IRM ERM M2U7.2 Risk management and strategy Flashcards
4-step process for the management of risk applied to strategy
Step 1 - Consider the context, strategy, and objectives, and set the amount of risk that the organisation is willing to seek or accept to achieve these objectives (risk appetite).
Step 2 - Identify and assess the risks associated with the achievement of the strategy and objectives.
Step 3 - Put in place the controls and actions needed to manage these risks.
Step 4 - Monitor and review the risks and controls, and report to stakeholders on the implications for the achievement of the strategy and objectives.
Strategic risk areas examples
The following strategic risk areas are indicative of the risks that are commonly found in strategic risk registers:
Succession planning for CEO / key C-Suite staff.
Competition risk.
Industry existential threats / evolution.
Shareholder exit arrangements.
ISO 31000, strategy as part of the risk management process
Under ISO 31000, strategy is covered in the risk management process under “Scope, context and criteria”. This step in the process includes:
defining the purpose and scope of risk management activities
identifying the external and internal context for the organisation
defining risk criteria by specifying the acceptable amount and type of risk, and
defining criteria to evaluate the significance of risk and to support decision-making.
COSO components of strategy
The COSO standard amplifies the key components of strategy and objective setting as follows:
- Analyses Business Context – The updated framework considers business context and the role of internal and external stakeholders. The point is that management must consider risk from changes in business context and adapt accordingly in executing strategy.
- Defines Risk Appetite – The organisation defines risk appetite in the context of creating, preserving, and realising value. The risk appetite statement is considered during strategy setting, communicated by management, embraced by the board, and integrated across the organisation.
- Evaluates Alternative Strategies – Alternative strategies are built on different assumptions – and those assumptions may be sensitive to change. The organisation evaluates strategic options and sets its strategy to enhance value, considering risk resulting from the strategy chosen.
- Formulates Business Objectives – Management establishes objectives that align with and support the strategy at various levels of the business. These objectives should consider, and be aligned with, risk appetite.
How strategy influences the management of risk
Organisational lifecycle
For example, at the start-up and growth stages the strategic focus tends to be on expansion and growth. At this stage operations tend to be very lean and agile, and the management of risk is primarily situated at the front lines with minimal central support.
By contrast, at the mature stage the strategic focus has often moved to increasing margins for existing products or services and encouraging innovation to develop new offerings. At this stage organisations have typically developed a more formal risk management infrastructure, with a robust professional risk function in the second line of defence.