Strategic Risk Management

The paper, authored by Mark Frigo, discusses how strategic risk management involves evaluating how well a business strategy will perform under different scenarios and risks. Risk scenarios that could lead to significant loss of shareholder value are to be considered. At the same time, risks can lead to opportunities for growth and should be managed, not necessarily eliminated. Ultimately, strategic risk management and ERM need to be connected with the potential impact on shareholder value.

Strategic Risk Management at High Performance Companies

Research on high-performance companies can provide valuable insights about risk management. High-performance companies are vigilant to forces of change, and they manage risks and opportunities better than other companies. The author of this article also co-authored Driven: Business Strategy, Human Actions and the Creation of Wealth, in which the “Return Driven Strategy” provides a framework for evaluating the strategic risks of a company from many different risk categories, such as the following:

  • Shareholder value risk is driven by future growth and return on investment
  • Financial reporting risk is driven by reporting irregularities such as revenue recognition
  • Governance risk is driven by controls
  • Customer and market risk is driven by the extent to which a company sells what people want
  • Operations risk is driven by failure to deliver goods or services when needed
  • Innovation risk is driven by inability to change to beat competition
  • Employee engagement risk is driven by the employment practices of the company

A Strategic Risk Assessment Process

This article outlines four steps for strategic risk assessment:

  • Risk assessment of plans. Conduct an overall risk assessment of the 2008 plan and strategic plan. This assessment includes scenario analysis.
  • Identify Critical Risk Scenarios. The next step is to identify and describe “critical risk scenarios” considering the severity and likelihood of the events and scenarios.
  • Identify Countermeasures. Next, management identifies possible countermeasures for managing the critical risk scenarios and considers the cost/benefit of the countermeasures.
  • Establish a process for continuous monitoring. This includes the key risk indicators and best practices of performance management, such as the balanced scorecard.

Questions to Address During a Strategic Risk Assessment:

  • What events or scenarios could create significant downside risk in your business strategy and 2008 plans?
  • What countermeasures have been developed to address these risk scenarios and events?
  • Has the company considered the upside of risk and how it plans to realize the opportunities?
  • What are the roles of the CFO, general counsel, chief risk officer, internal audit, and others in assessing and managing the threats and opportunities in your plans and business strategy?
  • How is enterprise risk management incorporated and embedded in your 2008 plans and business strategy?
  • What performance measures and key risk indicators are you monitoring to continuously assess and manage strategic business risk?


The article describes an approach to risk assessment that looks at three perspectives: risks, opportunities, and capabilities. Risks are about risk of loss – the downside of risk, such as loss of revenue or assets. Opportunities are about the upside of risk, such as opportunities for gains in revenue, profitability, and shareholder value. Capabilities are about distinctive strengths of an organization that can be used to manage the risks and opportunities.

  • Competitive intelligence, ethically conducted, is an integral part of the strategic planning process.
  • Corporate sustainability should be considered in risk assessment, as well as corporate social responsibility.
  • Risk transfer and retention strategies should be included in risk assessment as well: whether to protect corporate assets by purchasing insurance, self-insuring, or “creating a captive.”

Genuine Assets at Risk

Genuine assets may not be on the balance sheet; they are the tangible and intangible resources, capabilities, and traits that make an organization and its offerings unique. They are the “building blocks” of strategy and form the basis for creating sustainable competitive advantage. Genuine assets should be valued very specifically, including how difficult it would be for another company to develop a similar asset, i.e., how long it would take and how much it would cost.

To Help Identify and Manage Risks to Genuine Assets, Ask:

  • What are the most valuable and unique capabilities and resources of the company?
  • What scenarios and events could put the most valuable Genuine Assets at risk?
  • What countermeasures can be developed to protect these assets?

Key Risk Indicators and the Balanced Scorecard

Effective strategic risk management should be a continual process that includes metrics for continuous monitoring of risk. An organization’s key risk indicators and metrics should link to the potential impact of risk on shareholder value. A balanced scorecard should focus on strategy and accountability (see Mark Beasley, Al Chen, Karen Nunez, and Lorraine Wright, “Working Hand in Hand: Balanced Scorecards and Risk Management,” Strategic Finance, March 2006). Risk dashboards can also provide a way to monitor key metrics and trends.

Making the Connection

Connecting strategy and ERM is critical for every company to create and protect shareholder value and corporate assets. Risk management and assessment should be continuous and consider both the upside and downside of risk. Risk assessment, risk management, and ERM should be embedded in strategic plans and budgets, execution plans, and performance measures.

ERM Enterprise Risk Management Initiative 2008-01-01