It must align with business strategy to achieve the desired outcomes.
After all, as I like to say, a risk isn't a risk unless it affects your objectives, either positively through gain or negatively through loss.
While some senior executives might agree that risk strategy should have equivalent importance, this is part of the challenge in aligning, if not integrating risk management and business strategies. In the end, you can't afford to do otherwise.
Effective risk management is critical to achieving strategic and tactical goals. Every objective, whether that of individual lower-level managers or enterprise-level strategies, is achieved by virtue of effectively mitigating or leveraging the risks associated with each.
Each time a firm fails to meet its goals, you can bet there are one or more risks that are culprits. Each time an enterprise fails, it is the result of the cumulative impact of risks not mitigated to levels consistent with the firm's risk appetite and/or its risk specific tolerances set by management. Each time this occurs, it is likely that there is little if any cooperation or alignment between the risk and planning functions. However, if your firm is progressive enough to recognize the opportunity this represents, you've got a better chance of a successful mission accomplishment.
Step one in avoiding this pitfall is developing a risk management strategy that is tied directly to business strategy. Ideally, you would start the draft goals for the long-term (strategic) period as a starting point. With this in hand, you would begin by meeting with the planning leader and establish a baseline for a process that ferrets out the biggest risks associated with each business goal, both from a threat and an opportunity standpoint. Depending on your cultural orientation, you may agree that the threats are either the first priority or perhaps the main focus, but always try to garner commitment to leveraging risks for gain.
Next, you should find out who owns these risks and arrange to walk through their current state of mitigation (threat) or exploitation (opportunity) to assess the fit to the firm's risk appetite overall, and the risk tolerances that have ideally been set in each related exposure area.
To the extent there is significant variance to these limits, press for adjustments that would bring them in line. Once compiled, you'll want to look at the aggregation of all significant risks to the plan and compare the result to the firm's overall risk appetite. Of course, this presumes that the risk level appetite has been defined and agreed upon by management and ideally validated by the board.
To do this work, quantification tools are necessary to enable you to measure risks consistently and facilitate not their summation, but their correlated aggregation, taking into account any relevant offsets that represent risks unlikely to occur together or within the same timeframe.
Completing this process means aligning resources and activities with your goals in order to achieve the overall mission. Of course, there are nuances to this, like there are for all processes. Suffice it to say, this is a continuous process that should be regularly updated for changes in the environment, both internally and externally, that affect exposures and drivers of risk.
CHRIS MANDEL is the president of Excellence in Risk Management LLC, a long- term risk management leader and former president of RIMS.
June 1, 2011
Copyright 2011© LRP Publications