Implementing Risk Transformation in an Organization’s Strategy

Risk transformation can help enable a company to elevate its risk management from only a functional capability to an enterprise responsibility that is a holistic part of an organization. When any entity decides to put more emphasis on risk management, all parts of the business become responsible for the risks related to their own function.

Deloitte breaks down risk transformation into four different cornerstones. First is strategy – the overarching element of the cornerstones – which drives the organization’s vision forward to align with its overall goals. Next is governance and culture, which focuses on making sure correct oversight is in place to execute said strategy, along with influencing positive shared values to guide the organization. Third are business and operating models, which help an organization decide how its execution should be structured. Lastly, data analytics and technology drive the analysis behind the different models to, again, execute the strategy.

Risks can vary significantly from industry to industry, and every organization relies on the cornerstones discussed above to manage its risks. Deloitte defines strategy as “an integrated set of choices that can position an organization to create superior financial returns and sustainable advantage relative to competitors.” Strategic risks are ones that threaten the organization’s strategy at its core, and can arise from any business facet such as operational, financial, technology, security, legal, or any other situation that is a potential threat to the overall strategy. In our current economic situation, almost all industries are at an increased threat of strategic risk. For instance, financial institutions move away from the capital-intensive side of business and more into capital efficiency. The risk to strategy in this example would be the pure need to make the migration in strategy. Even the automotive industry faces strategic risks in the form of rapidly evolving technologies, supply chain issues, and intense regulatory scrutiny. Deloitte’s most recent study found that 85 percent of respondents in a survey rated their company as either “not effective” or “somewhat effective” in identifying strategic risks, compared to only 13% rating it as “very effective.”

Underlying Strategic Risks

Strategic risks often lack historical precedent, and signals related to them are often faint, making them harder to uncover and difficult to interpret. In addition, strategic risks can be unique to one organization because of the strategy in place. Risks are also easier to overlook when they seem irrelevant, and can be difficult to address with customary risk methods. Strategic risks of this type, with low likelihood but high impact, are known as “black swan” events. Events like these sneak up on organizations that are not prepared, escalate quickly, and leave those that have not anticipated them paralyzed and confused. As well as being hard to identify, strategic risks also tend to be difficult to quantify and track. It is clear that, if ignored, these risks can become a “value killer,” as Deloitte describes it. On the other hand, strategic risks can become the driver of value by suggesting modifications of current drivers, or letting the organization know it is time to discontinue an existing driver.

Value Killers

Deloitte defines “value killers” as risk events that destroy 20 percent or more of corporate value in one month relative to the growth or decline of the MSCI All World Market Index in the same period. The newest update to their report claims that value killer losses were experienced in 38 percent of the Global 1000, with some seeing more than 50 percent of their value lost.

The update breaks down value killers into five types:

  • High-impact/low-frequency risks: rare but potentially devastating events that catch companies off guard leading to extreme, quick losses (“black swan” event)
  • Correlated or independent risks: 90 percent of companies suffering the greatest losses were exposed to one or more risks that affected the organization as a whole
  • Liquidity risks: financial crisis can expose the dangers of liquidity and draw intense regulatory scrutiny toward banks and their cost of capital
  • Merger and acquisition risks: business combinations may fail to have the anticipated value and can also have unexpected risks emerge
  • Culture and compensation risks: incentive programs that reward short-term performance can create business models inconsistent with leadership and tone at the top

Shifts in Perspective

The importance of strategic risks can be hard for an organization to convey to its employees. This calls for a shift in perspective: as business and economic conditions continue to change, so does our risk strategy.

Deloitte identifies a few shifts in perspective that would be useful:

  • From a focus only on understanding traditional financial and operational risks to a broader view of risk and interrelatedness of risks
  • From a mindset of managing known, fairly predictable risks to one of positioning the organization to detect and respond to unknown/unknowable risks
  • From a sense of mastery over risk to curiosity about risk
  • From a focus on traditional risk reports to a focus on scanning for emerging risks
  • From an inside-out view of risk to a more outside-in view

How to Plan and Prepare for Strategic Risks

Identifying the risks significant to your organization is one thing; how to deal with future risks is another area companies must address.

Some ways companies might consider investing in addressing risks would be:

  • Identifying hard-to-predict strategic risks: brainstorm with employees what undermines their overall strategy and identify how to treat that
  • Sensing capabilities: using technology to monitor numerous situations in real time that could cause a risk in the future
  • Modeling and scenario analysis: generate scenarios that deal with multiple risks to assess the possible impact of said event
  • Response capabilities: simulating response to risk events and developing plans to improve capabilities

Discover, Scan, Prepare

Many organizations think they already have the means in place to manage their risks, when in reality, they are vulnerable to emerging, off-the-radar situations that could affect them. For this, Deloitte developed a three-step process for examining and assessing risks.

  1. Discover
    - Use scenario planning to gauge potential impacts
    - Conduct simulations for outcomes and responses
  2. Scan
    - Monitor the environment / interpret signals
    - Apply risk sensing technologies and tools to big data fields
    - Add insight through human analysis
  3. Prepare
    - Reassess your assumptions and identify new strategic options
    - Develop contingency and recovery plans
    - Mitigate and manage risks

This type of approach is very structured and practical, and can be easy for any company to adopt. It incorporates risk sensing at the scanning stage and then goes into the human review, while always continuing to use the findings of the process to improve the process.

Goals of Transforming Strategic Risk

When a company transforms its approach to strategic risks, there are five main results that studies have found prevail.

First, senior executives manage risk proactively by cohesively working together to identify, detect, monitor, and address any strategic risks that emerge. Management will have response plans in place with backup capital, insurance, hedging, and diversification to minimize their risk.

Second, transaction and portfolio risks are well understood, and strategic decisions determine the kinds of transactions the organization will engage in. Management realizes that less quantifiable risks are harder to understand, and can be looked beyond when assessing all strategic risk.

Thirdly, risk infrastructure is aligned with the business strategy in place. The risk culture must be aligned for a strategy to succeed, which also enhances the lines of defense for risk governance.

Fourthly, another goal of the organization through transformation would be to align its capital allocation with its risk appetite. Management understands the risks of new models when changing the risk profile, and must therefore adjust its risk appetite or strategy to meet its most profitable uses of capital.

And lastly, regulatory issues affecting the organization are considered when deciding its business strategy, as are culture and governance resources. Being flexible with strategy can help the organization adapt as regulations intensify and change.

As read above, strategic risk can come in all shapes and sizes, and can be invisible to an organization until it hurts the most. In most industries, regulations have reached new highs, which calls for an increased focus on managing the risks that come with that. Strategic risk can destroy value quickly and quietly, so it must have the utmost attention when trying to transform your approach. Transforming strategic risk helps executives and board members understand the risks that need to be addressed, and encourages them to adjust and implement strategies in response to changing factors. Only senior management and the board can lead the organization to transform the risk strategy, and it is more important than ever.

Link: Deloitte & Touche LLP, "Strategic Risks – A Cornerstone of Risk Transformation," Fall 2018


ERM Enterprise Risk Management Initiative 2019-01-29