Determine the risk agenda. After defining, identifying, and prioritizing risks, management needs to assess how capable the organization is of mitigating the most critical risks. Companies can establish an effective risk agenda by determining the intersection of high-priority risks with weak capabilities. This risk agenda can be used to align the actions of various company stakeholders, such as the risk committee, office of the chairman, and business or functional management.
Build and adapt the risk management architecture. This architecture must reflect the risk agenda and encompass corporate processes, organization, information tools, and culture. For example, a company that depends on a nimble, decentralized organization to succeed in its markets should consider having a risk management architecture that manages activities and accountability in a decentralized fashion, but is also supported by diligent central monitoring of results.
Integrate risk management with strategic planning. Companies must incorporate their risk management capabilities — such as better business intelligence and scenario planning — in the strategic planning process. Fundamentally, the same capabilities that mitigate risk enable a company to capture growth opportunities. For example, when a company identifies a competitor that is posing a specific threat to its strategic position, the tools that will help the company defend itself and enhance revenues and earnings are better market-sensing capabilities, improved product development, and more sophisticated strategic planning activities.
Adapt the agenda and architecture to changes in the risk environment. Any broad risk management system must be flexible and responsive enough to adjust quickly to changing market dynamics. For example, if shifts in customer demand require a change in the company’s product mix, a good risk management system will anticipate the change and trigger a reassessment of the capabilities required to manage in the new risk environment implied by the new product mix.
Executing these imperatives requires a shift from a “culture of compliance” to a “culture of confidence.” That is, it requires a cultural shift from an exclusive focus on controls to an atmosphere in which managers can confidently choose, on the basis of robust analysis and strong corporate values, which strategic risks to take, which to mitigate, and which to avoid. By taking a diagnostic approach, companies not only avoid negative earnings surprises, but also save significant sums by targeting their investment on the key gaps in their strategic risk management capabilities.
Companies that are successful in establishing an effective risk management program are more likely to protect directors and officers against charges of lack of good faith, build stakeholder trust, capture opportunities, and improve corporate performance and shareholder value over the long run.
Paul Kocourek is a senior vice president with Booz Allen Hamilton in San Francisco. He focuses on the strategic transformation of companies facing changes in the competitive landscape or the regulatory environment.
Jim Newfrock is a principal with Booz Allen Hamilton in New Jersey. He specializes in business strategy and enterprise risk.
Reggie Van Lee is a senior vice president with Booz Allen Hamilton in New York. He has extensive experience in developing and implementing major growth strategies and change programs for media and high-tech companies.