Smart organizations are doing more with enterprise risk management (ERM) than protecting value. They are using patient, structured and disciplined ERM approaches that influence and strengthen the business’ strategic plans. That, in turn, helps to ensure that goals for generating shareholder value are met.
The primary goals of best-practice organizations are:
• focusing senior management and boards on risks capable of disrupting business strategy;
• creating value for key stakeholders;
• ensuring that risks are properly identified, assessed, mitigated and monitored; and
• creating a risk-intelligent culture, reflected by a proper, risk-centric tone at the top.
To get there, an organization will want to augment its traditional governance, risk and compliance (GRC) model, which (among other things) aims at assessing the strength of internal controls. What is needed is a strategic risk assessment process that identifies and manages major business risks, whether well known or newly emerging.
A strategic plan is sound only if it incorporates action items for addressing major risks that have been identified during an enterprise-wide risk review cycle. Yet, according to a recent APQC survey, a surprising 61% of organizations do not ensure that strategic risks, once identified, influence the organization’s strategic plans (see chart below).
Organizations also need an ERM capability that systematically generates insights about the adequacy of risk mitigation plans. Those insights should then drive adjustments to the strategic plans. This helps companies avoid value erosion and drive value creation. Companies should strive to help business units and managers analyze the risks inherent in their strategic plans and find ways to leverage corresponding opportunities.
To do this, risk leaders should facilitate practical discussions with managers about the resiliency of their strategic plans. To avoid a widespread disconnect across the organization, risk leaders should ask decision makers from a variety of functions what ought to be done to fold identified risks into the overarching growth plans.
Some manufacturing organizations use a scale to help managers think through their mitigation strategies. Pointed questions go a long way—for example, what happens if the risk of product obsolescence is twice or three times more likely next year compared to last year?
In a recent report by APQC, the senior director of strategic risk management for a leading manufacturer of children’s toys described the ways in which the company aligned strategy with previously unexperienced risk. During a brainstorming session aimed at risk identification, he and his group came up with more than 250 risk candidates. They asked questions such as: What would we do if a regulation changes and we cannot use the materials we are currently using in products anymore? What would we do if there was a trade war between the United States and China? What if a key product line doesn’t spark the interest of the next generation of game-playing children?
Questions such as these help to get senior managers in the manufacturing industry to focus on the viability of risk mitigation scenarios and action plans. Predicting things like shifts in consumer demand and experiences—and adjusting to this shift more effectively than a competitor—can lead to major strategic advantages.
Additionally, organizations must pay careful attention to the messages senior management and board members are sending about risk management. Boards must not consider ERM to be an impediment to business strategy; rather, the tone at the top should reflect a sense that risk management is an integral component of strategy, culture and business operations. In addition to overseeing risk plans and making sure that they align with the company’s strategy and risk appetite, boards must also foster a culture of risk-adjusted decision-making throughout the enterprise.
Decision makers must prioritize risks, prepare their mitigation measures, and adapt strategic plans as necessary to reflect the changing risk environment. The risks inherent in supply chains, innovation, cybersecurity, regulations, talent—just to name a few—are not always easy to see during the strategy planning process. This is why organizations must not only identify major strategy risks but prepare for them—and shift plans in order to keep the strategic plan at the ready.
Elizabeth Kaigh is the financial management research specialist at APQC, a nonprofit business research and benchmarking firm based in Houston.