The first step in building a risk management plan is to conduct an initial risk assessment. What sets a strategic risk assessment apart from other risk assessment methods is that it is driven by the business’s core strategies.
What is a Strategic Risk Assessment?
A strategic risk assessment is a systematic, continuous process by which an organization identifies its strategic risks and understands how those risks are being managed across the business. “Strategic risks” are the risks most consequential to the organization’s ability to execute its strategy and achieve its objectives. They are the risk exposures that can ultimately impact shareholder value or even threaten the business’s survival.
Planning A Strategic Risk Assessment
The strategic risk assessment process should be led by management, but receive input from and be reviewed in conjunction with the Board. The outcome of this risk assessment is to achieve consensus, among Board members and management, around the top key risks facing the organization. This process aligns with COSO’s 2017 ERM framework and is based on research by Dr. Mark Frigo, Director of the Center for Strategy, Execution, and Valuation at DePaul University, and Richard Anderson, a retired Partner at PwC and a clinical professor at the Strategic Risk Management Lab at DePaul.
Risk Assessment Checklist
1. Understand the strategies of the organization
The first step of the risk assessment is to develop an overview of the organization’s key strategies and business objectives. For some businesses, this information may already be well-developed and formally documented. If not, the risk assessment team can draw on models such as the Return Driven Strategy model to understand and identify the strategies most critical to achieving the organization’s overall objectives. This is a crucial step in helping management and the Board eventually prioritize the potential risks to these strategies.
Source: Frigo, Mark L. and Joel Litman. DRIVEN: Business Strategy, Human Actions and the Creation of Wealth. Strategy & Execution (2007).
2. Collect data and views on strategic risks from the organization
The second step is to collect information from the organization regarding its strategic risks. This can be achieved by:
- Reviewing financial reports and investor presentations
- Interviewing key executive leaders regarding what they view as strategic risks
- Surveying business leaders and other personnel with views on risks, e.g. compliance, internal audit, and external audit teams
It can be helpful to use the information gathered on strategic risks in Step 1 to frame these interviews and surveys around the business’s key strategies. It can also be useful to interview key executive leaders regarding what they view as potential emerging risks in addition to gathering their feedback on strategic risks.
3. Prepare a preliminary strategic risk profile
The next step is to use the results from steps 1 and 2 to develop a preliminary profile of the organization’s strategic risks. The risk assessment team can use the Strategic Risk Management Model as a template to assess the risks related to each of the top strategies identified. Ultimately, this profile should contain a list of the top risks to the organization’s strategy and objectives, along with their potential severity or ranking. How detailed the profile is, and how it is presented, should be carefully tailored to the culture of your organization. Color-coding risks and using visual heat maps may be helpful in presenting this information to management and the Board for review and discussion.
Source: Frigo, Mark L. and Richard J. Anderson, Strategic Risk Management for Directors and Management Teams (2011)
4. Validate and finalize the strategic risk profile with management and the Board
Upon presenting the preliminary strategic risk profile to leadership, the next step is for the risk assessment team to facilitate a discussion among key executives to help refine, validate, and finalize the risk profile. The ensuing cross-dialogue and conversations about risk and opportunity are among the most valuable conversations for shaping business strategy, as they unite executives across the organization to share their unique perspectives and collectively vet and prioritize the organization’s top key risks.
5. Develop a strategic risk management action plan
This step entails leveraging the results of the previous steps to produce an actionable plan to help manage and monitor the identified strategic risks. The action plan involves developing an appropriate risk response (accept, avoid, pursue, reduce, share) to each critical risk identified in accordance with the organization’s risk appetite. The consolidated action plan should prioritize these risk responses and allocate resources across them. Best practice indicates the action plan should also include a charter that:
- Has a formal statement on the organization’s risk appetite
- Assigns responsibilities and accountability for risk monitoring and actions among management, internal audit and compliance
6. Communicate the strategic risk profile and action plan
Once the strategic risk management action plan has been developed, it should be validated and finalized by management and the Board. Once finalized, the profile and plan must be communicated to the organization in order to develop and build the organization’s risk culture.
7. Implement the enterprise risk management action plan
The value of performing a strategic risk assessment is realized when the organization implements the resulting action plan to manage and monitor its strategic risks. Enterprise risk management should not be regarded as a one-time annual procedure, but as a continual, ongoing process that can be built upon and strengthened. As such, these steps should be repeated as frequently as needed in response to significant external events that can affect the business, such as the 2008 financial crisis or the 2020 COVID-19 crisis. Furthermore, risk management software can help streamline and centralize the risk assessment process, creating the foundation for a mature ERM program. To learn how AuditBoard can help you manage your risk management plan from end to end, contact us.