How to conduct effective strategic risk reviews

The process of risk management is well documented, with various standards and whole industries created to identify and manage risk to ensure good governance best practice. It is one of those areas of governance that appears on all board charters, often has its own board committee established, and is a bit of a buzzword traded between directors and management to show that it is being duly monitored and managed.

However, in most cases, current risk management practices do not fully unlock the potential of risk. Monitoring and management of risk only go so far. What is missing? How can we use a strategic risk review to unlock this potential?

Strategy, innovation, and risk 

Most directors, when asked to define risk, describe their view of risk as: 

• something negative that happens to the organisation 
• the potential for loss 
• something that can go wrong 

When asked how their staff view risk, the descriptions can be even more depressing: 

• it is complicated and difficult 
• something we have to monitor and reduce 
• primarily a compliance issue that we have to do 

If these are the prevailing points of view on risk, then how will risk be managed by the board and staff?

What if risk was something completely different?

What if risk was actually a strategic advantage, a hidden potential opportunity, and the source of potentially amazing innovation? If the organisation chose to view risk from this point of view, how would the board and staff view risk, and how would risk be identified and managed?

If risk is seen as a compliance and minimisation strategy, then that is all that will be focused on. If, on the other hand, risk is seen as the flipside of opportunity, and another way of looking at strategy, then strategic advantage and significant opportunity can be explored, managed and monitored as part of the risk management process. 

The point behind risk management is to identify all the potential risks, rank them according to potential to occur and possible impact if they do occur, determine the quality of existing controls on the risks, develop new controls and strategies for the risks (called ‘treatment’ in risk jargon), monitor these and extract strategic advantage from the whole process. This is a simple process which is often made very complicated and difficult by the points of view that people hold about what risk is. And most organisations do not extract strategic advantage from the risk management process.

Risk should be an ongoing strategic conversation, not a compliance reporting function. The strategic conversation should be about:

1. What innovative strategies can we implement to reduce the risk of the risk occurring, and how can we turn each of these strategies into opportunities and possibly revenue creators?
2. What innovative strategies can we implement that will reduce the impact of the risk if it were to occur, and how can we turn each of these strategies into opportunities and possibly revenue creators?

Even the main standards on risk articulate this view. The two main formal definitions of risk are from Standards Australia (Australia) and the Committee of Sponsoring Organizations of the Treadway Commission (COSO, USA). They are very similar in intent, and focus on the strategic potentiality of risk, rather than on the negative loss point of view.

For example, AS ISO 31000:2018 defines risk as 'the chance of something happening that will have an impact on goals'.

It defines risk management as 'the culture, processes and structures that are directed towards the effective management of potential opportunities and adverse effects'. 

Once the organisation has made this mind shift to viewing risk as another way of looking at opportunity, then it can begin looking at the revenue opportunities that are possible from managing the potential and the impact of this risk. Truly understanding the risk and putting in place strategies for managing its potential to occur and its impact if it were to occur will always lead to future possible revenue streams.

The role of the board and risk

At a practical level, the board sets the tone for how risk is viewed, managed and monitored. 

If the board takes a strategic view of risk, then risk management becomes the strategic response to potential problems and opportunities that arise during the planning and implementation of an activity or a longer-term strategy. The strategic response to these risks also includes developing strategies to turn the management of the risk to strategic opportunity and advantage.

One tool available to the board is the Risk Appetite Statement.

A clear Risk Appetite Statement:

• Allows for a better understanding of the organisation’s strategic goals, culture, context and sensitivity to risk
• Contributes to the embedding of a risk culture that supports strategic planning and decision-making processes 
• Facilitates a proactive risk management approach to mitigate risks that impact strategic and operational objectives 

The Risk Appetite Statement articulates, in a meaningful and actionable way, the acceptable limits within which the board, management and staff must operate in their roles and make decisions on behalf of the organisation.

