Integrating ERM with Strategic Planning
Integrating ERM with Strategic Planning
Best practice implementation of Enterprise Risk Management becomes ingrained in a company's strategic planning process. By broadly evaluating the primary risks of the business, better decisions are made and value is added.
By Doug Brooks
Enterprise Risk Management (ERM) has many different facets, from the highly quantitative to the subjective and qualitative. It deals with risks that are very dynamic and short–term in nature as well as those that are longer–term and strategic. In order to be successful, it is necessary to integrate any of these elements into the way in which a business is managed. The best quantitative tools and processes will not ensure better business decisions if the understanding developed through the use of these tools is not applied with discipline in business decision–making processes. This article will deal with integrating processes for managing strategic risks into strategic planning processes. Strategic decision–making processes are often less structured than those processes that are part of daily operations. Therefore, it is even more important to ensure that proper disciplines are applied.
Some level setting is appropriate, as strategy and strategic planning can mean different things to different people, and the terms are used in a variety of ways in various organizations. For the purposes of this article, the term strategy means a set of choices about a business that determine the direction and orientation of the business–the way in which an organization will distinguish itself from its competitors. Thus, strategy defines and articulates the value proposition that an organization brings to its market–a basic description of its business model. Note that, although the article is written primarily from the perspective of businesses in competitive markets, it is intended that the principles apply to organizations in any sphere of activity.
Strategic Planning and ERM
Strategic planning, then, is the process through which an organization develops, refreshes and refines its strategy in light of its view of the future, for the purpose of achieving its long–term goals and objectives. Again, for purposes of this article, the term strategic planning is distinct from business planning, which is the development of a detailed business plan for a short period (e.g., one or two years). An effective business plan will be aligned with the strategic plan, and ensure that initiatives developed are consistent with the strategy articulated in the strategic plan.
The term Enterprise Risk Management is well known, but again, to try to ensure a common understanding for purposes of this article, a definition is provided. The Casualty Actuarial Society (CAS) has defined ERM in this way: ERM is the discipline by which an organization in any industry assesses, controls, exploits, finances and monitors risks from all sources for the purpose of increasing the organization's short– and long–term value to its stakeholders.1 This definition incorporates the key elements of ERM, and can be applied to the strategic aspects of ERM as well as to the financial.
A strategic plan, as defined above, is almost by definition concerned with risks–strategic risks. The reason for developing a strategic plan is the recognition that an organization's current business model will not survive indefinitely. Threats will come to the business model, whether through the development of competing business models by competitors, through developments in technology that result in a business model (or even an organization's basic product) becoming obsolete, or through changes in the environment or market. A strategic plan is an attempt to address these risks by refining, modifying or even creating a new business model that will continue to add value to an organization's stakeholders in new environments and despite the risks involved. Since risk management is inherent to strategic planning, it is important that the processes used be as effective as possible. As with business planning and management, it is also critical that these processes be applied in a disciplined manner–or else their benefit will be significantly lessened. ERM is the process through which risks are managed comprehensively and with discipline across an organization.
A strategic plan should also incorporate the risk parameters of an organization. That is, a business model should explicitly include the limits of risk that an organization deems acceptable. A structured set of risk parameters (which could also be known as risk tolerances or risk limits) is an integral part of an ERM framework. In fact, an organization's risk appetite and strategy must be aligned. Therefore, again, enterprise risk management and strategic planning are inherently related.
An organization should view the management of risk at an enterprise level as an integral part of its value proposition. Strategic planning is also oriented toward finding a successful future–a business model that will thrive despite perceived risks. Perhaps more than in any other area, in strategic planning, "risk is opportunity." Strategic risks are longer–term and broader than business risks (the day–to–day risks facing an organization), and therefore can be better planned for and turned into opportunity. Strategic planning is a proactive exercise (as risk management should ideally be). It shapes the future of the business to derive competitive advantage.
A more articulate statement than the above is provided by the Institute of Management Accountants: ERM and strategy setting should be viewed as complementing each other and not as independent activities. If strategy is formulated without identifying the risks embedded in the strategy and assessing and managing those risks, the strategy is incomplete and at risk of failure.2
Risk categorization is important to ERM. A common language for risk can assist communication across an organization. A language and categorization for strategic risks is also important to ensure a comprehensive assessment and analysis of risk.
For purposes of this article, strategic risks will be distinguished from business risks in an analogous manner to the differentiation between strategic planning and business planning. Strategic risks are the risks that involve threats to the business model as opposed to threats within the business model.
Since strategic risks are different in both type and nature from business risks, different processes are necessary to manage them. The identification and assessment of risks is an important component of risk management. The process for identifying and assessing strategic risks will be different than the process used for identifying business risks. Techniques must be found and developed to model strategic risks. Similarly, the measures of strategic risks, the tools used for measurement and the processes by which they are monitored, will be quite different. Finally, the techniques to mitigate strategic risks are quite different than those used to mitigate financial and operational business risks, as they involve changes to the business model itself.
There are many different types of strategic risks. As with the management of risks in any organization, it is important that risk management be specifically oriented toward an organization's risk profile. A cookie–cutter approach does not work with respect to risk management. The following list includes some examples of strategic risks, but is not meant to be comprehensive.
Examples of Strategic Risks
- Competitive dynamics (existing and new entrants).
- Demographic changes.
- Technological innovation.
- Economic changes and trends.
- Changes in consumer behavior.
- Political and regulatory direction.
It is important to recognize that strategic risks are real risks! Many studies have been done to analyze the underlying cause of collapses or significant setbacks of organizations. These studies have consistently determined that, while the ultimate manifestation is often financial, the underlying cause is usually strategic or operational in nature.
