IS RISK MANAGEMENT REALLY EMBEDDED IN STRATEGY?

Risk Management

Viljoen van der Walt

As risk professionals, we are leaders in our sector: financially sound, upwardly mobile, socially connected, ethically proud. Our strategy guides the way to a bright future while we continuously identify, assess and manage risks. We should get full marks…or should we?     

The COSO definition of risk management states that risk management is embedded in strategy and South Africa’s King III Code on Corporate Governance recommended risk management to be applied as part of the strategy process. 

However, a recent study of strategy formulation processes has failed to provide examples of how this is actually done. Furthermore, when a representative sample of business leaders was asked about embedding risk management in their strategy processes, a large majority accepted the principle but was less assertive regarding the status quo at their organisations. 

The problems are…

  • In spite of general acceptance, the methodology of embedding risk management into strategy is not very clear, while guiding processes in literature are scarce to non-existent;
  • Risk management sources regularly acknowledge that the function is embedded in the nature of strategy, but if strategy formulation sources are searched, reference to risk management steps are uncommon;
  • Silos… These two functions are still within silos at many companies, both locally and abroad – something proved yet again in a recent academic study.
  • Have you ever considered where a risk appetite setting slots into the ISO 31000 (2009) framework?  

What is the missing link?

There are many reputable sources guiding the risk management process. Among these are ISO 31000 and all related sources. But where does risk appetite setting slot into ISO 31000?

Have you ever considered adapting the ISO 31000 process to include risk appetite setting?

How do we move towards a risk embedded strategy formulation process?

The potential absence of embedding risk management into strategy processes was identified by many authors. One source, Noy and Ellis (2003:691), stated that risk management is a “neglected component of strategy formulation”.

Risk management is a function applied via a process. Similarly, strategy formulation is best executed via the application of a process. It is worth considering whether these wo processes could be combined, with the steps of the risk management process as adapted above embedded into a generic strategy formulation process. Look at embedding the adapted risk management process (Figure 1) into a generic strategy formulation process (Figure 2):

Figure 1
Figure 2

The integration was not straightforward embedment. Following close scrutiny of each of the steps in both processes, it was found that the sequence of steps needed careful consideration. It was also found that some of the steps were of such a complementary nature that it was unnecessary to include both steps. The steps were then combined into single steps in the combined process.  

The outcome of the integration was found to be a 12-step process, best presented in a cyclical format to illustrate the cyclical characteristics of a risk management embedded strategy formulation process. Adopting such a process would allow risk management to be seamlessly embedded within strategy – and risk professionals could indeed give themselves full marks.