A Reading List for Strategic Risk Analysis

COSO, ISO, and many others continue to encourage organizations to think about the multiple dimensions of strategic risks—strategic risks in choosing strategy and strategic risks in delivering on that strategy. Since I teach Strategic Risk Analysis and have written on this subject, I frequently get asked about a reading list. Below is a supplementary reading list for my graduate course on Strategic Risk Analysis at St. John's. The list starts with disruption. I believe that sometimes, before a strategy is chosen, it is best to understand what changes, innovation, and disruptive risks exist that are likely to impact an organization.

DISRUPTION

  • No Ordinary Disruption (Dobbs et al.)
  • Big Bang Disruption (Downes & Nunes)
  • Your Strategy Needs a Strategy (Reeves et al.)
  • Create Marketplace Disruption (Hartung)
  • Superforecasting (Tetlock and Gardner)

STRATEGY SETTING / CHOOSING

  • Blue Ocean Strategy (Kim & Mauborgne)
  • The Lean Startup (Ries)
  • Playing to Win (Lafley and Martin)
  • Brand Resilience (Copulsky)
  • Discovery Driven Growth (McGrath and MacMillan)
  • Upside (Slywotzky)
  • Innovator’s Toolkit (HBS) 
  • Geography of Genius (Weiner)

STRATEGY DELIVERY / IMPLEMENTATION

  • Achieving the Execution Edge (Bart & Schreiber)
  • Strategic Project Management Made Simple (Schmidt)
  • When Strategy Execution Marries Risk Management (Ow)
  • Seven Strategy Questions (Simons)
  • Strategy that Works—How Winning Companies Close the Strategy-to-Execution Gap (Leinwand & Mainardi)

BUSINESS MODELS

  • Not much here. Hope someone writes something good soon. I still use my lecture notes developed with Dr. Bill Shenkir (former Dean at the University of Virginia's Comm School) 15 years ago. Haven't found anything better. 

What are your best reading recommendations on strategic risk analysis? 

 

Innovation and Risk—Not Everyone Appears to See the Disruption Equally

A recent project by the Center for Excellence in ERM at St. John’s University analyzed Fortune 100 disclosures about innovation. The approach considered both risk factor disclosures in Item 1a (which tend to be negative) and other disclosures in the Annual Report where the company talks more about how they are innovating (these tend to be positive disclosures about innovation).

The analysis shows that the average Fortune 100 company mentions innovation in a positive way seven times, which is more than twice as often as they mention innovation in a negative way—three times. This is good news, and partially suggests that large companies see innovation as a problem but also as an opportunity. Interestingly, the tech companies in the Fortune 100 mention innovation in a positive way 16 times (more than double the average of everyone else).

The most aggressive companies about innovation opportunity include:

  • Procter & Gamble (with 34 positive mentions)
  • IBM (with 27 positive mentions)
  • Pfizer and Dow Chemical (both had 25 positive mentions)

The surprise, however, is the inconsistency from industry to industry. A few industries appear to be unconcerned about innovation from an opportunity view or downside view. Those include energy, insurance, banking, and healthcare. One notable exception in those industries is American Express. 

The Many Ways to Identify Risk

In 2001, a paper entitled Managing Risk in the New Economy was published by the AICPA. That paper identified the many different ways companies can identify their risks. These included:

  • Interviews
  • Questionnaires
  • Brainstorming
  • Self-assessment and other facilitated workshops
  • SWOT analysis (Strengths, Weaknesses, Opportunities, and Threats)
  • Comparison with other organizations
  • Discussion with peers
  • Benchmarking
  • Risk consultants / risk SMEs
  • Checklists
  • Flowcharts
  • Scenario analysis
  • Value chain analysis
  • Business process analysis
  • Systems engineering
  • Process mapping
St. John's University graduate ERM Students in Silicon Alley discuss how they would identify the risks of an organization.


Since 2001 other sophisticated methods for identifying risks have emerged and it is important to get the right risks identified. As shown to the right, St. John’s University graduate ERM students in Silicon Alley get this. In one class exercise, the students discussed how they would identify the risks of an organization in addition to conducting interviews (Step 1 above).

ONE FINAL THOUGHT
It is enterprise risk management, not enterprise risk identification. Assuming the correct risks have been identified, it's the management of the risk that ultimately “creates, protects, and enhances shareholder value.”

 

Gain Insights Into Strategic Risks with Macro Risk Analysis

Macro risk analysis uses simple modeling to gain insights into strategic risk dimensions. The importance of understanding strategic risk dimensions is emphasized by ISO recommendations that organizations "understand the context" and COSO's ERM exposure draft principles suggesting organizations consider risk in the business context and evaluate risk in alternative strategies. The COSO exposure draft also highlights the following strategic risk dimensions:

  • The possibility of strategy and business objectives not aligning with mission, vision, and values
  • The implications from the strategy chosen
  • Risks to executing the strategy.