One of the key functions of any board is to agree on critical risks and ensure that management is monitoring those risks and has robust treatment strategies in place in case the risks do occur. Regular board reports that analyse these risks and their treatment should provide the board with critical information regarding the key drivers of the business, potential innovation and strategic opportunity, and enable the board to protect and advance the interests of stakeholders. Board risk reports should focus on the agreed key risks (usually three or four), rather than obfuscating the potential strategic discussion by providing a full report on all risks. Too often, it is unclear what the board should be doing with a risk report other than noting it.

Risk is the same as strategy. It should never be for noting. There should always be questioning, exploring, testing and focusing on how risk management is creating impact and creating the future.

In addition, robust and active risk management monitoring may protect board members in the event that something significantly goes wrong.

As stated by Standards Australia:

The lack of embedded risk management practices within the governance structure of an organisation is regarded as one of the highest risks facing an organisation.

An effective strategic risk review process

Reviewing risk is not just about adding new risks to the risk register. It should also be a review of all key processes involved in risk management to ensure risk is an integral part of the strategic conversations the board is having. As part of an effective strategic risk review, each of the following areas should be assessed.

Board responsibility

1. Does the risk management policy address the opportunity aspect of risk? 
2. Is the Risk Appetite Statement in line with our strategic priorities, and do staff and board find this useful guidance?
3. Does the board committee charged with risk oversight regularly review risk management progress with senior executives? 
4. Does our board receive succinct reports on the two or three board-approved critical risks that have the potential to significantly impact the organisation, and do they find these reports useful in shaping strategic conversations? 
5. Is the culture of our board one of risk mitigation or strategic opportunity? 
6. Has our board established one or two key performance indicators (KPIs) for the CEO that reflect this risk management role? 
7. Conduct an annual review of the key risks, asking the questions: What has worked to manage this risk? What has not worked? What have we missed? What should we add? What should we remove?
   
   

Risk committee responsibility 

1. Have we identified key risks from stakeholder perspectives? 
2. Are our risk criteria still suitable?
3. Have we reviewed key risks based on the risk criteria? 
4. What has changed with the key risks? 
5. How are we turning to our advantage the management of potential to occur and impact if it does occur? What are the opportunities? 
6. Have we looked at the revenue possibilities from managing these risks? 
7. Are we keeping key stakeholders informed of our risk management approach? 
   
   

Senior executive responsibility 

The board has the responsibility of ensuring that risk management is embedded into the organisation, and is responsible for monitoring the critical risks and their treatment. The staff are responsible for developing the risk management policy (not approving it), identifying and ranking risks, developing reporting mechanisms, delivering education and performance measurements that reflect the risk culture and priorities, and allocating appropriate resources.

Embedding risk management into your organisation

Regular reports to board should focus on the agreed three or four key risks, how they are being managed, what else could be done to better manage, how to extract strategic advantage and where revenue streams might be possible.

Embedding risk into board processes

Board charter: The purpose of the board charter is to combine purpose, responsibilities, relationships, culture, and reporting requirements of the board. Risk management should be embedded into the board charter as one of the key responsibilities of the board.

Board induction: The board induction process should include a discussion on the two or three key risks, the culture of inquiry around risk, and how the key risks are monitored, managed and leveraged. 

Board agenda: The board agenda should have a discrete agenda item titled 'Risk Management' where reports and discussion about the key risks are received. At least once a year, the key risks of the organisation should be reviewed to discern if anything has changed or if new risks have arisen. 

Board committee: Develop either a risk committee or specifically embed risk as a key component to one of the other board committees, for example finance or audit committees. 

Annual report: Ensure there is a report regarding the organisation’s risk management process, and a short description of the key risks and how they are being managed and turned to strategic advantage.

Annual board evaluation: At least one of the questions asked during a board evaluation should be about how well the board and individual board members understand risk, how any risk discussion focuses on the strategic advantages, and seek evidence that board members agree on the top three or four risks.

CEO evaluation: At least one of the CEO's key performance indicators should be related to the risk management plan. 

Download a copy of this article, including templates for Governance Risk Management Framework, The role of CEO/staff, and a Stakeholder inclusion checklist here.