Towards a new form of risk management
“In recent years, risk management has become more important and garnered more interest. Of course, the financial crisis was a contributing factor as it was partly caused by inadequate risk management systems and processes. Organisations in and outside the financial industry were forced to professionalise their risk management, due to new regulations”, says Regine. “As a result, they now better understand the financial and operational risks, for example. But doing this is not enough if you want to be a success in today’s dynamic and unpredictable environment, with disruptive innovations and rapidly changing consumer behaviours. If you want to respond flexibly to technological trends, market threats and opportunities, geopolitical risks and radical changes in regulation, then you have no other choice as an organisation than to approach risk management proactively and strategically.”
The three Ps
Regine and Bart selected ten leading, successful European companies from almost the same number of industries. They conducted in-depth interviews with the CXOs to map how these organisations tackle their risk management.
Telecom providers, for example, are confronted with changes in consumer expectations, and the self-driving car is turning insurance companies’ business model on its head, while pharmaceutical and energy companies must respond flexibly to all kinds of changes in regulation. Regine: “While the organisations in our study have to find a fitting answer to very different external factors, they have all implemented one form or another of what we call ‘strategic risk management’, taking a strategic approach to three building blocks of risk management.”
- Processes: where possible, risk identification and analysis are integrated into the developed strategy and the strategic planning process, with content and timing integration.
- People: the role of risk management has evolved from a merely operational one that focuses on compliance to that of a strategic business partner of senior management.
- Practices: the organisation actively supports the strategic risk management approach by organising scenario planning exercises and meetings, during which information is exchanged about the most important risks, the use of digital technology such as data analytics and the development of a high level of risk awareness throughout the entire organisation.
“The well-considered combination of these three building blocks allows leading companies like the ones in our study to be both resilient and agile. And that is exactly what you need to survive in the current market. All the organisations we studied have one thing in common: their management made the conscious choice to implement a form of strategic risk management. We noticed that risk is an explicit aspect of the strategic dialogue at the management level, even in those organisations that do not have a strongly formalised strategic planning process in place.”
While taking a strategic approach to risk management may seem obvious, it is anything but in practice. Many organisations tend to get bogged down in the traditional approach to risk management, i.e. adhere to a very procedural approach focussing on compliance and protection against known risks, which unfortunately often gives organisations a false sense of “control”, meaning they often fail to respond or their response is too little, too late. In any case, this is why risk management’s bureaucratic image should come as no surprise.
Strategic risk management puts paid to the idea of people who tick boxes and who have limited added value for your business. “Instead of approaching risks as threats which you need to protect yourself against and which you need to minimise the impact of, this proactive approach identifies and analyses new and emerging trends, even if they are nothing more but weak signals. Because they may create interesting opportunities for those organisations that can respond to them rapidly and flexibly”, Regine explains. “So while new technology and start-ups may pose a threat to existing business models, they can also inspire new, profitable business initiatives.”
No quick fix
“You shouldn’t think of strategic risk management as a ready-made solution”, Regine cautions. “It’s a capability you must develop, which requires adapting your processes, your people and your practices. And this takes time. Moreover you can’t just copy what another company did. You must always tailor your approach to your organisation’s needs and reality. Not every company should strive towards a maximum integration of its risk management and strategic planning processes as this comes at a considerable cost. If you face strong market turbulence, process integration will be more beneficial for you than for a company that operates in a more stable market environment. The idea is to strike the right balance. We also noticed this in the companies we studied. They all implemented strategic risk management in their own unique way, weighing the cost of process integration and the available capabilities against the benefits.” And she concludes: “Developing a strategic risk management competence is not a one-off effort. A company’s needs change all the time and the way in which you develop this risk management competence will change accordingly.”
Source: The paper ‘Transforming under deep uncertainty: A strategic perspective on risk management’ was published in Business Horizons (2018) and can be requested from Professor Regine Slagmulder. Article from the Vlerick.com Website
About the authors: Regine Slagmulder is a Partner and Full Professor of Management Accounting & Control at Vlerick Business School. Her research and teaching focus on strategic performance management, risk management and board effectiveness. Bart Devoldere was employed by Vlerick Business School as a postdoctoral researcher. He currently works as a strategy consultant for TNO and a strategic business designer at TomorrowLab.