Conventional enterprise risk management strategy has been well studied, researched and implemented, as evidenced by the decent success that most enterprises now enjoy in handling risks that are not strategic in nature. In today’s business environment, no one cares anymore about a company’s ability to identify, classify, and mitigate the operational and financial risks that businesses face on a day-to-day basis.
What makes a business successful in managing risk is its ability to articulate risks that are not only strategic in nature but pervasive as well. The ubiquitous nature of IT has introduced more uncertainties than many business leaders can possibly handle. Take the advent of cloud computing and cloud accounting as an example. Corporate risk managers now have to worry about the privacy risk issues that came with cloud computing services like software-as-a-service (SaaS), platform-as-a-service (PaaS) and infrastructure-as-a-service (IaaS), and now data-as-a-service is rapidly making its way into the cloud computing arena.
Privacy risk (i.e., the risk of data leakage) is a good example of a strategic risk that is causing business leaders sleepless nights. This is because of the interconnectivity that now exists amongst risks. A company can no longer deal with a particular risk in isolation, as the effects of all business activities affect the overall fortune of the business. This is where a good integrated risk management principle is very important. Before we delve into the discussion of blending the strategic risk management process into every business process of a business entity, let us briefly familiarize ourselves with working definitions or explanations of some of the key terms used in this article.
WHAT IS STRATEGIC RISK MANAGEMENT?
Strategic risk management is a holistic approach to risk management. The primary aim of strategic risk management is to ensure that risk management processes are well blended with an organization’s core business processes. Think of strategic risk management as the actions or inactions of an organization in managing uncertainties and risks that would have business-wide consequences when not properly mitigated.
Strategic risk management is one of the strategic management tools in a company’s strategy toolkit. Effective strategic risk management is based on the concept of realism, meaning that it takes an honest approach in dealing with risk. Risk management from the strategic point of view is built around gaining a clear, unbiased understanding of how much risk a company is willing to face considering the company’s unique situation.
One of the main features of enterprise risk management is that there is little or no meaningful connection between the operational risk management process and strategic management decisions. Over the years, this has led to a lacuna in risk management design and implementation. This is where the real prowess of strategic risk management is best utilised. Simply put, the strategic risk management process eliminates the gap that has hitherto been exploited by threats.
WHAT IS THE TRADITIONAL RISK MANAGEMENT PROCESS?
The traditional risk management process is a 7-step approach to dealing with uncertainties. The process starts with the identification of the long-term goals and objectives of a company. This is then followed by the identification and classification of the company’s assets. The next step is to identify possible events that could go wrong and thereby prevent the organization from achieving its objectives. After the possible negative outcomes have been identified, possible solutions are developed. The next stage is to choose the most appropriate course of action after evaluating the effects of each in the light of available and projected information. The last stage is to implement and monitor.
Although the enterprise risk management process as described above is effective, it still has some major flaws that are constantly being exploited by threats. One such weakness is the management of risk in silos and from the tactical and operational levels. For risk management to be truly effective, it has to be managed strategically, hence the need to integrate the risk management process of an organization with every facet of business operations and processes.
INTEGRATED STRATEGIC RISK MANAGEMENT PROCESS
The integrated strategic risk management process starts with the promotion and institutionalization of positive corporate governance. Good corporate governance is a very solid foundation upon which every other risk management process is built. By promoting a risk management culture throughout the business, the likelihood of any department running its business activities in a way that would undermine the strategic risk management policies and procedures of a company would be greatly reduced, if not eliminated.
Strategic risk scenario analysis: one of the most powerful tools that management uses to mitigate the effects of strategic risk on the enterprise is strategic risk scenario analysis. Through the use of strategic risk scenario analysis, top management staff members ask the right questions about what can go wrong given a strategic challenge. The idea behind the use of strategic risk scenario analysis is to make risks more realistic. Strategic risk scenario analysis can take either of the two forms described below:
- Top-down approach to strategic risk scenario analysis: under this approach, the scenario creation starts from the overall business objectives. This is then followed by analysis of relevant and probable strategic risk scenarios that might impede the achievement of the global goal of a business enterprise.
- Bottom-up approach to strategic risk scenario analysis: here, the first step is the creation of a generic list of strategic risk scenarios.
LEVERAGING ON ESTABLISHED FRAMEWORKS
There is no point in reinventing the wheel when you can easily leverage a more powerful wheel at a cheaper rate. Strategic risk management is all about employing useful tools to achieve organizational goals in an efficient manner. There are two frameworks that I strongly recommend to everyone who is in a position of managing strategic risks: COSO and ISACA’s COBIT.