As noted by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), “In the aftermath of the financial crisis, executives and their boards realize that ad hoc risk management is no longer tolerable and that current processes may be inadequate in today’s rapidly evolving business world.”  However, especially for nonfinancial companies that may be relatively new to these topics, enhancing risk management can be a somewhat daunting task.
This article focuses on two key aspects of the relationship between risk and strategy: (1) understanding the organization’s strategic risks and the related risk management processes, and (2) understanding how risk is considered and embedded in the organization’s strategy setting and performance measurement processes. These two areas not only deserve the attention of boards, but also fit closely with one of the primary responsibilities of the board — risk oversight.
The Advent of Strategic Risk Management
Enterprise risk management (“ERM”) and risk management in general can encompass a wide range of risks that face any organization. Some risks may reflect exposures that, although harmful, will not threaten the overall health of an organization or its ability to ultimately meet its business objectives. For example, a temporary data center outage can result in a short-term problem or customer dissatisfaction, but once recovered, the organization can quickly be back on track. Other more significant risk events can be catastrophic, resulting in losses that can not only impair an organization’s ability to meet its objectives, but may also threaten the organization’s survival. The recent credit crisis is an example of this type of risk. These more significant risk exposures have given rise to a focus on “strategic risks” and “strategic risk management.” “Strategic risks” are those risks that are most consequential to the organization’s ability to execute its strategies and achieve its business objectives. These are the risk exposures that can ultimately affect shareholder value or the viability of the organization. “Strategic risk management” then can be defined as “the process of identifying, assessing and managing the risk in the organization’s business strategy—including taking swift action when risk is actually realized.” Strategic risk management is focused on those most consequential and significant risks to shareholder value, an area that merits the time and attention of executive management and the board of directors.
Standard & Poor’s included the following attributes for strategic risk management in its 2008 announcement that it would apply enterprise risk analysis to corporate ratings:
- Management’s view of the most consequential risks the firm faces, their likelihood, and potential effect;
- The frequency and nature of updating the identification of these top risks;
- The influence of risk sensitivity on liability management and financial decisions; and
- The role of risk management in strategic decision making.
Clearly the potential impact of strategic risks is significant enough to deserve the attention of the board and its directors.
At the board level, strategic risk management is a necessary core competency.  In Ram Charan’s book, Owning Up: The 14 Questions Every Board Member Needs to Ask, one of the questions posed is “Are we addressing the risks that could send our company over the cliff?”  According to Charan, boards need to focus on the risk that is inherent in the strategy and strategy execution:
Risk is an integral part of every company’s strategy; when boards review strategy, they have to be forceful in asking the CEO what risks are inherent in the strategy. They need to explore ‘what ifs’ with management in order to stress-test against external conditions such as recession or currency exchange movements. 
Regarding risk culture, Charan provides the following insight: “Boards must also watch for a toxic culture that enables ethical lapses throughout the organization. Companies set rules—but the culture determines how employees follow them.”  We believe that corporate culture plays a significant role in how well strategic risk is managed and must be considered as part of a strategic risk assessment.
Understanding an Organization’s Strategic Risks and Related Risk Management Processes
A necessary first step for boards to understand their strategic risks and how management is managing and monitoring those risks is a strategic risk assessment. A strategic risk assessment is a systematic and continual process for assessing the most significant risks facing an enterprise.  It is anchored and driven directly by the organization’s core strategies. As noted in a 2011 COSO report, “Linkage of top risks to core strategies helps pinpoint the most relevant information that might serve as an effective leading indicator of an emerging risk.” 
Conducting an initial assessment can be a valuable activity and should involve both senior management and the board of directors. Management should take the lead in conducting the assessment, but the assessment process should include input from the board members and, as it is completed, a thorough review and discussion between management and the board. These dialogues and discussions may be the most beneficial activities of the assessment and afford an opportunity for management and the directors to come to a consensus view of the risks facing the company, as well as any related risk management activities.
The strategic risk assessment process is designed to be tailored to an organization’s specific needs and culture. To be most useful, a risk management process and the resultant reporting must reflect and support an enterprise’s culture so the process can be embedded and owned by management. Ultimately, if the strategic risk assessment process is not embedded and owned by management as an integral part of the business processes, the risk management process will rapidly lose its impact and will not add to or deliver on its expected role.
Integrating Strategic Risk Management in Strategy Setting and Performance Measurement Processes
The second step for an organization is to integrate strategic risk management into its existing strategy setting and performance measurement processes. As discussed above, there is a clear link between the organization’s strategies and its related strategic risks. Just as strategic risk management is an ongoing process, so is the need to establish an ongoing linkage with the organization’s core processes to set and measure its strategies and performance. This would include integrating risk management into strategic planning and performance measurement systems. Again, the maturity and culture of the organization should dictate how this is performed. For some organizations, this may be accomplished through relatively simple processes, such as adding a page or section to their annual business planning process for the business to discuss the risks it sees in achieving its business plan and how it will monitor those risks. For organizations with more developed performance measurement processes, the Kaplan-Norton Strategy Execution Model described in The Execution Premium may be useful. This model describes six stages for strategy execution and provides a useful framework for visualizing where strategic risk management can be embedded into these processes.
