Enterprise Risk Management as a Strategic Tool for Companies

I previously wrote an article referencing the latest report from the Enterprise Risk Management (ERM) Initiative at North Carolina State University, in partnership with the American Institute of Certified Public Accountants (AICPA).  Their 8th State of Risk Oversight report provides an overview of ERM practices for a variety of industries.

Although the previous article was specific to non-profits, this time we are going to talk about all industries because I am dismayed at the results discussed in the report.  Only 20% of the 432 respondents feel that the organization’s risk management process is a “proprietary strategic tool that provides a unique competitive advantage.”  Only 20%!

In reality, ERM (or just plain risk management to keep it simple) should be used to provide management with valuable information and insights as they make decisions about the strategic plan. 

But the report tends to lead me down the thought that management just doesn’t see the connection between risk management and strategy.

Does that mean that as risk professionals, we are not articulating the case for ERM being integrated with strategy?

Or are we so caught up in the operational side of the house that we aren’t demonstrating value by identifying emerging risks related to the industry, market, and strategic plan?

I wrote about some possible ways of identifying external risks, but many experienced risk professionals like Norman Marks will say (and I agree!) that ERM should be linking identified risks to an organization’s objectives.  Only then can management truly see the value of a robust ERM program.

What are your thoughts on linking risk management to strategy?

Please share your thoughts in the comment field below, or join the conversation on LinkedIn.

Do you want to help ensure your organization achieves its objectives but are unsure how to proceed?   Are you struggling to get your risk management initiative off the ground or back on track? To discuss ways your organization can link risk management to strategy, contact me today.


5 Comments

  • When a strategy team uses PESTLE or SWOT as part of the periodic strategic planning updating process, these tools/techniques identify uncertainties that can be turned into risks where appropriate. Clearly “risk”, i.e. the context phase of the risk management process, is being linked to objectives/strategies. It is integrated into the process, which according to ISO 31000 is the preferred way to do it. The query I had on the GE article in relation to emerging risks was how GE’s separate emerging risk practices were integrated into the update of its strategic plan. There were a couple of sentences that indicated they were taken into account, but how is this actually done? When risk management activities are being done off to the side of a process set up to make decisions, i.e. they are not integrated into, for example, the strategic planning process, there is a real risk the information will not be used (e.g. it could be outdated as new objectives are set as part of an updating process) or even properly understood (because it is de-linked from the formal process set up to make decisions on an updated strategic plan). In regard to the survey (and like most risk management surveys), the way the question is written could lead to people interpreting it in many ways, e.g. are we talking about what a risk management function typically does or the risk management process in general? Many may simply associate risk management with the formal risk identification, assessment etc process (the 20% answer in the survey is hardly surprising), not the process of ensuring those who make decisions have the requisite information on hand to make the right decisions at the right time when faced with uncertainty.

    • Hi, Glenn. Thanks for your comments. I agree with you that if the strategic planning team used SWOT or PESTLE, then risk would automatically be incorporated to a certain extent. But what if they do those analyses without really understanding how to incorporate the results in the decision-making process? If they don’t incorporate the results, then risk isn’t included.

      Risk management is about perception, whether it is about the branding of an ERM/RM program, its effectiveness, or even whether the company already has risk management. The survey may not have been explicit in its question or description, which concerns me that the results are being misconstrued.

      To answer your question about the GE processes re: emerging risks versus strategic risk, I have sent an inquiry to Carol Fox at RIMS to see if she would be able to get an answer. As soon as I hear, I will update the article to include the information…

      Thanks again!

  • Thanks Carol. In regard to strategy teams using SWOT and/or PESTLE and then not effectively using the results of the analysis, I suppose this is true of any tool or practice including the formal risk management process itself. In regard to your comment about risk management being about perception, I thought it was about helping decision makers make the right decisions at the right times when facing uncertainty pursuing business objectives. We do this by encouraging such decision making to be done in a structured and logical way. Perhaps too much concern for perception at the expense of substance has led to the formal risk management discipline being in the state it’s in today. Rgs Glenn

  • Gregory Sosbee
    April 11, 2017 10:50 am

    Risk is risk.

    An organization has financial, tactical and strategic exposures among others in its risk profile, but risk is risk. In a true Enterprise Risk Management environment there is one set of definitions, policies and procedures under the overall authority and responsibility of the Chief Risk Executive (CRE). (The use of CRO to designate the CRE became untenable when the CRO position became codified.) Since Risk Management is the only group (other than the CEO/President) in any organization that everything the organization touches and everything that touches the organization occurs, the CRE at a minimum should be on the same organizational level as the CFO and COO.

    Unfortunately, as supported by the NCSU ERM Initiative Oversight Report, most organizations (80% and actually closer to 90%) still see a siloed risk management effort despite any boxes checked confirming they have an ERM program. The fact that Carol’s well written article about the notion of ERM as a strategic tool is proof that silos still exist. All risk must be put through the full ERM matrix to align the risk management effort with Board directed and approved corporate goals.

    The ensuing use of models discussion between Glenn and Carol, while very good repartee, is a perfect example of the tug-of-war that the CRE faces daily when faced with the “old” organizational risk thought process. Models produce data points not answers. The ERM Matrix process converts the data points into probability ranges that provide leadership options to make informed organizational strategic decisions.

    Risk is risk.

    • Thanks for your comment, Gregory. I agree – risk is risk. It doesn’t matter the source, there is still a risk to the organization that needs to be known, recognized, and a decision. There is a lot of talk around strategic planning, but having risk information helps put some context and, more importantly, can ensure that certain risks are addressed as part of the bigger corporate plan!