Organizations should consider how they identify and understand these strategic risk dimensions. One tool to help understand strategic risk dimensions is macro risk analysis. This tool helps a company model how key macro variables drive strategic risks. 

Some potential benefits from macro risk analysis include:

  • Creating a dialogue around strategic risk drivers
  • Learning how much strategic choices are impacted by macro factors
  • Confirming the business model
  • Gaining clarity on performance metrics.

 

Read more about macro risk analysis in the recent white paper by Jim Presmanes and Paul Walker.

 

 

 

ERM in the Energy Industry

A recent study by the Center for Excellence in ERM at St. John's University shows the state of ERM in one industry—energy. The study highlights the top risks in the industry and the ERM practices.

The good news:
- 73% have a formal ERM initiative or process, and
- 88% have risk maps.

The not-so-good news:
- 48% have been surprised by a risk event
- 38% have no clear risk accountability
- 56% do not know when to do a deep dive
- 52% do not look at the upside or opportunities
- 49% do not look at risks in an integrated approach
- 38% do not take risk information to the board in a timely manner.

How to Incorporate ERM into Innovation

The recent report on innovation and risk shows that ERM executives believe ERM is a missing piece of the innovation process. Some of the keys are:

  • Incorporating ERM into the innovation process
  • Requiring risk acumen
  • Risk-adjusting the analysis, and 
  • Doing risk post-mortems.

These keys are designed to counter the risk of bias by various members, force the risk conversation at every stage (rather than after the new innovation is launched), identify and understand all risks with the innovation (not just the financial related risk), get consistent performance, and change the thinking from a certain number to the real value associated with the innovation. One CFO even argued that financial numbers are the last thing to consider. 

The real success? "If you know the real risks, you can innovate more," according to one Fortune 50 company executive.

 

 

Insights on Risk in a Disruptive Age

The Center for Excellence in ERM at St. John's University and the ACCA co-hosted an Oct 13th event on risk and disruption.

St. John's alumnus Henry Ristuccia (Global leader of Deloitte’s Governance, Risk Management and Compliance practice as well as a financial services industry senior client service partner) delivered the keynote and was joined on a panel by Lee Marks (SVP of ERM at First Data) and Michael Lynn (Vice Chair of the IIA's Global IT Guidance Committee).

The Original COSO ERM Background

Around the year 2000, we were asked by COSO to determine if they should write an ERM framework. Students, educators, and others with ERM curiosity might find our original report of some interest. Our answer was, "Yes. Write an ERM framework."

Back then we thought an ERM framework should address:

  • Risk identification and establishing a risk language
  • Measurement and prioritization of risks
  • Business risk solutions, and
  • Risk infrastructure.

Despite the fact that a lot has changed in the world, this framework is still a good starting point.

 

 

How to Flip Risk into Potential New Revenue: One Lesson from Grad Students in Silicon Alley.

1. Know the business model.
Really know the business model. Spend time discussing, evaluating, and applying strategic risk tools to understand and score the business model. One key strategic risk is the health of the business model.

2. Write the business epitaph.
Ponder the death risk combination of trends and disruption that could take out or severely impact the business in the future.

3. Using the insights from #1 and #2, confront the upside risk and opportunity. 
Learn how to generate new revenue opportunities using new business models (a strategic risk tool). Map the ideas to help see feasibility or identify early wins. 

Students at St. John's mapped out their approach to a Fortune 100 company.


APPLICATION:
Graduate Enterprise Risk Management (ERM) students at St. John's University Tobin College of Business applied the approach above to a Fortune 100 company. The students also mapped the ideas (see left). As the photo shows, these millennials thought there was tremendous upside opportunity—untapped revenue. 

 

 




This exercise was part of a class assignment. St. John's University is one of a few schools that offer both an MS ERM and an MBA in ERM. Sitting in what some call Silicon Alley, St. John's shares the same building with IBM's Watson.

Three Big Ideas About the Innovation and ERM Link

Innovation and disruption are coming to many organizations. For some, it is already upon them. For others, it is moving so quickly that leaders either do not see it or they misunderstand it. New research by the Center for Excellence in ERM at St. John's University highlights three big ideas.

#1 — Companies must learn to see the waves of disruption coming at them.
Interpreting what is noise versus a signal is critical. The sooner the better. It is critical to link the detected signal to the current business model, risks, and strategic plans. As others have noted, continuing to believe the same things over and over can have serious negative consequences. Challenge the traditional thinking at your organization. 

#2 — Organizations need to create their own innovation waves to keep up or disrupt others.
Innovation is a response to strategic risk. If the innovation person/team is not talking to the team that is watching for the waves of disruption coming, then a serious disconnect exists.

#3 — Organizations must identify the risk in new innovations.
If you know the real risks and the related dimensions, the chances of success increase and more innovation can be done. Not understanding the related risks seems foolish in today's environment. 

 

 

 
