In a study conducted by the Conference Executive Board and published by Harvard Business Review it was found that strategic risks accounted for 86 percent of significant shareholder value losses over the last decade. This is significant since most risk professionals are not trained in strategy and the C-suite typically does not view them as partners in strategy development. FEI Daily spoke with Mike Kearney, Managing Partner of Deloitte Advisory’s Strategic Risk practice, about strategic risks and why organizations spend more time on them.
FEI Daily: What was the impetus for building a new practice within Deloitte?
Mike Kearney: We started our strategic risk business about two-and-a-half years ago. We wanted to help our clients get more value out of their enterprise risk management program. Unfortunately, many companies treat ERM as a compliance activity. When I talk to executives, they often state that they don’t get a lot of value out of ERM. As a lifelong risk professional, this was very depressing.
So what are strategic risks? Before I define, let me just give you some examples.
If you are in the auto industry, you are thinking about how future generations will get from point A to point B. Maybe they won’t purchase 2.5 cars like we have. Or, if you are in the airline industry, you are focusing on competition from overseas where they have newer planes, lower cost structure, and government subsidies. Or how about about healthcare? Today the focus is on what’s going to happen with the Affordable Healthcare Act, but what about other factors that are driving change in the industry, everything from creating the optimal patient experience to doctors being paid for outcomes and not how many patients they see in a day.
We find that many companies don't really spend a lot of time on strategic risks. Most of your readers probably focus on financial reporting, compliance, and operational risks. While these are important risks, this is unfortunate because the risks that have the biggest impact on shareholder value are strategic.
FEI Daily: Why aren’t companies focusing on strategic risks?
Kearney: There are a whole host of reasons. The executive responsible for strategy likely identifies some risks, however, in my experience, it doesn’t go deep enough. And why would it? You've just spent all of your time and energy creating this strategy, why would you challenge the assumptions and point out all of the risks?
Also, most risk professionals haven’t been trained to evaluate strategic risks. It takes a very different mindset to think about the strategy of the organization and external conditions that could potentially disrupt the business. It’s difficult to take a traditional risk professional who is used to assessing financial reporting or compliance risks and elevate them up to the C-Suite. Also, the fact that there are few regulations mandating the assessment of strategic risk doesn’t help either.
FEI Daily: What does it mean to focus on strategic risk?
Let me start with a definition…strategic risks are those risks that threaten to challenge to the logic of a company’s strategy. However, I like to make it real for clients using a three-legged stool metaphor.
The first leg are the risks associated with the strategic choices that have been made. Underneath every strategy, there are assumptions on how the future will play out. Within those assumptions, there are risks that need to be monitored since the future you anticipate may not play out the way you envisioned.
The second leg is focused on VUCA, a term that we borrowed from the Army War College. We live in a world that is volatile, uncertain, complex and ambiguous. And in this world there are new risks that challenge strategy every day. When strategy is created, it is usually based on the best information available at that time. However, we all know that the world is changing fast and it is important to understand how it impacts the viability of the chosen strategy.
The third leg is really simple. You can come up with the best strategy, you can stay on top of changes in the external environment, but you've got to execute. Interestingly, we find that strategy often falls apart in execution or an overly-aggressive agenda of priorities leading to initiative overload.
FEI Daily: Risk can come from anywhere. Where should companies begin?
Kearney: I am a big believer in not creating unnecessary complexity. Embed strategic risk into existing processes, reports, meetings, everything. As risk professionals, we are notorious for creating new meetings, reports, roles. From there, the Risk team should begin to work with the Strategy group to identify risks when strategy is set. Risk should also partner with whoever in the organization is responsible for identifying trends that will create new opportunities and risks in the future. In my experience, there are usually people in large organizations that have this responsibility. Risk should work with them and, to the extent possible, avoid creating a competing organization. And finally, Risk should be integral in identifying and monitoring risks associated with projects to execute on the strategy.
FEI Daily: How can CFOs encourage a strategic mindset in their risk professionals?
Kearney: CFOs are often tasked with the responsibility of leading ERM programs, especially when there isn’t a formal CRO, which is the case for many non-financial services companies. An effective ERM program must consider the full spectrum of risks, including strategic.
It all starts with linking risk to the strategy of the organization. Most executives are focused on growing shareholder value and executing on their strategy. When I work with risk professionals in developing presentations for the executive team or the board, I always recommend that they start with what is important to the leaders of the organization. What is the mission of the organization, what are their strategic priorities, and how do they measure success? Risk professionals should put risk into a context that aligns with what matters to the executive team and how it can help them drive value. Once they make that connection, they will likely get their attention.
I would also encourage risk professionals to develop a genuine level of curiosity. Spend more time thinking about the company’s strategy. Think like a CEO or an investor. Spend time understanding what is going on in the industry that could create new risks for the company. Look outside the industry for trends that could impact the company down the road. You don’t have to look too far to see how traditional industries are converging. Who would have ever thought that you would see a doctor at your local drug store?