How to Conduct Effective Strategic Risk Reviews

Mar 15, 2022 2:08:00 PM

The process of risk management is well documented, with various standards and whole industries created to identify and manage risk. It is one of those areas of governance that appears on all Board Charters, often has its own Board committee established, and is a bit of a buzzword traded between Directors and management to show that it is being duly monitored and managed.

However, in most cases, current risk management practices do not fully unlock the potential of risk. Monitoring and management of risk only go so far. What is missing? How can we use a strategic risk review to unlock this potential?

Strategy, Innovation and Risk 

Most Directors, when asked to define risk, describe their view of risk as: 

  • Something negative that happens to the organisation 
  • The potential for loss 
  • Something that can go wrong 

When asked how their staff view risk, the descriptions can be even more depressing: 

  • It is complicated and difficult 
  • Something we have to monitor and reduce 
  • Primarily a compliance issue that we have to do 

If these are the prevailing points of view on risk, then how will risk be managed by the Board and staff?

What if risk was something completely different?

What if risk was actually strategic advantage, hidden potential opportunity and the source of potentially amazing innovation? If the organisation chose to view risk from this point of view, how would the Board and staff view risk, and how would risk be identified and managed?

If risk is seen as a compliance and minimisation strategy, then that is all that will be focused on. If, on the other hand, risk is seen as the flipside of opportunity, and another way of looking at strategy, then strategic advantage and significant opportunity can be explored, managed and monitored as part of the risk management process. 

The point behind risk management is to identify all the potential risks, rank them according to potential to occur and possible impact if they do occur, determine the quality of existing controls on the risks, develop new controls and strategies for the risks (called ‘treatment’ in risk jargon), monitor these and extract strategic advantage from the whole process. This is a simple process which is often made very complicated and difficult by the points of view that people hold about what risk is. And most organisations do not extract strategic advantage from the risk management process.

Risk should be an ongoing strategic conversation, not a compliance reporting function. The strategic conversation should be about:

  1. What innovative strategies can we implement that will reduce the possibility of the risk occurring, and how can we turn each of these strategies into opportunities and possibly revenue creators?
  2. What innovative strategies can we implement that will reduce the impact of the risk if it were to occur, and how can we turn each of these strategies into opportunities and possibly revenue creators?

Even the main standards on risk articulate this view. The two main formal definitions of risk are from Standards Australia (Australia) and the Committee of Sponsoring Organizations of the Treadway Commission (COSO, USA). They are very similar in intent, and focus on the strategic potentiality of risk, rather than on the negative loss point of view.

For example, AS ISO 31000:2018 defines risk as:

The chance of something happening that will have an impact on goals 

and risk management as: 

The culture, processes and structures that are directed towards the effective management of potential opportunities and adverse effects. 

Once the organisation has made this mind shift to viewing risk as another way of looking at opportunity, then it can begin looking at the revenue opportunities that are possible from managing the potential and the impact of this risk. Truly understanding the risk and putting in place strategies for managing its potential to occur and its impact if it were to occur will always lead to future possible revenue streams.

Insight One:

Refocus the attention of risk managers, senior staff and the Board on the strategic opportunities, and possible revenue potential, that arise from managing the risks. Ensure risk is not seen as just a compliance issue but also as a strategic issue that could provide competitive advantage.

The role of the Board and risk 

At a practical level, the Board sets the tone for how risk is viewed, managed and monitored. 

If the Board takes a strategic view of risk, then risk management becomes the strategic response to potential problems and opportunities that arise during the planning and implementation of an activity or a longer-term strategy. The strategic response to these risks also includes developing strategies to turn the management of the risk to strategic opportunity and advantage.

An often-misunderstood tool available to Boards is the Risk Appetite Statement.

