
   Corporate Governance (Strategic Risk Management – SRM)

 

  • Strategic risk refers to any interference by external or internal risks that may make it difficult or impossible for an enterprise to achieve the long-term strategic objectives C-Suite executives have planned for the enterprise;

  • Strategic risk management (SRM) – which is a management philosophy intended to prioritize various threats (risks) to the enterprise, by anticipating, eliminating, remediating, quantifying or transferring strategic risks away from the enterprise – is a specialized subcategory (perhaps the most important subcategory to the enterprise) of enterprise risk management (ERM) – and is generally-accepted as consisting of: competitive risk management; financial risk management; governance risk management; operational risk management; and, reputational risk management – focused particularly on identifying two (2) paths by which risk may threaten the enterprise, either from: (a) external threats (such as, for example – financial market crises; natural disasters; political philosophies; shifts in customer demand for the enterprise flagship products or services; sudden regulatory changes; supply chain disruptions; and the like), or (b) internal threats (such as, for example – attacks on the reputation of the enterprise – whether deserved or undeserved; bad business decisions by C-Suite management; failure to adapt to or anticipate change; introduction of low-quality products or services; lack of governance compliance; new competitors with similar-but-better products; poorly-executed or poorly-planned strategic objectives; sudden changes in executive leadership; unsuccessful acquisitions, divestitures or mergers – collectively, M&A).

  • Although the actual circumstances resulting from unfortunate events along each such path can never be anticipated, the fact that such situations along each path are almost-certainly destined to occur to an enterprise, repeatedly, requires executives and senior personnel within the enterprise to make good-faith attempts (strategic attempts) to formulate contingency action plans to handle such situations as quickly and as efficiently as possible, to minimize any damages to the enterprise.

  • Occasionally, strategic risks are confused with operational risks, but there is a difference in perspective, such as for example: as noted directly above, strategic risks generally result either from unfortunate external events or bad internal executive management decisions relating to strategic objectives for the enterprise, whereas operational risks generally result from unfortunate internal lower-level bad decisions and unfortunate situations relating to operations or production; strategic risks generally affect strategic long-term objectives for the enterprise, whereas operational risks generally affect short-term or daily operations.

  • When implementing an internal enterprise SRM framework, it may be prudent for the enterprise management to begin with the selection of enthusiastic and qualified personnel for appointment to a dedicated strategic risk management committee, which might then adopt the generally-accepted enterprise approach to SRM planning, such as for example:

    • identify every possible strategic risk (whether from external or internal sources) that might potentially-threaten any aspect of the enterprise;

    • perform strategic risk assessments of each such potential threat to the enterprise, including analyses of the likelihood such potential threat may actually occur and what damage it might cause to the enterprise (akin to what land use experts may do when they are attempting to diagram flood plains and the extents of 10-year, 25-year, 50-year and 100-year floods);

    • pick the risk-handling strategy that seems to be most-efficacious, perhaps from the four (4) generally-accepted risk-handling strategies: risk avoidance; risk elimination; risk remediation; and, risk transference (such as the use of insurance to pay for the cost of fixing damage caused by natural disasters);

    • continuously-monitor all aspects of the enterprise for any potential strategic risk threats;

    • report all such potential strategic risk threats and any changes in both the external and internal strategic risk landscape to management, as quickly as possible.

  • SRM attempts to quantify (place some dollar value on) whatever strategic risks the strategic risk management committee may identify and prioritize as being the most-potentially catastrophic to the enterprise; there are two (2) generally-accepted metrics that are used to quantify strategic risk, as follows: (a) economic capital – the amount of equity required to pay to completely-restore damage to the enterprise to the condition in which it was before it was damaged; generally-based on a solvency standard determined from the enterprise debt rating, employing the same methodology used to determine the enterprise value itself; and, (b) risk-adjusted return on capital (RAROC) – a banking term of art developed in the late 1970s, meaning the anticipated after-tax return on an investment, divided by the value of the economic capital expended for the investment; this analysis assumes that investments requiring greater risk must produce greater profits; if the RAROC is greater than the value of the economic capital expended for the investment, then the investment has been successful; however, if the RAROC is less than the value of the economic capital expended for the investment, then the investment has been a failure.

  • To be successful, SRM requires that strategic risk should merge with strategic planning; to do so, SRM planners may apply several steps in their analysis for risk, in order to fine-tune their objectives, as follows (in no particular order of precedence):

    • the strategic risk committee must first assemble a list of business strategies and objectives, which must then be reviewed and revised or approved by the C-Suite and the Board of Directors; perhaps the strategic risk committee might use a strengths, weaknesses, opportunities and threats (SWOT) analysis, among others, but since risk is not a component of such an analysis, the committee must bring risk into their analysis through the use of other analysis tools;

    • the committee should consider using key performance indicators (KPIs) as minimum benchmarks to compare the actual enterprise operations performance to what was anticipated;

    • likewise, key risk indicators (KRIs) can be used to compare historical risk tolerance levels to the current levels, to ascertain how the actual system performance compares to the historical;

    • whatever are the KPI and KRI risks that cannot be measured, those are the very risks that must be monitored most-carefully, since those are the very risks that may skew reported results to unacceptable levels.

  • When planning to implement an SRM framework, the committee should use a methodical approach to gathering data, such as (in no particular order): reviewing all existing corporate policies and mission statements, to verify that their understanding of the Board and C-Suite strategic objectives aligns with those of the Board and C-Suite; collect all past data about risk against which the C-Suite and Board have struggled, in an effort to itemize as many potential risks as possible; create a risk profile in both list and heat map format; develop an action plan; get sign-offs from the Board and C-Suite before proceeding to implementing the SRM framework; once all the sign-offs have been returned, but before actual implementation, publish the SRM framework on the enterprise intranet, so that all personnel may review and understand the SRM framework, and use an employee engagement software (EES) platform to allow such personnel to provide feedback, if they so choose; continuously monitor and stress-test the SRM framework, to verify that it is functioning properly.

  • Drafting and negotiating all SRM-related documents and legal support for all SRM-related tasks.

   Progress_Page_Last_Updated_221105_1351
