By Paul J. Sobel – Chairman, the Committee of Sponsoring Organisations of the Treadway Commission (COSO)
Responsibilities of board members continue to increase across the globe.
Among the myriad expectations for boards, the G20/OECD Principles of Corporate Governance, last updated in 2015, states that the board should fulfil certain key functions, including: ‘reviewing and guiding corporate strategy, major plans of action, risk management policies and procedures…’ Boards have long understood their responsibility to oversee strategy setting and risk management, but the link between those two responsibilities has not been clear.
Fortunately, the Committee of Sponsoring Organisations of the Treadway Commission (COSO) covered this topic in its updated enterprise risk management (ERM) framework in 2017. That framework, Enterprise Risk Management – Integrating with Strategy and Performance, highlights the role of risk in strategy selection.
The framework’s executive summary states that strategy selection is about making choices and accepting trade-offs. So, it makes sense to apply enterprise risk management to strategy as that is the best approach for untangling the art and science of making well-informed decisions. Risk is a common consideration in strategy setting, but its role tends to be too narrow. The framework provides a more comprehensive way of understanding and assessing risk in the strategy-setting process.
Enterprise risk management and strategy
The COSO framework emphasises that enterprise risk management helps an organisation better understand how its mission, vision and core values provide the foundation for understanding what types and amount of risk are acceptable when setting strategy. That foundation results in three distinctively different ways that risk arises in the process:
- The possibility that strategy and business objectives may not align with the mission, vision and core values
- The types and amount of risk that the organisation potentially exposes itself to by choosing a particular strategy
- The types and amount of risk inherent in carrying out its strategy and achieving business objectives and the acceptability of this level of risk and, ultimately, value
Figure 1, below, illustrates strategy in the context of mission, vision and core values and as a driver of an entity’s overall direction and performance.The figure starts with the organisation’s mission, vision and core values, which define what it wants to be and how it wants to conduct business. Essentially, these three make up its basic business model and reason for existence. The middle of the figure depicts the ongoing operations of the business, focussing on the establishment of strategy and business objectives and day-to-day performance of activities to achieve the strategy and objectives. Effective strategy, business objectives and performance will drive enhanced performance, which, ultimately, leads to the creation of enhanced value.
When conducting strategic planning, it’s easy to see the future through rose-coloured glasses. That is, imagining the possibilities for success isn’t that difficult. But recognising the potential challenges to that success is much harder. However, studies have shown that the most significant causes of value destruction are embedded in the possibility of the strategy not supporting the organisation’s mission and vision and the implications from the strategy.
The COSO ERM framework discussed three different types of risk that may arise as a result of determining strategies and business objectives. The following discussion and examples are extracted from the framework.
Possibility of misaligned strategy and business objectives
An organisation’s mission and vision provide a top-down view of the acceptable types and amount of risk for the entity. They help the organisation to establish boundaries and focus on how decisions may affect strategy. An organisation that understands its mission and vision can set strategies that will yield the desired risk profile. A misaligned strategy increases the possibility that the organisation may not realise its mission and vision, or may compromise its values, even if the strategy is successfully carried out.
To illustrate the risk of strategy not aligning with mission and vision, the framework provides an example of a healthcare company. Such an organisation would consider the risks associated with providing high-quality care (part of its mission) and convenient and timely access (part of its mission) and being a terrific place to practice medicine (part of its vision). Considering its high regard for quality, service and breadth of skill, the organisation is likely to seek a strategy that has a lower risk profile related to quality of care and patient service. This may mean offering in-patient and/or out-patient services, but not being a primary on-line presence. On the other hand, if the organisation had stated its mission in terms of innovation in patient-care approaches or advanced delivery channels, it may have adopted a strategy with a different risk profile.
There are many famous examples of an organisation pursuing a strategy that doesn’t align with its stated core values. For example, Enron developed a strategy that it believed would result in great commercial success. However, that strategy was not aligned with its core values (at least its stated core values). As a result, individuals charged with pursuing Enron’s business objectives made decisions that, ultimately, resulted in the company’s demise. Similar examples from that time period include WorldCom and Tyco. More recently, we see the impact on otherwise well-respected companies, such as Volkswagen and Uber
.”The COSO framework emphasises that enterprise risk management helps an organisation better understand how its mission, vision and core values provide the foundation for understanding what types and amount of risk are acceptable when setting strategy”
The key is for those involved with strategy setting and the boards that oversee the process, to leverage the principles of enterprise risk management to help the organisation avoid misaligning a strategy. The board can provide the organisation with insight to ensure the strategy it chooses supports the entity’s broader mission and vision for management and board consideration.
Implications from the strategy chosen
Enterprise risk management does not create the organisation’s strategy, but it helps in understanding the risks associated with alternative strategies being considered and, ultimately, with the adopted strategy. Decisions must be made on the trade-offs inherent in development of a strategy. Each alternative strategy has its risks – these are the implications arising from the strategy. The board of directors and management need to determine if the strategy works in alignment with the organisation’s risk appetite and how it will help enable the establishment of business objectives and allocation of resources that, ultimately, will lead to value creation and enhanced performance. Stated differently, the organisation needs to evaluate how the chosen strategy could affect the entity’s risk profile, specifically the types and amount of risk to which the organisation is potentially exposed. Failure to properly consider such implications may result in unintended consequences.
