Injecting Risk Into Strategic Decisions

Internal auditors can help the organization assess how risk management can aid decision-making.

Recent economic events and increased regulatory scrutiny have fundamentally shifted how organizations think about risk. Although many organizations have invested in resources to better manage risk, those investments often do not address strategic areas.

Yet, the stage is set for executives to align risk management with business strategy, as most commonly accepted risk management frameworks and charters are linked to strategy in their purpose or objective. Because internal auditors typically include strategic risks in their risk universe, they are positioned to help management embed these risks into their strategic-planning and decision-making processes.

Start at the Top

By definition, strategic decisions affect the ultimate success or failure of the organization. As a result, they are usually evaluated and made by the top executives. Risk management can contribute meaningfully and consistently to the organization’s success as defined at the highest levels.

To achieve this objective, top executives first must believe there is substantial value to be gained by embracing risk management. The best way for the risk management executive to engage these executives is to align risk management with the organization’s vital performance targets, and use it to drive better decisions and outcomes with a higher degree of certainty.

Next, top management must trust the risk management executive as a peer who provides valuable perspective. This executive must earn trust and respect by consistently exhibiting insightful risk and performance management competence, and having a deep understanding of the business and its strategic vision, objectives, and initiatives. He or she must simplify risk discussions by focusing on uncertainty relative to strategic objectives and categorizing these risks in a meaningful way. Moreover, the risk executive must be willing to take a contrarian position, relying on objective evidence where readily available, rather than deferring to the subjective. Because internal audit shares many of these same traits, the CAE can help risk executives gain that trust and respect.

Be Performance-driven

Most people view risk as something that should be avoided or reduced. However, experienced risk managers realize that risk is valued when it can help achieve a competitive advantage.

Studies show that investors and other stakeholders place a premium on management’s ability to limit the uncertainty surrounding its performance projections. One way for management to enhance confidence in its forecasts is through performance-driven risk management, which is the practice of understanding and addressing the drivers of uncertainty.

Performance-driven risk management enables strategic alignment by focusing first on what matters most to chief decision-makers. This approach begins with ensuring that the organization’s primary objectives and performance indicators are commonly understood and represent shared expectations of the executive team, board, and shareholders. With this emphasis, risk management becomes synonymous with understanding and managing sources of significant risks that drive the uncertainty related to desired outcomes.

Support for Complex Decision-making

To improve the discussion of the risks driving uncertainty relative to strategic goals, risks must be categorized in a meaningful way. In a 2012 Harvard Business Review article, researchers Robert Kaplan and Anette Mikes introduced a taxonomy for classifying different types of risk events into three distinct categories — preventable, strategic, and external — and potential responses.

Preventable risks are those that can be eliminated, avoided, mitigated, or transferred cost-effectively. Continuous improvement initiatives, such as Lean Six Sigma, often thrive in this environment. Strategic risks tend to be more complex, with a focus on balancing risk and reward. External risks are those outside of the organization’s control. Organizations focus on limiting their exposure to such risk events by optimizing resiliency.

Adopting this taxonomy can help streamline information used to determine the best possible solution. It also can simplify risk discussions at the executive and board levels by arranging decision-making materials and exchanges of ideas in accordance with the organization’s circle of influence, knowledge, and related alternatives.

Emotional Responses

In a study published in the March 27 issue of the Arizona State Law Journal, legal scholars Susan Bandes and Jessica Salerno wrote, “Emotion helps us screen, organize, and prioritize the information that bombards us. It influences what information we find salient, relevant, convincing, or memorable.” However, certain unchecked emotions, such as fear, anger, and greed, can create biased decisions, leading otherwise knowledgeable, experienced, and respected individuals or groups to ignore obvious flaws in reasoning. Complexity and tight deadlines often amplify this emotional effect.

Some executives may decide to move forward with large, multiyear projects, such as construction initiatives or new product lines, after getting emotionally invested in the potential upside and feeling pressured to make a quick decision. In such cases, those leaders tend to embrace information that supports the project’s targeted outcomes and discount or dismiss evidence that indicates downside exposure. Often, this tendency results in major project overruns and failures, which can lead to debilitating losses and bankruptcy.

The key to avoiding this outcome lies in embedding risk management within the strategic decision-making process. This includes seeking evidence of downside exposure to assess the potential impact and mitigation options, as well as to make the best-informed decisions. If management agrees to proceed, this same information can create a platform for designing and implementing effective risk management and monitoring activities.

Objective information is revealing and can temper emotional reactions for better decision-making. For example, variations of risk-adjusted return modeling can be supported with objective data and tools such as Monte Carlo simulation.

Internal auditors can help management recognize when emotional responses are clouding decision-makers’ judgment by asking questions such as:

  • Are management’s current structure and approach inspiring enough diverse thoughts and experiences?
  • Who is responsible for challenging whether relevant, reliable, and timely information is considered appropriately?
  • How familiar is management with considering risk appetite and tolerance as they relate to likely future strategic decisions?

Realizing the Benefits

Today’s internal auditors must recognize the importance of understanding and managing the risks that drive uncertainty about their organization’s success. They should use this knowledge and their objective position to assess the existing environment and advise management and the board on how to improve their use of risk management for strategic decision-making.
