Organizations are seeing the value of adopting a risk-based approach to execute strategies in order to survive in a post-recession world. This approach enables managers to focus on opportunities in strategic plans, as well as minimizing the potential impact of threats. This article, authored by Norman T. Sheehan, four key steps to executing a strategy using a risk-based approach:
Map the Strategy
An organization must clearly map mission, vision, and strategy in order to determine what they want to accomplish. A strategy map is a one-page illustration that shows what the organization hopes to accomplish in terms of the customer, financial, and societal goals, and how it will achieve desired results using processes and resources. A strategy map should include the following perspectives:
- Financial – defines how much and what type of value the organization must create to satisfy shareholders and stakeholders
- Customer – describes the value proposition the firm promises to deliver to its customers and why customers should buy from the organization, rather than rival competitors
- Process – describes how the organization will efficiently and effectively deliver value promised to customers
- Learning and Growth – clearly describes the resources that enable the organization’s employees to efficiently and effectively perform internal processes
Identify Risks using the Strategy Map
Since the strategy map describes initiatives the firm must successfully complete in order to achieve the best possible outcome for shareholders and stakeholders, it can be used to identify potential risks. Categories of risks that should be assessed include:
- Customer perspective – external events that may decrease the attractiveness of the organization’s value for current and potential customers
- Process perspective – events that may prevent the organization from creating value promised to consumers
- Learning and growth perspective – events that impair intangible human, organizational, and informational resources that the organization relies on to successfully complete internal processes
Risks should be ranked based on financial impact and likelihood of occurrence. This assessment will place risk events in one of four risk response categories:
- Mitigate risk – activities with a high likelihood of occurring, but financial impact is small. The best response is to use management control systems to reduce the risk of potential loss.
- Avoid risk – activities with a high likelihood of loss and large financial impact. The best response is to avoid the activity.
- Transfer risk – activities with low probability of occurring, but with a large financial impact. The best response is to transfer a portion or all of the risk to a third party by purchasing insurance, hedging, outsourcing, or entering into partnerships.
- Accept risk – if cost-benefit analysis determines the cost to mitigate risk is higher than cost to bear the risk, then the best response is to accept and continually monitor the risk.
Design a Risk-based Management Control System
Organizations should employ a comprehensive framework to enhance the execution of strategies. Based on Simons’ (2000) “Lever of control” framework, five controls should be engaged to manage risk:
- Diagnostic controls – communicates to employees what activities lead to strategy execution and reports if they were successfully completed
- Boundary controls –constrains employee activities by making it clear what actions are unacceptable
- Belief controls – outlines what the organization stands for and inspires and motivates employees to make a difference
- Internal controls – ensures accurate record keeping, safeguards the organization’s assets, and enhances compliance with laws and regulations
- Use levers to control and manage risk – ensures that the organization is properly mitigating, avoiding, transferring, and accepting risks
Management should regularly monitor the risks listed above to ensure that the management control system is working, as well as the appropriateness of the organization’s strategy.
Strategic execution capabilities will be improved by integrating strategy mapping with control, compliance, and risk management activities. A risk-based control system enhances management’s ability to properly manage risks, threats, and opportunities in order to achieve the organization’s strategic plan.
Click below to download article through Emerald Publishing Group.
Read ERM articles as soon as we post them
Keep up-to-date with current developments in ERM. Subscribe to the ERM Newsletter.