risk management from its traditional legal, compliance, or audit home to finance or strategic planning.

Such a move is necessary for SRM to have a timely impact within the strategic business planning cycle, to align activities and goals, and ultimately, to unlock the upside of risk.

Or there may exist challenges related to capability or resource constraints that will require thoughtful investments to achieve a productive bridging of risk management and strategy. Further, culture may play a pivotal role, where the tone at the top must become clear and strong around a new way of operating that recognizes executing risk management and conducting strategy can, and should, go hand-in-hand.

Emanuel Lauria

If you’re considering (or willing to consider) whether SRM could be right for your organization, and evidence shows that increasing numbers of large companies are moving in that direction, we suggest that you begin with the five “s’s” of SRM leadership:

  • Properly situate risk management. Recognize the need for linkage between corporate strategy and SRM.
  • Embrace the full span of risk management. Understand and activate the “duality” of risk management. That will enable you to control the downside and capture the upside of risk.
  • Shift your risk management structure. Become the champion of positioning ERM and, in turn, SRM in the most advantageous way in the company’s structure.
  • Sponsor effective risk management process execution. Ensure that a partnership with your CEO and the board is in place, supported by robust communication channels over which real-time risk intelligence flows.
  • Deploy new skills-based risk management. Develop new SRM methods and techniques to improve decision making and enable greater risk taking to grow the business, based upon an aggregate risk appetite calculation.

As the Chinese philosopher Sun Tzu stated, “every battle is won before it’s ever fought.” In the ongoing battle for competitive advantage, SRM can be the management ordnance to help you prevail.

John Bugalla is managing principal of ermInsights. Emanuel Lauria is managing principal of Risk Strategy Dynamics, LLC and on the faculty of the Robinson College of Business at Georgia State University. 

One response to “When Enterprise Risk Management Gets Strategic”

  1. Most ERM systems produce reports using a system of colors, i.e. red, amber and green. Stating the obvious… you can’t aggregate and compare colors. Effective ERM needs a common risk measurement system and a standard unit of measurement so that risks can be aggregated and compared with approved limits and benchmarked within and between enterprises. If we had that, operating managers would have to sit up and take notice.

    A new technique that does just that is ‘Risk Accounting’ which is described in a research working paper available at http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2726638. Although the paper describes the risk accounting method’s application to banks, it can be adapted for non-banks. Given that risk accounting is an extension of management accounting, finance and risk metrics can be validly combined in balanced scorecards which is the device often used by enterprises to monitor progress against their strategic vision and planning.
