From Risk to Strategic Risk

Five strategy and risk leaders from prestigious organizations discussed how risk and strategy are intertwined at the Center for Excellence in ERM at St. John's University. Strategy leaders from Time Inc. (Erik Moreno) and Con Edison (Guru Nadkarni) shared their views of strategy, strategy frameworks, the acceleration of disruption, business models, etc., and answered questions from leading risk executives about the strategy link to risk and how ERM can help strategy leaders. Risk leaders from General Motors (Kristie Bidlake and Ken Shogren) and PepsiCo (Denise Treacy) shared their tools for strategic risk identification and analysis as well as wisdom they've learned from making the strategy risk connection.

Identifying Risk at the Right Spot and Time

Identifying risks to objectives has been a great approach for several years. There are extensions to this approach that are important to think about.

1. Consider identifying risks in major decisions. If ERM adds value and does this by improving decisions (we have empirical evidence to support this) then ERM should be applied to new decisions and not just historical decisions and the related (already set) objectives. Those are still good places to identify risk but more can be done. Other places to consider risk identification include: large transactions, large contracts, new initiatives (think Wells Fargo), technologies, new business models (e.g. Uber or Chipotle), and strategy. The point is to identify the risk earlier, up front, instead of later when the objectives are written. This may require the ERM team to become more visible and more involved up front. 

2. Don't wait for objectives. In our recent FEI research report, companies that were in fast-moving industries do not wait for objectives to be written down. They listen to the CEO to identify the strategies and objectives. Waiting until a workshop or quarterly assessment can be too late in some industries.

Is Leadership a Risk?

Is leadership or leadership structure a potential top risk? According to an article in Forbes the answer is yes. The key is how many companies would even look at leadership as a top risk when they do their own risk identification. The Forbes article states:

"2. Organizational Leadership and a Strong Pipeline Are Important

Leaders could learn from Uber’s former CEO about the importance of organizational leadership and a strong pipeline. Uber had a bare senior leadership bench, and that led to culture fiascos, management failures and performance flops. Strong leadership at and near the top, an independent board, and thorough enterprise risk management would position a company for success better than one leader acting alone. - Kelly Byrnes, Voyage Consulting Group"

Thinking Beyond Impact in Risk Assessments

As ERM processes progressed, along with the sophistication of those involved, companies shifted from thinking about impact as dollars. To many, impact began to include other impact dimensions such as environmental, regulatory, health, safety, or even reputation. This gets a little tricky because organizations were combining quantitative dollars with qualitative assessments of these other dimensions. Still, this was an improvement, as was linking impact to what levels the organization cared about (whether or not this was formally stated in appetite statements). 

The next evolution in thinking about impact might need to be the impact dimension of the "business model." Business models, value propositions, and strategic positions are obtained and built and dollars tend to follow, but not always so quickly.

This especially applies to businesses that are facing significant and rapid disruption. As a reminder there are some famous companies that did not create positive net income for a long time, including some today that still lose a lot of money. But it is the strategy and business model position that the company has claimed that leads others to value them so highly. If the business model is threatened by some risk, the fall in dollars will follow.

Getting Better at Risk Identification

While many organizations do risk workshops and surveys to identify risks, stories of major risk mistakes keep making the headlines. A couple of points to keep in mind:

  • If your organization is in a rapidly changing environment, yearly risk assessments are not much help. In a fast environment, waiting till the CEO writes something down in a strategic plan is probably too late to do a risk assessment. During our research, one organization recently shared that they closely follow the CEO's comments and speeches because these are signals of the current and future strategy. It is critical to help the executive team and board navigate the risks and uncertainty around that strategy. 
  • Boards and ERM leaders should consider the source/inputs to the ERM map, register, etc. How did that list of risks get determined? How broad was the search? Have potential risks from the business model, value proposition, value chain, macro environment, changing competition, etc. been considered? 

How CFOs and Financial Executives Link Risk to Strategy, Disruption, and Their Own Skill Set

Our new FEI and FERF research report reveals how CFOs and financial executives link risk to strategy, disruption, and their own skill set. Highlights include:

  • Recognizing disruption, the speed of change, and the underlying sources of disruption

  • Increasing the enterprise’s risk IQ and capabilities

  • Thinking and communicating strategically, and

  • Developing skills to enable a forward-thinking, strategic finance organization. 

Boards - Do Your Disclosure Risks Match the Real or Assessed Risk?

Risk Disclosure Troubles Grow

The June 1st WSJ story "Ohio Sues Five Drugmakers, Saying They Fueled Opioid Crisis" highlights a recurring pattern in the ever growing importance, management, and oversight of risks—organizations are more and more getting into trouble over risk disclosures. Below is a summary of three separate lawsuits/investigations around risk disclosures.

1) In the Common Pleas Court of Ross County, Ohio Civil Division

The suit is about the opioid crisis and the role of certain drug companies. The suit alleges, among other things, that the defendants

- used third parties to spread inaccurate statements about risks, and

- used marketing schemes that misrepresented the risks and failed to disclose the known risk (and continue to disclose this incorrectly).

2) Chipotle: Alleged Inaccurate Statements (about the level of risk) 

After numerous food poisoning outbreaks, a civil suit was filed that alleged Chipotle made untrue statements or omitted statements (in public filings) about the level of risks (my word) in their food delivery process. Negative and related impacts included dramatic drops in their stock price and the board lowering the CEO's pay. Although the suit was dismissed [per Reuters 3/8/17] one takeaway is clear—public filings about the risk in business process are being watched and must be vetted. 

3) Dwolla: Level of Risk Disclosed About Data Security Was Inaccurate

The CFPB alleged that Dwolla had inaccurate disclosures about the level of IT/data risk. Dwolla had to pay a civil penalty and was ordered to do risk assessments. The order included language addressed to the board to "ensure adherence" which I interpret to mean "make management fix this problem."

Key ERM Lesson

Critical enterprise risks identified and assessed by management are probably biased and should be both benchmarked against others and supported with assessments beyond opinions. Risk assessments increasingly need to be more than management and employee opinions about probability and impact. A guide could be used on when to do a deeper risk assessment to verify the assessed level of risk.

Four Key Questions Board Members Should Ask About Risk Disclosures:

- How do we know we have the right risks disclosed?

- What has the organization done to ensure the level of risk disclosed is accurate?

- How do risk disclosures compare to other organizations?

- How do the risk disclosures compare to other statements and publications put out by the organization? 

Why ERM Leaders Should Be Involved in the Fraud Risk Assessment

The COSO Fraud Risk Management Guide is a valuable tool that shows how to conduct a fraud risk assessment, offering guides and templates that most organizations can use. 

The ERM team should be involved in the fraud risk assessment for the following reasons:

1. This is a risk identification exercise. Some of the conversations will bring up non-fraud risks.

2. Fraud risks can impact the reputation risk of the organization. Since many believe reputation is a second-order/latent risk, conversations about potential fraudulent actions can reveal deep knowledge about reputation risk levels too. 

3. Conversations about fraud risks and related controls help the ERM team learn/confirm about the culture of the organization. Lessons include the attitude toward fraud and risk or the general attitude about building a proper tone at the top. These can have big implications for the tone at the top and risk culture of the organization.

 

 

Another Method for Getting Better at Identifying Strategic Risks — Business Model Risks

Normal ERM

It is not unusual for organizations to have risk identification workshops and surveys. These are great and can be quite valuable. Some of the risks identified in these workshops can be labeled strategic (along with operational, financial, etc.). The problem with this risk identifier dilemma is that these are, at best, only the risks to the objectives and not the risks to the basic business model.

Asking the Business Model Risk Dimensions

In a world of strategic disruption and change, better questions lead to better strategic risk identification. To really identify the risks that can have major disruption, organizations need to think about the basic business model, value chain, customer value proposition, customer channels, segments, customer perceived and needed product/service dimensions, etc. These business model risks are much more likely to be the largest and real strategic risks.

What Value Killers Teach Us About Strategic Risks

Identify Value Killers

Companies can get clobbered. Deloitte’s study on “value killers” is a great lesson in understanding how company value moves around and just how much risk exists.

All public companies should try to identify their own value killers. Even a one day approach to stock price changes can reveal insights. Here’s one way to do it:

  • 1) Download your daily stock price.
  • 2) Calculate the one day percentage changes.
  • 3) Sort (consider absolute values).
  • 4) Investigate the days around the top drops and top gains to see what was happening. Consider beta or other major events that caused the entire market to move. Drill down to what moved your company's value.
  • 5) Compare the daily lessons/event to your strategic risks. 
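
The steps above can be run as a short script. This is an added example, not part of the original post: the price series is constructed sample data, and estimating beta by a simple regression over the same sample window is an assumption made here so that market-wide moves can be told apart from company-specific ones.

```python
"""Value-killer screen: rank one-day moves, then split market-wide from company-specific."""

# Constructed sample data (not real prices): date, company close, market index close.
PRICES = [
    ("2024-03-01", 100.00, 1000.0),
    ("2024-03-04", 101.00, 1010.0),
    ("2024-03-05", 100.50, 1005.0),
    ("2024-03-06", 92.00, 1004.0),   # company falls, market flat
    ("2024-03-07", 92.50, 1009.0),
    ("2024-03-08", 88.80, 968.6),    # company and market fall together
    ("2024-03-11", 89.70, 978.3),
    ("2024-03-12", 95.10, 980.0),    # company jumps, market flat
    ("2024-03-13", 95.00, 979.0),
    ("2024-03-14", 95.50, 984.0),
]


def pct_changes(closes):
    """Step 2: one-day percentage change for every day after the first."""
    return [curr / prev - 1.0 for prev, curr in zip(closes, closes[1:])]


def estimate_beta(company, market):
    """Slope of company returns on market returns (assumption: OLS over the sample window)."""
    mean_c = sum(company) / len(company)
    mean_m = sum(market) / len(market)
    cov = sum((c - mean_c) * (m - mean_m) for c, m in zip(company, market))
    var = sum((m - mean_m) ** 2 for m in market)
    if var == 0:
        raise ValueError("market returns have no variance; beta is undefined")
    return cov / var


def value_killer_days(rows, top_n=3):
    """Steps 2-4: rank days by absolute one-day change and label what drove each one."""
    if len(rows) < 3:
        raise ValueError("need at least three daily closes")
    dates = [row[0] for row in rows][1:]          # the first day has no prior close
    company = pct_changes([row[1] for row in rows])
    market = pct_changes([row[2] for row in rows])
    beta = estimate_beta(company, market)

    days = []
    for date, change, market_change in zip(dates, company, market):
        market_part = beta * market_change         # move explained by the whole market
        excess = change - market_part              # move specific to the company
        driver = "market-wide" if abs(market_part) > abs(excess) else "company-specific"
        days.append({"date": date, "change": change, "excess": excess, "driver": driver})

    # Step 3: sort on absolute value so top drops and top gains both surface.
    days.sort(key=lambda d: abs(d["change"]), reverse=True)
    return beta, days[:top_n]


if __name__ == "__main__":
    beta, days = value_killer_days(PRICES)
    print(f"estimated beta: {beta:.2f}")
    for d in days:
        print(f'{d["date"]}  change {d["change"]:+.2%}  '
              f'excess {d["excess"]:+.2%}  {d["driver"]}')
```

The dates labelled company-specific are the ones to investigate in step 4 and compare against the strategic risk list in step 5.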

What Might Be Learned or Gained?

- When and why the market likes you or does not like you.
- How much your own corporate value moves around.
- Confirmation that your strategic risks already identified are correct.
- Discovery of new strategic risks.
- A pattern of missing the same risks on a regular basis.
- A new dimension of risk—timing.  There are certain times in a company's history when having a certain risk event happen is significantly more troublesome than if it occurs at another time. This should be factored into risk action plans.
- You are sometimes susceptible to other people’s risks. My graduate ERM students at St. John's have found that sometimes, a company takes a hit not for what they have done but for a risk that has hurt another company. The market then assumes other companies in the same industry have the same problem. A little deep analysis and forward thinking (and perhaps better disclosures) could help mitigate this from happening to your company.

 

The ERM Role in M&As

Can ERM Play a Role in M&As?

Many believe that ERM should be about making better decisions and improving performance. While ERM is commonly applied around objectives and the related risk, few have applied it to the M&A process. Given that the biggest decision some companies make is the M&A or divestiture decision, it makes sense that ERM should be applied there and could probably add value. 

Two Versions of M&A As a Strategic Risk

Many also believe that M&A is a response to strategic risk. There are generally two versions. A cynical version is that after the organization has messed up everything else, they have nothing left to do but buy another company. One can only hope this does not happen too frequently. 

Another version is what I call the "hawk and hedgehog" view. The hedgehog concept of knowing one thing really well was first written about by Greek poets, later by Vogue, and made common in everyday business language after the best selling book Good to Great by Jim Collins. Not many would question that you've got to be good at something and focus to be successful—be a hedgehog. But in today's disruptive, rapidly-changing world, you've got to be a hawk too. COSO's ERM Exposure Draft emphasized this by listing ERM principles about monitoring substantial change, considering the business context, and evaluating alternative strategies. Hawks have amazing eyesight, can fly at incredible speeds, and can also dive to take over prey at incredible speeds. Today, companies need to be able to see better and farther and move more quickly to be successful. Keeping your head down and focusing is good, but not enough. 

When a company is a hawk, its leadership surveys (flies high and sees far) the landscape, future business models, future "blue ocean" dimensions, and uses that knowledge to compare the competitive position they should take with the position they are currently taking. They see the gaps and assess if internal capabilities exist to narrow the gaps. When that is not possible, leadership looks for a company that can help them narrow the gap (or perhaps narrow the gap more quickly than internal capabilities). In short, once they see it they rapidly swoop in and take their position. 

If the ERM team is not involved in the strategic view of M&A noted above, there are still ways to get involved.

Adopt a Before-and-After Enterprise-Wide View

If ERM really is integrated, enterprise-wide, portfolio focused, and holistic, then companies and their ERM leaders should analyze how the current risk portfolio changes after the transactions. There is a natural way to do this if some of the major risks are financial. One executive pointed out after a major transaction that they had just lost their natural hedge and, hence, the transaction was mispriced because no one factored that hedge into the deal. Similarly, another ERM leader identified the top drivers of one of their larger but ambiguous risks. Using the merger and acquisition plans (as stated in the CEO's strategy documents), they plotted out how many more acquisitions were likely to happen in the next two years. Each acquisition (and there were several for this company) raised some of the drivers of this particular risk, thereby raising the risk. In this case the risk went from somewhere around a Top 20 to a Top 5 and gathered a lot more Board and C-Suite attention as a result.

Double Check the Velocity of Any New Risks

Assuming you've identified the risks, look seriously at the velocity of any risks in M&As. These are risks that your company may not have managed before. In one case, an executive shared with me a situation where an M&A risk grew rapidly and ended up hitting the financial statements that same year. Apparently, his audit firm decided he should get a material weakness for, among other things, not following COSO ICIF Principle 9 about changes in the environment. Management's remediation statement is as follows (emphasis added): “Management plans to revise existing risk assessment practices to facilitate timely, recurring evaluations of internal controls over financial reporting for known and/or expected changes in our business environment during each calendar year.”

Review the M&A Process from a Risk Perspective

A third company used their ERM lead to review how the M&A process works. One of the bigger findings was that the metrics used were biased towards pulling the trigger on the deal versus whether the deal was a real success. A second major finding was that all risks weren't identified and sent to the board before the transaction was undertaken.

 

 

Building an ERM Program at St. John's University - "Where Risk Leaders Gather"

Five years ago we launched a Center for Excellence in ERM at St. John's University. Some prestigious firms donated money and some very smart people helped us along the way (for which we are grateful). The Center has focused on promoting the conversation about risks. We've done this in several ways (as described in this brief summary).

1. Building intellectual capital

2. Hosting Center Events

3. Growing an ERM degree

4. Volunteering and staying connected

5. Sharing with others

Culture Risk - Why We Fail or the Path to being a Great Organization?

Culture as a Negative

There seems to be more talk about culture and risk. A recent WSJ article highlighted how Wells Fargo will survey a couple hundred thousand employees in an attempt to measure and understand culture. This is a nice plan and a step forward.

 

Culture should be Measured in All the Right Places

To improve culture it is wise to know where it stands already. This usually includes measurement of culture and the Wells Fargo story suggests that is what they are doing. But in our earlier study on culture we focused on the culture and relationship between the C-Suite and the Board. Given that some (many or all) of these cultural debacles may have roots from the top, it is hard to believe that Boards are not demanding a measure or assessment of the C-Suite - Board culture and relationship. That study suggested a few key starting points. 

 

Culture and Greatness - An Observation

What should not be lost in the stories is that culture is also a key to greatness. It is not uncommon for new CEOs to admit that to turn the company around they need to change the culture; implying their fundamental belief that culture is related to being a great company. One successful CEO once told me that when his company loses their "soul" they get off track. When they are most successful they seem to have that soul again. I think he meant a form of culture, a discipline, buy-in, and a commitment to the mission. 

At some of the best companies that have let us in their doors (to do research) there does seem to be something there - a swagger, a confidence, a buy-in, everyone on the same page (ibidem). It appears to lead to greatness and success on their part.

 

What Board Members Could Ask about Risks around Strategic Position

Are we building strategic capability / market position that will last? How do we know? What are the risks to the position being built? What key insights do we have that justifies this position?

 

Where is the value being created now? In the future? How are we sure? At what level of certainty? Do our customers agree?

 

How are external stakeholders valuing our company beyond financials? What could influence one of these key valuation assessments?

 

How are we assessing our current business model? Why are we confident it is the right model? Which part of the business model is most at risk to volatility or large events?

 

How will we know if we are off track with the current strategy?

 

What continuing efforts do we have to ensure we are focusing on and/or searching for the right dimensions for our customers?

Assumption Risk Analysis As a Strategic Risk Tool

Strategic risk has at least two major categories, at least nine specific dimensions, and about 40 tools that can be applied to the categories and dimensions. One strategic risk tool is assumptions risk analysis [ARA], which provides comfort to boards and leaders that strategy has been appropriately vetted and is staying on track. Our risk culture research found that some executives actually thought it was acceptable to get a board to quickly (in 7 minutes) approve a strategic plan. Whether it is due to rushing or just not applying the right tools, leaving assumptions unknown or untested is not recommended. Stories (and investigative reports) about British Petroleum assuming certain safety technology would work at a certain sea depth, or Fukushima’s leaders assuming that an earthquake or tsunami could never get beyond a certain size, make for notable headlines and lifelong lessons. However, rather than just avoiding negative headlines, the goal in applying ARA to strategy is not to create a list of assumptions and risks, but to be more successful, minimize surprises, and to be more resilient.

Timing of Assumptions Risk Analysis

Drucker argued in his 1994 article, “The Theory of the Business,” that organizations should challenge their theory of the business every three years. The “theory” was all the assumptions that are made every day about the customer, the product, the supply chain, the business model, etc. In today’s disruptive world, every three years may not be nearly often enough. Each company and its board should determine whether this is a periodic exercise or if it should be applied to all major decisions.

Approaches to Strategic Assumption Risk Analysis

One simple and easy way to do ARA is to just ask straight up, “What are the assumptions in that decision or strategy?” Experienced leaders will recognize immediately that this approach can be sensitive. This method can still be done but is best left to someone with tact, credibility, and training.

A second version of flushing out the assumptions can be done via a simple flow / template approach that gets leaders to identify strategic objectives, confidence in meeting those objectives, and the related risks and assumptions. It is usually a short (but not seven minutes) discussion with a natural flow in thinking.

A third version of ARA is a cascading logic / systems approach. I prefer Schmidt’s logic as best described in his book Strategic Project Management Made Simple. The focus is on assumptions in numerous areas: goals, purposes, outcomes, and input. This flushes out more assumptions because the approach is broader than just one decision.

A fourth method that can be applied is Jim DeLoach’s contrarian approach (DeLoach is a global ERM leader at Protiviti). The approach is, in some ways, a supplement to the assumptions analysis because it takes the assumptions one more step and asks what might be the contrarian view of the strategy and related assumptions.

A final version of ARA is slightly more involved and is done in a workshop. This can be considered as just a longer approach and a more in-depth analysis than some of the approaches mentioned above. This approach starts with specific objectives such as earnings targets. Next, the targets and related objectives, assumptions, and risks are flushed out via workshop and lengthy discussion. I’ve seen one F100 company save themselves from embarrassing assumptions that, when flushed out, implied a clear impediment to meeting the targets. This approach, if applied timely, can give a company time to manage the risks and greatly increase the chances of meeting targets. This is the type of big upside risk win that ERM or ARA can provide. Ideally, companies could try to flush out risks and assumptions before they even set the targets. 

Getting Serious About Unknowns, Disruptions, and Emerging Risks?

Recent data collected by the Center for Excellence in ERM at St. John’s University explored how organizations identify and react to unknowns, disruptions, and emerging risks. Although the project is still in progress, some early findings are interesting. The early highlights:

Timing matters. Only 14% of companies stated that they see these changes too early.

You still must take action. 74% of companies stated that they sometimes had the right idea (to react to the changes) but failed to execute on the idea.

Easier to say than do. 95% agreed that the key to these changes is linking the change to the business model and strategy.

Raise the risk aware culture. 95% agreed that a risk culture that encourages the entire organization to be aware of and identify emerging risks is critical.

Strategic Risk: Are You Cool or Uncool?

My view of how managing strategic risk and the related dimensions is one key to long-term success.


As COSO and ISO continue to suggest or imply that strategic risk has multiple dimensions, it is worth considering how these dimensions can result in alternative scenarios. A review of the strategy and disruption reading list on the prior blog (or taking my strategic risk analysis class) would suggest that the relationship between performance over time depends upon managing the strategic risks. Managing or not managing these strategic risk dimensions can lead to two alternatives: cool or uncool.

Strategic Alignment

Cool: The organization understands the current market, regularly challenges their view, and identifies (and measures success on) future dimensions.

Not Cool: Management has not given much thought (nor analyzed) as to how their business aligns to the market, environment, and its direction.

Strategic Capability

Cool: The organization builds capabilities and market advantages based on a reasonable analysis of the market and expectations of future gains and cash flows.

Not Cool: The organization spends its money primarily based on last year's budget or has no idea how the budget aligns to building strategic advantages.

Business Model

Cool: The business model is clearly understood, frequently tested, and customers relationships are powerful, sticky, and linked to value. New business models, innovations, or service opportunities are regularly sought after.

Not Cool: Just go sell something. 

Surprises etc.

Cool: The organization recognizes it is an uncertain, disruptive, and changing world and aggressively seeks to gain more knowledge, minimize surprises, be robust when surprises occur (knowing they can occur), and be agile in quickly responding to changes.

Not Cool: The organization regularly gets surprised and has trouble recovering or adapting from certain events, regularly disappointing stakeholders.

 

Why and How to Approach Strategic Risk

Importance of Strategic Risk

Disruption, change, globalization, an endless supply of non-traditional competitors, and a rapid growth in new business models seem to be making executives and boards more nervous than ever and success is more uncertain.  Strategic risk is more important than ever.

The Problem

Normal ERM can produce a set of risks via interviews and workshops and, in many organizations, a few of these risks might be categorized into strategic, financial, operational, etc. However, categorizing such risks into the strategic category is not the same as conducting a thorough strategic risk analysis and is unlikely to uncover the most significant strategic risks.

Given the importance of strategic risk, leaders and boards should demand and do more. They should specifically ask questions that address the two major dimensions of strategic risk and they should expect a strategic risk approach that is the most likely to identify strategic risks and, therefore, increase the likelihood of future success.

Strategic Risk Dimensions and Related Questions

Strategic risk has many dimensions but two potential broad dimensions are:
1. Risks related to setting the strategy, and
2. Risks related to implementing and delivering the strategy.

Key questions around setting the strategy include:

  • “How do we know, or have comfort, that the right strategy has been chosen?”
  • “Who are those companies that we do not know about that may become competitors and how is their business model different?”

A financial institution on Wall Street recently conducted a workshop with the top leadership team to address these types of questions. Similarly, a major NYSE manufacturing company is known for its black swan and emerging risk workshop that is partially designed to address this same topic.

Key questions around implementing and delivering the strategy include:

  • “How do we know, or have comfort, that we are on track?”
  • “Would we know soon enough if we are off track (not on target), and how would we know?”

The only way to really answer these questions is to conduct a thorough strategic risk analysis and apply strategic risk tools around each of these dimensions.

Conclusion

A key to being a great company is to manage the risk, volatility, and uncertainty of known, should-have-known, and unknown events that impact strategic goals and objectives. Strategic risk analysis is one method to manage that risk.