A study by Mercer Management Consulting analyzing the collapses of Fortune 1000 companies from 1993–1998 showed that these collapses (defined as the loss of 25 percent or more of shareholder value within a one–month period) were strategic in nature in well over 50 percent of cases. Operational risks accounted for more than 25 percent, while market and other risks accounted for only about 10 percent of these losses. A more recent Booz–Allen study showed similar results.
Integrating ERM and Strategic Planning
Since the identification of strategic risks is different than the identification of business risks, separate processes should be used as the primary identification processes for these different types of risk. Strategic risk assessment is more naturally "top down" than business risk assessment, given its orientation toward the overall business model rather than functions within the current business model.
It is important to recognize that no one group or profession has expertise in all areas of risk, and certainly no one group or individual has complete insight into the future. In developing a strategic risk assessment process, it is necessary to ensure that insights, methods and techniques for identifying, evaluating, measuring, monitoring and dealing with different risks are brought to bear in order to have a comprehensive framework for addressing strategic risks.
Necessary components of a strategic risk management process include: a target risk profile; a strategic risk identification process; a process for the assessment of the likelihood and impact of strategic risks; and a process for the monitoring and reporting of strategic risk.
Target Risk Profile
An organization should have a target risk profile as a parameter for strategic planning. In this context, a target risk profile means an articulation of the organization's appetite for risk–an outline of the risks that an organization deems acceptable, and those it does not. These, along with a company's strategic goals and objectives, form the parameters of the strategic planning process. They are a check against which strategies must be evaluated–do the proposed strategies achieve the organization's goals and objectives, and are they consistent with the organization's risk profile?
Strategic Risk Identification Process
Because strategic risks are different in nature from business risks (longer term, broader and oriented toward impact on the success of the business model rather than shorter–term financial or other consequences), it is appropriate to have a separate process for identifying these risks. Strategic risks are more naturally captured in a "top down" process, while business risks may often be captured through a more detailed "bottom up" identification process. Of course, strategic risks may be identified through the business risk identification process, and should be captured and fed into the strategic risk identification and assessment process.
A strategic risk identification process must have broad and senior participation to be effective. It is also vital that discussions be open, challenges allowed and different perspectives encouraged and debated. Facilitated sessions may enable free discussion. (Table 1)
Strategic Risk Assessment Process
Strategic risks are not necessarily subject to modeling and quantification in the same manner as business risks. Therefore, different techniques must be used to assess their likelihood. The Casualty Actuarial Society paper referred to earlier provides a discussion of some potentially useful techniques. Space does not permit discussion in this article.
Assessing the Likelihood of Strategic Risks: Techniques
- Fuzzy logic.
- Preference among bets (with experts).
- Judgments of relative likelihood (with experts).
- Delphi technique.
- Testing biases (i.e., test both sides of probability).
Similarly, different techniques must be used to assess the impact of strategic risks. Again, the primary impact with which a strategic risk assessment process is concerned is the impact on the success and sustainability of the business model, rather than the impact on current financial results, capital or reputation. The impact of strategic risks will often emerge gradually rather than having relatively immediate consequences. Therefore, the identification and evaluation of trends is an important part of the strategic risk assessment process. When assessing strategic risks, potential triggers should be considered and key trends identified. An environmental scan is normally done as part of a strategic planning process and provides a basis for trend information. Identifying trends helps to identify both risks and opportunities. Scenario testing is also a step to flesh out the impact of different potential scenarios. Strategic risk assessment does not need to be as specific as business risk identification–that is, an assessment of likelihood accompanied by a "low, medium or high" assessment of impact of a particular threat or scenario is likely sufficient to determine whether strategic action is required.
Monitoring and Reporting Strategic Risk
Strategic risks are not expected to change as frequently as other risks that are market– or business–related. Therefore, their monitoring and reporting should reflect that. It is important that, when strategic risks are assessed, expected trends are developed (on which the company's strategy is based), and potential events identified that could signal a change in the likelihood of a strategic risk occurring, which would then trigger a re–evaluation of strategy.
Reporting should be consistent with this. The frequency of reporting on strategic risks will generally be less frequent than for business risks–perhaps annually on a comprehensive basis. Monitoring of key trends should be ongoing, and changes in trends identified and reported. Also, triggering events identified during the assessment phase should be monitored and reported on should the event occur. Therefore, regular (e.g., quarterly) reporting may be on an exception basis, rather than comprehensive basis.
Is a Flawed Strategy a Strategic Risk?
Some consider a flawed strategy a strategic risk. A strategy is essentially a response to perceived strategic risks and an operating and competitive environment. A flawed strategy may result from a flawed process, including an incomplete or inaccurate assessment of strategic risks. It may also result from the development of an inappropriate strategy even though the "input" to the process is good. The role of ERM in the process is to ensure that the process has the right elements, which are:
- A comprehensive view of risks and framework for their management including common terminology, common measurement, a target risk profile; a desired risk culture.
- Processes and tools for the various aspects of risk management (identification, assessment, addressing, measurement and monitoring).
- Full and unfettered discussion and evaluation of risks.
- A disciplined process to ensure risks are addressed.
Strategic planning and strategic risk management are intertwined. In fact, they are effectively one process. Strategic planning is a response to strategic risks to the business model. It is important to have disciplined processes to identify, assess and deal with strategic risks. These processes will be distinct from business risk management processes, but are a vital part of a comprehensive ERM framework.
Doug Brooks, FSA, FCIA, MAAA, is senior vice president and CFO for Equitable Life Insurance Co. Canada. He can be contacted at firstname.lastname@example.org.
- 1Source: Casualty Actuarial Society: "Overview of Enterprise Risk Management." May, 2003.
- 2Source: Institute of Management Accountants: "Enterprise Risk Management: Frameworks, Elements and Integration."