“Risk is a consideration in many strategy-setting processes. But risk is often evaluated primarily in relation to its potential effect on an already-determined strategy”
When evaluating potential risks that may arise from strategy, management also must consider any critical assumptions that underlie the chosen strategy. These assumptions form an important part of the strategy and may relate to any of the considerations that form part of the entity’s business context. Enterprise risk management provides valuable insight into how sensitive changes to assumptions would affect achieving the strategy.
For example, the healthcare organisation illustrated before can consider what risks may result from the chosen strategy – risks related to medical innovation may be more pronounced, risks to the ability to provide high-quality care may elevate in the wake of cost-management initiatives and risks related to managing new partnerships. Those and many other risks result from the choice of strategy. Yet, there remains the question of whether the entity is likely to achieve its mission and vision with this strategy, or whether there is an elevated risk to achieving the set goals.
Understanding the risks and their implications is not easy. Consider Wells Fargo. Recognising that the financial services industry was changing and looking for new ways to create revenue and market share, the company established a strategy to increase the number of client accounts. At a high level, this seemed like a prudent business strategy. However, management and the board failed to consider the possibility that the sales incentives to open new accounts might motivate employees to open accounts without their customers’ permission. After opening as many as two million unauthorised accounts, Wells Fargo was faced with more than $1billion in US dollars in fines and the incident forced turnover at the board and executive level. The long-term effect on its brand is yet to be determined. Clearly, a seemingly sound strategy had severe unintended consequences.
Risk to implementing the strategy and business objectives
Risk is a consideration in many strategy-setting processes. But risk is often evaluated primarily in relation to its potential effect on an already-determined strategy. In other words, the discussions focus on risks to the existing strategy: we have a strategy in place, so what could affect the relevance and viability of that strategy?
There is always risk to carrying out a strategy. An organisation must consider whether it has the capabilities (for example, people, processes, systems and information) to carry out the strategy. Lack of the necessary resources creates a risk to strategy achievement. Sometimes, the risks become important enough that an organisation may wish to revisit its strategy and consider revising it or selecting one with a more suitable risk profile.
The risk to carrying out strategy may also be viewed through the lens of business objectives. An organisation can use a variety of techniques to assess risks using a common measure. Wherever possible, the organisation should use similar units for measuring risk for each objective. Doing so will help to align the severity of the risk with established performance measures.
Assessing risk to the strategy and business objectives requires an organisation to understand the relationship between risk and performance – referred to in the ERM framework as the ‘risk profile’. An entity’s risk profile provides a composite view of the risk at a particular level of the entity (e.g. overall entity level, business unit level, functional level) or aspect of the business model (e.g. product, service, geography).
This composite view allows management to consider the type, severity and interdependencies of risks and how they may affect performance. The organisation should initially understand the potential risk profile when evaluating alternative strategies. Once a strategy is chosen, the focus shifts to understanding the current risk profile for that chosen strategy and related business objectives.
A key board responsibility is to contribute to and oversee the development and execution of the organisation’s strategies and business objectives. Since the inception of enterprise risk management, it has become common to consider the risks to achieving a given strategy and related business objectives. Boards routinely question management on their capabilities to achieving their strategy and business objectives and receive periodic updates on the organisation’s progress in doing so. This focus on the risks embedded in strategy and business objectives remains critically important.
However, there are two other aspects of risk that arise during the strategic planning process. The first, the possibility of misaligned strategy and business objectives, relates to the risks that arise when a seemingly sound strategy doesn’t align with the organisation’s mission, vision and core values. Such misalignment can result in tragic consequences, as evidenced by many examples of corporate failures in the past decades. The second relates to the potential unintended consequences of a strategy chosen. A strategy viewed through one lens may seem appropriate, but there may be hidden risks that could have dire consequences to the organisation. The extra step in strategic planning of considering potential implications of unintended scenarios is a prudent step.
By definition, risk involves uncertainty and, therefore, no board can be certain that all three types of risk are comprehensively considered at the culmination of the strategic planning process. However, taking the time to consider the three ways risk can arise in strategic planning will increase the likelihood that the chosen strategies and business objectives are successful.
About the Author:
Paul J. Sobel, CIA, QIAL, CRMA, was unanimously elected by COSO’s Board of Directors to serve a three-year term as COSO’s Chair beginning Feb. 1, 2018. Paul is widely recognised as a leading expert on governance, enterprise risk management, compliance, and internal control, and was a key member of the Advisory Council that provided input for the 2017 update to COSO’s ERM Framework, Enterprise Risk Management—Integrating with Strategy and Performance. His previous involvement with COSO includes working on panels and in focus groups that provided input to the COSO Board on other COSO guidance.