“Strategic risk is not new; however, in a world where risks are hastened along by business trends and technological innovations, strategic risk management has taken on new urgency. In fact, according to a recently published global survey of more than 300 companies, conducted by Forbes Insights on behalf of Deloitte, 94% say they aren’t just increasing their focus on managing strategic risks; they are changing how they do it – most often by incorporating strategic risk management into their business strategy and planning processes.”

There’s a Strategic Risk Management magazine, my friends at RIMS (the risk management society) have a paper and web page on strategic risk management, and according to a report from IIA, internal auditors in the USA need to pay more attention to strategic risks. In fact, earlier this year the IIA released a Practice Advisory (which is considered “strongly recommended guidance”) on “Internal Audit Coverage of Risks to Achieving Strategic Objectives”.

This sounds right, but it is worth exploring further.

For a start, just what is “strategic risk”?

RIMS says that “Strategic Risk Management (SRM) is a business discipline that drives deliberation and action regarding uncertainties and untapped opportunities that affect an organization’s strategy and strategy execution”.

A 2011 article by (originator of Deloitte’s excellent Risk Intelligence series) Mark Frigo and Richard Anderson, “What is Strategic Risk Management”, defines SRM as “a process for identifying, assessing and managing risks and uncertainties, affected by internal and external events or scenarios, that could inhibit an organization’s ability to achieve its strategy and strategic objectives with the ultimate goal of creating and protecting shareholder value. It is a primary component and necessary foundation of Enterprise Risk Management”.

The IIA doesn’t really define strategic risk, but says “Executive management is responsible for identifying and managing risk in pursuit of the organization’s strategic objectives. It is the board’s responsibility to ensure that all strategic risks are identified, understood, and managed to an acceptable level within risk tolerance ranges. Internal audit should have an understanding of the organization’s strategy, how it is executed, the associated risks, and how these risks are being managed.”

In Risk Angles, Deloitte defines strategic risks as “risks that have a major effect on a company’s business strategy decisions, or are created by those decisions. So they tend to have a larger and more widespread impact than the other types of risk that businesses have traditionally focused on, in areas such as operations, finance and compliance.”

Leaving aside the error in some of these definitions that risk management is only about the downside and not the seizing of opportunities, there is a larger question:

If risk is the effect of uncertainty on objectives (the ISO definition, but if you read COSO ERM carefully, you will see they essentially say the same thing), then how is “strategic” risk different?

In fact, if a risk doesn’t have a significant potential effect on the organizations strategies and goals, why should we worry about it?

Aren’t all risks that matter therefore “strategic risks”?

A compliance risk can significantly affect an organization’s ability to achieve its strategic goals. Just ask JP Morgan Chase as they consider their multi-billion dollar fines.

An operational risk, such as the floods in Thailand that shut down hard drive manufacturers, can cripple an organization.

We could stop there and conclude that the concept of something separate and distinct “strategic risk” is nonsense. But, I have a proposition for you to consider.

In the Introduction to the ISO 31000:2009 global risk management standard, there is this paragraph:

“Risk management can be applied to an entire organization, at its many areas and levels, at any time, as well as to specific functions, projects and activities.

You can (and should, in my opinion) take all your organization’s defined business strategies and goals and take a top-down approach to understanding and assessing the uncertainties surrounding achievement of each of those strategies. That should include assumptions that have been made, the things that need to go right, the things that could go wrong, and the events and circumstances that could lead you to surpassing your objectives. All of those uncertainties should be understood, an assessment made as to whether the risks are at acceptable levels, and actions taken as necessary to optimize outcomes.

I would call this top-down approach strategic risk management. It doesn’t preclude the individual risks being financial, compliance, green, blue, or whatever you want to name them.

At the same time, there is nothing fundamentally wrong with understanding and assessing risks at lower levels of the organization, such as those surrounding the use of technology. The key is to prioritize resources on the risks that matter to the organization as a whole over those that only matter to one department, business unit, or location.

In other words, if you are assessing risks within an area such as IT, Finance, or Human Resources, consider whether they will have an effect of any significance on the success of the organization as a whole in achieving its strategies and strategic goals in the pursuit of value.

If they would, then you can choose to call them strategic, red, blue, or whatever. If not, perhaps they relate to activities that are not relevant to the organization’s objectives and which can be cut back.

Personally, I prefer to focus on the risks that matter to the organization’s success. I just call them risks.

What do you think?


Norman Marks, CPA, is vice president, governance, risk, and compliance for SAP's BusinessObjects division, and has been a chief audit executive of major global corporations for more than 15 years. He is the contributing editor to Internal Auditor’s “Governance Perspectives” column.
normanmarks.wordpress.com/