Banking regulators recognize ‘Strategic Risk’ as a real risk, but shy away from defining it and setting standards to manage it.
Where does Strategic Risk fit in the risk universe? And why are regulators so frightened of it?
First, what is ‘strategic risk’? There are (as in all things risk-related) many definitions of the term but most relate to the achievement (or non-achievement) of a firm’s strategic goals.
Frigo and Anderson [1] note that COSO defines strategic objectives, which are at the “core of an organization’s strategy”, as “high-level goals, aligned with and supporting its mission.” And they define ‘strategic risks’ as “both internal and external events and scenarios that can inhibit an organization’s ability to achieve its strategic objectives”.
Deloitte [2] define ‘strategic risks’ as those “that affect or are created by an organization’s business strategy and strategic objectives”. And Slywotzky and Drzik [3] define and emphasise the importance of strategic risks “that can disrupt or even destroy [a] business”.
Using ISO 31000 terminology, we can define ‘strategic risk’ in a similar vein as the ‘effect of uncertainty on strategic objectives’ or the risk that a firm will fail to achieve its strategic objectives.
The stakes are high. If a strategy fails, in particular because the associated risks are not managed properly, a firm’s shareholders may suffer considerable losses, even bankruptcy.
But let’s step back.
Using the terms ‘firm’ or ‘organization’ in relation to strategy and strategic objectives is not correct. Strategic objectives are set by the Board and management of an organization and the ‘strategy’, or plans and means to achieve those objectives, is also set by the Board and management.
Everything about strategy, including how plans change with respect to external events as a strategy evolves, involves conscious, deliberate decisions made by the leaders of an organization.
Of course, changes in the external economic or political environment create risks to achieving strategic objectives but how a Board anticipates and manages the consequences of those changes will determine the success or otherwise of their chosen strategy.
So strategic risk is related to ‘decision making’ and the ‘people’ who make those decisions. Furthermore, as ‘people risk’ is a subset of ‘operational risk’, then it can be classified as a sub-set of ‘operational risk’ [4].
But of course ‘strategic risk’ is very different in its potential impact to other types of operational risks, such as fraud or business disruption due to terrorism.
So what are the unique or unusual aspects of strategic risk that make it difficult to manage (and scary for regulators)? There are a number.
First, the potential impact. Failure to manage the risks in a strategy can bankrupt a firm, see for example the cases of Lehman Brothers or Royal Bank of Scotland [4].
Equally, the potentially disastrous impact would/should argue strongly for the highest level of risk management.
Second, massive uncertainty. The major events that will impact the success of a strategy will be external to the firm, in the form of the (very uncertain) future actions of competitors, customers and regulators, plus the impact of new technologies.
Third, lack of transparency. Because of the conventions of corporate governance, most especially Board level secrecy and solidarity, the rationale behind strategic decisions, such as the choice of specific objectives, are rarely disclosed and not usually open to constructive questioning. Strategies are ‘handed down’, like biblical tablets of stone.
Fourth, risk mitigation is hard. There are no natural hedges for a strategy. Because of the resources needed, a Board cannot start off one strategy and then set off on another different strategy to offset risks. A Board might choose to follow diversified strands in its strategy but that will be as part of a single effort with integrated objectives.
Fifth, lack of experience. Few directors and executives actually get to follow through a successful strategy from inception to completion (5-7 years) and very few get to do it multiple times, having learned lessons along the way. Of course, consultants may help, but their track record is not stellar either.
Last, and most importantly, having taken a strategic decision, a Board is also the body that monitors the performance of that decision which is clearly unsatisfactory from a risk management perspective (a clear conflict of interest).
If one was to plot a Risk Heat Map, Strategic Risks would be in the top, top red quadrant – highly likely (because of inexperience), high consequences (possibly bankruptcy) with few mitigation options.
In such a situation, who would not want to do formal risk management? And which regulator would not want to insist on formal risk management of a firm’s strategy (especially for Too Big To Fail corporations)?
Strategic risks result from the decisions (or lack of decisions) by a small group of senior people, and are solely within the control of people in the firm. They are examples then of ‘people risk’ which is a subset of ‘operational’ risk [4]. So (theoretically) strategic risks should be managed within a firm’s Operational Risk Framework.
However, as operational risk functions tend to be process-oriented and backward looking (using histories of events) they may not be ideally placed to consider strategic risk as a concept, unless they choose to lift their collective heads up.
And also regulators and risk managers are wary because it means taking on the most powerful groups in the economy, the Boards of large corporations, who are not used to their decisions being questioned.
It’s a stand-off!
References
[1] Frigo M. L., Anderson R. J., 2011, What Is Strategic Risk Management? Strategic Management http://www.markfrigo.org/What_is_Strategic_Risk_Management_-_Strategic_Finance_-_April_2011.pdf
[2] See Deloitte’s survey of 300 managers in ‘Exploring Strategic Risk” http://www2.deloitte.com/content/dam/Deloitte/global/Documents/Governance-Risk-Compliance/dttl-grc-exploring-strategic-risk.pdf
[3] Slywotzky A. J. and Drzik J., 2005, “Countering the Biggest Risk of All” Harvard Business Review, April
[4] Blacker K. and McConnell P. J., 2015, People Risk Management – A practical approach to managing the human factors that could harm your business, Kogan Page
People Risk Management 