Risk Oversight and Strategy Need to be Better Integrated.

The comment:

‘Several of the conference speakers commented on the apparent disconnect between an organization’s risk management and strategic planning activities. Unfortunately, in many organizations, risk management is viewed as a compliance or regulatory activity that needs to be done to satisfy some external demand for risk management. Often that means risk management is relegated to a lower-level, nonstrategic position that addresses important, but not strategy-defeating issues. For some reason, business leaders continue to struggle to remember the important connection between “risk and return.” As a result, the organization’s risk management efforts are inadequately integrated with strategic planning. This may partially be driven by how risk managers have been leading their risk identification and assessment efforts.

Rather than beginning the conversation with a discussion about what drives value for the organization in order to pinpoint key risks, the conversation begins with what risks are on the horizon (e.g., what keeps you up at night?). By starting the conversation with what is strategically important to the organization and then asking what might prevent that from being successful, we might better assist business leaders in seeing how risk management can be positioned to provide strategic value.’

The source:

Mark Beasley, Deloitte Professor of Enterprise Risk Management (ERM) and Director of the ERM Initiative, NC State University

My take on it:

There are several gems in Beasley’s entire article, including the potential of the media to precipitate a chain reaction to an initial risk event.

As for the governance ‘disconnect’ world-wide between RM and strategic planning, a sad irony prevails in Australia:

  • ISO31000 (2009) mentions strategic plan(ning) 3 times;
  • the associated 2010 Handbook on practical application of AS/NZS 31000 mentions it 12 times, including this very helpful pointer: ‘The best place to first implement AS/NZS ISO 31000’s process for managing risk is the strategic plan and supporting business plans, after which each group should work through their operational risks.’
  • HB 2010 was nominally directed at NPOs, but its content was intentionally generic, and very practical.
  • In 2013 SA/SNZ decided to release a further Handbook, nominally directed at For Profits. It reflected the same general message as its NPO peer, but with fewer references to strategic planning (i.e. 10), and was in my opinion less clear in how to actually apply the Standard.
  • The Corporate Governance Guidelines released by the ASX Corporate Governance Council (CGC) in 2014 are replete with references to risk, but do not mention strategic planning once!
  • If anyone is looking for practical assistance on implementing ISO31000-compliant RM in their organisation, I would refer them to the 2010 Handbook.