Stage 1: Develop the strategy
This stage includes developing the mission, values, and vision; strategic analysis; and strategy formulation. At this stage, a strategic risk assessment could be included, using the Return Driven Strategy framework to articulate and clarify the strategy and the Strategic Risk Management framework to identify the organization’s strategic risks.
Stage 2: Translate the strategy
This stage includes developing strategy maps, strategic themes, objectives, measures, targets, initiatives, and the strategic plan in the form of strategy maps, balanced scorecards, and strategic expenditures. Here, the strategic risk management framework would be used to develop risk-based objectives and performance measures for balanced scorecards and strategy maps, and for analyzing risks related to strategic expenditures. At this stage, boards may also want to consider developing a risk scorecard that includes key metrics.
Stage 3: Align the organization
This stage includes aligning business units, support units, employees, and boards of directors. The Strategic Risk Management Alignment Guide and Strategic Framework for GRC (Governance, Risk and Compliance) would be useful for aligning risk and control units toward more effective and efficient risk management and governance, and for linking this alignment with the strategy of the organization.
Stage 4: Plan operations
This stage includes developing the operating plan, key process improvements, sales planning, resource capacity planning, and budgeting. In this stage, the strategic risk management action plan can be reflected in the operating plan and dashboards, including risk dashboards. One organization we worked with developed a “resources follow risk” philosophy to make certain that resources were appropriately and efficiently allocated. This philosophy focused on ensuring that resources used in risk management are justified economically, based on the relative amount of risk and cost-benefit analysis.
Stage 5: Monitor and learn
This stage includes strategy and operational reviews. “Strategic risk reviews” would be part of the ongoing strategic risk assessment, which reinforces the necessary continual, closed-loop approach for effective strategic risk assessment and strategy execution.
Stage 6: Test and adapt
This stage includes profitability analysis and emerging strategies. Emerging risks can be considered part of the ongoing strategic risk assessment in this stage. The strategic risk assessment can complement and leverage the strategy execution processes in an organization toward improving risk management and governance.
For more information about integrating risk management in the strategy execution model and a discussion of risk scorecards, see “Risk Management and Strategy Execution Systems.” 
Final Thoughts: Moving Forward with Strategic Risk Management
Management teams and boards must challenge themselves and their organizations to move up the strategic risk management learning curve. Developing strategic risk management processes and capabilities can provide a strong foundation for improving risk management and governance. Boards may want to consider engaging independent advisors to advise and educate themselves on these matters. For organizations that are early in this process, the seven keys to success for improving ERM as described in a 2011 COSO Thought Leadership Paper may be useful, and are applicable in strategic risk management:
1. Support from the top is a necessity
2. Build ERM using incremental steps
3. Focus initially on a small number of top risks
4. Leverage existing resources
5. Build on existing risk management activities
6. Embed ERM into the business fabric of the organization
7. Provide ongoing ERM updates and continuing education for directors and senior management
However the board decides to proceed, its leadership, direction, and overall oversight will be critical to the success of a strategic risk management process.
“Effective Enterprise Risk Oversight: The Role of the Board of Directors,” COSO, 2009, p. 1.
Mark L. Frigo, “Strategic Risk Management: The New Core Competency,” Balanced Scorecard Report, Vol. 11, No. 1, January–February 2009.
Ram Charan, Owning Up: The 14 Questions Every Board Member Needs to Ask (San Francisco: John Wiley & Sons, 2009).
Charan, Owning Up: The 14 Questions Every Board Member Needs to Ask, p. 23.
Charan, Owning Up: The 14 Questions Every Board Member Needs to Ask, p. 28.
Mark L. Frigo and Richard J. Anderson, “Strategic Risk Assessment: A First Step for Improving Risk Management and Governance,” Strategic Finance, December 2009.
Mark S. Beasley, Bruce C. Branson and Bonnie V. Hancock, “Developing Key Risk Indicators to Strengthen Enterprise Risk Management,” COSO, 2011, p. 2.
Robert S. Kaplan and David P. Norton, The Execution Premium (Cambridge, MA: Harvard Business Press, 2008).
Mark L. Frigo and Richard J. Anderson, “Strategic Risk Management: A Primer for Directors and Management Teams,” 2012.
Mark L. Frigo and Richard J. Anderson, “A Strategic Framework for Governance, Risk and Compliance,” Strategic Finance, February 2010.
Robert S. Kaplan, “Risk Management and Strategy Execution Systems,” Balanced Scorecard Report, Vol. 11, No. 6, November–December 2009.
Mark L. Frigo and Richard J. Anderson, “Embracing Enterprise Risk Management: Practical Approaches for Getting Started,” COSO, 2011.