A clear Risk Appetite Statement:

  • Allows for a better understanding of the organisation’s strategic goals, culture, context and sensitivity to risk
  • Contributes to the embedding of a risk culture that supports strategic planning and decision-making processes 
  • Facilitates a proactive risk management approach to mitigate risks that impact strategic and operational objectives 

The Risk Appetite Statement articulates, in a meaningful and actionable way, the acceptable limits within which the Board, management and staff must operate in their roles and make decisions on behalf of the organisation.

One of the key functions of any Board is to agree on critical risks and ensure that management is monitoring those risks and has robust treatment strategies in place in case the risks do occur. Regular Board reports that analyse these risks and their treatment should provide the Board with critical information regarding the key drivers of the business, potential innovation and strategic opportunity, and enable the Board to protect and advance the interests of stakeholders. Board risk reports should focus on the agreed key risks (usually three or four), rather than obfuscating the potential strategic discussion by providing a full report on all risks. Too often, it is unclear what the Board should be doing with a risk report other than noting it.

Risk is the same as strategy. It should never be for noting. There should always be questioning, exploring, testing and focusing on how risk management is creating impact and creating the future.

In addition, robust and active risk management monitoring may provide some protection to Board members in the event that anything goes significantly wrong. As stated by Standards Australia:

“Provided risks have been managed in accordance with THE STANDARD, protection occurs on two levels. Firstly, the adverse outcome may not be as severe as it might otherwise have been. Secondly, those accountable can, in their defence, demonstrate that they have exercised a proper level of diligence.”

(Guidelines for Managing Risk p.10, Standards Australia)

The lack of embedded risk management practices within the governance structure of an organisation is regarded as one of the highest risks facing an organisation. 

An effective strategic risk review process

Reviewing risk is not just about adding new risks to the risk register. It should also be a review of all key processes involved in risk management to ensure risk is an integral part of the strategic conversations the Board is having. As part of an effective strategic risk review, each of the following areas should be assessed.

Board responsibility: 

  1. Does the risk management policy address the opportunity aspect of risk? 
  2. Is the Risk Appetite Statement in line with our strategic priorities, and do staff and Board find this useful guidance?
  3. Does the Board Committee charged with risk oversight regularly review risk management progress with senior executives? 
  4. Does our Board receive succinct reports on the two or three Board-approved critical risks that have the potential to significantly impact the organisation, and do they find these reports useful in shaping strategic conversations? 
  5. Is the culture of our Board one of risk mitigation or strategic opportunity? 
  6. Has our Board established one or two key performance indicators (KPIs) for the CEO that reflect this risk management role? 
  7. Conduct an annual review of the key risks asking the questions: What has worked with managing this risk? What has not worked? What have we missed? What should we add? What should we take out? 

Insight Two: 

Add two extra columns to risk management plans - “Strategic Opportunities” to facilitate looking at risk as also a strategic opportunity, not just a compliance issue, and “Revenue Possibilities” to identify possible new revenue sources.

Risk committee responsibility 

  1. Have we identified key risks from stakeholder perspectives? 
  2. Are our risk criteria still suitable?
  3. Have we reviewed key risks based on the risk criteria? 
  4. What has changed with the key risks? 
  5. How are we turning the management of each risk's potential to occur, and its impact if it does occur, to our advantage? What are the opportunities? 
  6. Have we looked at the revenue possibilities from managing these risks? 
  7. Are we keeping key stakeholders informed of our risk management approach? 

Insight Three:

Regular reports to the Board should focus on the agreed three or four key risks: how they are being managed, what else could be done to manage them better, how to extract strategic advantage, and where revenue streams might be possible.

Senior executive responsibility 

The Board has the responsibility of ensuring that risk management is embedded into the organisation, and is responsible for monitoring the critical risks and their treatment. The staff are responsible for developing the risk management policy (not approving it), identifying and ranking risks, developing reporting mechanisms, delivering education and performance measurements that reflect the risk culture and priorities, and allocating appropriate resources.

Embedding risk into Board Processes

  • Board Charter 
  • Board Induction 
  • Board Agenda 
  • Board Committee 
  • Annual Report 
  • Annual Board Evaluation 
  • CEO Evaluation 
