When S&P was defining ERM for Insurance company rating purposes, Strategic Risk was deliberately and consciously left out. That was not because S&P thought that Strategic Risk was unimportant. It was because Strategic Risk was already a very important part of the rating process.
Strategic risk is the most fundamental risk for a business or other enterprise. It is the risk that there will no longer be a compelling reason for its continued existence. The Strategic threat might be from a direct competitor, from major changes in customer behavior or from changing regulations. (This is an illustrative, non-exhaustive list.)
A Strategic risk is the risk that something will happen to your firm’s lead product or service similar to what happened to Internet Explorer. In 2008, it had almost 70% market share. In 2013, its market share looks like it may fall to 20%. In this case, the risk was from a competitor, Google. (The scenario that played out was the exact story Microsoft told when its near monopoly was under attack.)
Strategic risks are rightly at the top of the list of concerns for top management of all companies including financial firms. But there is not a great fit between these strategic risks and risk management.
Strategic risk is the topic of countless management books and it is also a favorite subject that is well covered in MBA programs. In the past 50 years, management has been well schooled in the processes of identifying and managing strategic risk. Try searching Amazon for books on Business Strategy.
Strategic risk does not easily lend itself to the control cycle approach that is fundamental to most other risk management. And RISKVIEWS knows of no management teams that have willingly given over the management of strategic risk to the risk management staff. That work is always a key task performed by top management.
So this leaves risk managers with a dilemma. When they engage top management (or the board for that matter) in a discussion about risk identification, they will usually name strategic risks as at least 1/4 to 1/3 of the top risks. Risk managers need to have an approach to dealing with that eventuality. There are several possibilities:
- Put Strategic Risks off the table. This is a common approach, but it creates a risk for the ERM program because it means that ERM will only deal with 2nd tier risks. Both Top Management and the Board will immediately or eventually drift away from paying any significant attention to ERM.
- Force Strategic Risk into the ERM template. This means creating risk measures and limits and controls for Strategic Risks. This approach is doomed to failure for a number of reasons. First, as stated above, top management will not delegate Strategic Risk Management to the people who do the rest of risk management. Second, Strategic risks do not lend themselves to the sort of statistically based measurement used for most insurance, market and credit risks. Strategic Risks are usually one-time events. When they happen, the company is dead or severely wounded.
- Create a side-by-side reporting process for Strategic Risks that uses some of the ideas from ERM to create some discipline for examining and discussing strategic risks. What that means is that Strategic Risks would be included in a risk dashboard cover sheet of top risks that are reported regularly to the board. The CEO or COO might be the risk owner. Status and mitigation efforts can be reported just as for other risks, but measurement would be purely subjective and hopefully not put into numeric terms in most cases.
With the side-by-side approach to Strategic Risk Management, the risks and activities are put in front of the board just as often as Insurance, Market, Credit and Operational Risks. And in broadly the same format. But most likely, all of Top Management and the Board will be totally engaged if a Strategic Risk gets into the red zone.