You might feel these days that you spend all your time struggling with compliance or financial reporting risks, but not really getting to the big risks that really matter.

You might be right.

At least, that’s one conclusion in the latest report from the Corporate Executive Board. Compliance officers would do well to read it, and ponder whether your senior leaders make the same mistakes about risk management that the CEB says many companies do.

The core problem? That businesses spend too little time auditing and managing strategic risks, when those generally pose the most dire threats to company success. Meanwhile, corporate audit and compliance departments do devote plenty of attention to financial reporting and compliance risks, and those threats lead to a significant market decline only 5 percent of the time. Consider the following chart:

[Chart from the CEB report: not reproduced here. It compares where audit and compliance executives spend their time against which categories of risk actually lead to significant market declines.]

According to the CEB analysis, we have a severe misalignment between where audit and compliance executives spend their time and what really can cause a business to unravel. Yet again, we’re back to the question of compliance and audit’s proper role in addressing strategic risk.

This issue has floated around compliance and audit circles for years, with no clear answer yet. Finding one is so elusive because it requires deft diplomacy around corporate headquarters, often populated with big egos or hidden insecurities. It also gets to deeper, philosophical questions about whether strategic risk is within the purview of compliance and audit executives at all. Isn’t setting strategic direction the job of the board and CEO? Aren’t they supposed to chart the course, and we mere mortals follow that course or seek employment elsewhere?

I look at the CEB’s chart above and instantly think of Research in Motion Ltd., the company that invented the smart phone industry in 2000 when it debuted the Blackberry. Yes, RIM did experience a financial reporting failure in 2007 when it made mistakes in granting stock options. But I don’t think anyone would dispute that RIM’s far greater mistake was a failure to anticipate the future of smart phones, and to deliver a next-generation device that could compete with the iPhone. RIM never managed that strategic threat properly, and now the company (operating under the new name Blackberry Ltd.) is an afterthought in a market dominated by Google and Apple.

There may be a way to navigate this tricky terrain. The CEB paper goes on to note that many companies do have risk management teams—but too often, those teams are focused on one specific risk like financial or environmental, and not tied to any enterprise-wide risk management function. Or when you do have an ERM function, it is disconnected from corporate strategy, existing to mitigate every risk it can find, instead of managing risks that might actually help corporate growth.

To me this sounds like a job for a risk committee, serving a chief risk executive—just like a compliance committee exists to serve a chief compliance officer. The committee members themselves work in the business units, and get guidance from the CCO about compliance risks the company faces. They, in turn, provide valuable feedback to the CCO about business activity that might trigger one of those risks.

The best model I ever heard for such a committee worked like a pyramid: low-level employees formed their own compliance committee to discuss immediate compliance risks (“We’re behind on sealing up some IT security patches”), and the chairmen of those various committees then formed another committee one level up to discuss higher risks (“We don’t have enough staff for top-priority projects this quarter”), and so forth up the corporate ladder. The chief compliance officer chaired the committee at the highest level, and by then everyone else had distilled specific problems into broad strategic risks: “Our ongoing manpower shortage is causing severe IT security delays, and someone could email R&D’s new plans for a missile guidance system to North Korea tomorrow.” That is the sort of discussion about strategic risk that gets a board’s attention, and in the right way.

The CEB has a few ideas along those lines, of how companies can structure themselves to embrace risk rather than fear it. The key is how you can embrace risk prudently, with good compliance practices and audit oversight baked into the process. If you can do that, you have a strong handle on your strategic risks. And then maybe your company’s product won’t be in everyone’s bottom desk drawer a few years from now, like your Blackberry is today.