Home > RSM Resources > Articles > Advantage > Risk Management > Four steps to help your business take a strategic approach to risk management

RSM Resources

Back to RSM Resources
Risk Management
Four steps to help your business take a strategic approach to risk management
 
Four steps to help your business take a strategic approach to risk management

In recent years, many midsized companies havetaken a more sophisticated approach to defining risks that may affect businessfinance, production and operations. However, a growing number of experts saysuch an inward view leaves a company exposed to a wide range of externalthreats.

"Business leaders have not historically consideredoutside risks in an organized, systematic fashion," says Bill Shenkir, abusiness professor in the McIntire School of Commerce at the University of Virginiaand co-author of Making EnterpriseRisk Management Pay Off. "Now, however, you’re beginning to seesigns that enterprise risk management is redefining how companies do strategicplanning. Instead of SWOT analyses that focus too much on strengths andopportunities, you’re seeing more specifics on how companies will mitigateoutside weaknesses and threats."

A string of recent events has underscored thepotential gravity of external risks. These include a devastating U.S. hurricaneseason that battered energy production, snarled transportation systems andclosed scores of businesses in the hardest-hit areas. Those unforeseen eventseliminated more than 500,000 jobs, according to the Congressional BudgetOffice, and dampened projections for overall growth in gross domestic product(GDP) for the final two quarters of 2005.

External threats can be defined in a number ofways. In a recent Harvard Business Review article, author AdrianSlywotzky identifies seven strategic risks: industry, technology, brand,competitor, customer, project and stagnation. Company leaders, he suggests,should scrutinize each of these areas for possible threats such as unforeseennew competition or the stagnation of previously profitable products orservices. Then they should define the probability and quantifiable effect ofeach potential business threat and draft clear steps to counter possibleproblems.

A simpler way to address this process, Shenkirsays, is for midsized companies to link risk management with overall businessplanning. Several multinational firms, including General Electric, have takensteps in that direction, because it moves the discussion of risk fromdepartmental silos to enterprisewide strategies.

"When you have cross-functional groups comingtogether to talk about risk, you often have one part of the businessidentifying risks that another part of the company never thought about,"he says. "That’s a really valuable conversation."

Shenkir and other experts agree that anydiscussion of risk is incomplete without consideration of unforeseen"worst-case" scenarios. That step connects risk management to businesscontinuity planning, improving a company’s ability to respond quickly andeffectively should disaster strike.

Overlooking this element can have painful results,as beverage giant Coca-Cola discovered when school-age children in Belgium and France fell ill after drinking itsproducts in 1999. After a very slow and confused response to the problem, thecompany was forced to pull 30 million cans and bottles of its products fromEuropean shelves — the biggest recall in company history. Meanwhile, Belgium bannedall Coca-Cola products from sale.

"This was a classic situation where a CEO andan organization reacted too slowly to the outcome of a risk," Shenkirsays. "After that, shareholder value diminished, and the CEO (DouglasIvester) was forced to resign."

If your company has not yet embraced riskmanagement as a strategic issue, experts suggest the following steps as a wayto get started:

Take stock of your current risk-managementapproach. For many midsized companies,risk-management responsibilities may be scattered among finance, operations andhuman resources. Review your firm’s risk-management roadmap, and determine whatthe company is spending on risk-related insurance premiums, loss claims andrelated costs. Finally, assess the range of risks your existing system covers.If the scope is limited to internal issues such as finance or operations,experts say the approach is not strategic.

Choose a risk-management model. Several years ago, when a handful of high-profilecompanies suffered through highly publicized financial meltdowns, otherbusinesses struggled to develop a comprehensive approach to strategic risk. Asa result, in 2004 the Committee of Sponsoring Organizations of the TreadwayCommission (COSO) released an integrated enterprise risk-management frameworkto help businesses define, evaluate and manage key internal and externalissues. Thisdocument provides key principles and concepts, a common risk-managementvocabulary, and clear planning tools that focus on strong internal controls andcross-functional risk assessments within an organization. The strategic focusof the COSO initiative may be of more interest to larger corporations, whilemany midsized companies remain focused on traditional models that addressfinancial, operational and compliance risks.

Take a broad view of where risk may reside. In recent years, experts say savvy executives have builtrisk-management principles into a surprising variety of regular business tasks.For example, during due diligence for mergers and acquisitions, Shenkir saysmany companies are identifying and ranking potential outside risks — such asmarket shifts, cultural incompatibility or undisclosed leadership issues — aspart of the investigation process. When such mergers are complete, apost-merger audit evaluates steps taken to reduce identified risks.

In another area, an increasing number of companiesare building risk-management steps into research and development of products orin annual budget planning for the organization. That approach can helpcompanies head off prospective problems and increase potential profits.

"When a business does its budget and profitplan for the upcoming year, it can also look at the internal and external risksembedded in that budget, and design a risk map to show how it can navigatearound them," Shenkir says.

Take the lead on ensuring strategic riskmanagement. While many midsized companiesmay not have the resources to hire an experienced chief risk officer, expertssay that’s no excuse for leadership to ignore the issue. Senior executives,especially the CEO and chief financial officer, are the most importantchampions, with the clout to elevate risk management from tactical afterthoughtto vital strategy. However, to provide an additional checkpoint, outsidedirectors on a company’s board should also help develop and oversee a strategicrisk-management program.

"Effective risk management really needs to comefrom the top," Shenkir says. "That’s especially critical for midsizedcompanies, since their capital reserves tend to be smaller, and a major hitfrom an unforeseen risk can wipe them out."

By taking these steps, you can assess if your company is managing its risksstrategically.

 
RSM McGladrey Inc. and McGladrey & Pullen LLP have an alternative practice structure. Though separate and independent legal entities, the two firms work together to serve clients’ business needs. RSM McGladrey is not a licensed CPA firm.

RSM McGladrey Inc. is a member of RSM International - an affiliation of separate and independent legal entities.

2007 RSM McGladrey Inc. All Rights Reserved. Contact us toll-free at 800.274.3978