History is replete with examples of once good and even great companies that were unable to keep up with the rapidly changing global business risk landscape and either disappeared or were diminished to a mere skeleton of their former selves. The stories of AOL, Blockbuster, BlackBerry, Borders, Cambridge Analytica, Kmart, Kodak, and Yahoo, for example, all include strategies that failed or backfired.
While a strategy can prove unsuccessful for a variety of reasons, neglecting the risks associated with its formulation and execution is a prominent reason for failure. Stakeholders want to see clearly defined strategic initiatives that drive long-term value. Long-term value creation is commonly measured using growth in share prices and profit, as this quantitatively measured information is readily available. Yet these are lagging indicators that don’t necessarily provide assurance regarding the sustainability of value creation. Stakeholders, therefore, demand evidence that organizations are evaluating risks associated with strategy formulation and execution, and appropriately responding to the need for strategic renewal.
There are a number of approaches to managing and evaluating risk, depending on the type of risk, industry, and organization type. Each has its own set of strengths and weaknesses. Without a complete, holistic approach to strategic risk, however, companies face gaps in their strategic risk management that could lead to failures in their business.
We propose an approach to strategic risk management that integrates the principles and components of the 2017 enterprise risk management (ERM) framework from the Committee of Sponsoring Organizations of the Treadway Commission (COSO), Enterprise Risk Management—Integrating with Strategy and Performance (COSO ERM), with the Levers of Control framework (LoC), a practice-oriented framework intended to achieve control over strategy introduced by Robert Simons based on his study of dozens of businesses (see Levers of Control, Harvard Business School Press, 1995).
While traditional frameworks intend to manage or mitigate risk, our proposed combined framework aims to optimize strategic risk—some risks must be avoided, some risks must be managed and mitigated, and some risks must be exploited. Companies that fail to do this won’t be resilient, will fail to create sustained value, and will fall prey to disruptors. We believe integrating LoC with COSO ERM will provide a comprehensive and robust framework for managing risk related to the formulation and execution of strategy.
THREE CATEGORIES OF STRATEGIC RISK
The IMA® Statement on Management Accounting Enterprise Risk Management: Frameworks, Elements, and Integration separates total risk into hazard, financial, operational, and strategic. Risks that pose existential threats are generally regarded as strategic risks. Strategy has two stages: formulation (also known as strategy setting, strategy selection, or strategic planning) and execution (strategy implementation). We can separate strategic risk into three categories that span the formulation and execution stages (see Figure 1):
- Risks of strategy: At the strategy formulation stage, management should evaluate alternative strategies, considering whether the inherent risk of each alternative matches the risk appetite of the organization. Management, in consultation with the board and other stakeholders, must assess the implications of the chosen strategy on the risk profile of the organization. Failing to do so increases the risks of strategy. An example of a risk of strategy would be the COVID-19-related supply chain disruptions that companies faced (or are facing) due to the outsourcing strategies they chose.
- Risks from strategy: During strategy formulation and execution, management should assess whether the chosen strategy aligns with the organization’s vision, mission, and core values. A misaligned strategy threatens an organization’s very existence as well as its brand and reputation, i.e., risks from strategy. Wells Fargo’s growth strategy based on cross-selling, which backfired and led to fraudulent activities, is an example of a risk from strategy.
- Risks to strategy: During strategy execution, internal and external factors can affect the relevance and viability of an existing strategy. The sudden emergence of the COVID-19 global pandemic is a classic example of risks to strategy.
Thus, an effective approach to strategic risk management should aim to fully address all three categories, ensuring that there aren’t any gaps.
STRATEGIC RISK AND ERM
Since the early 2000s, most large public companies have embraced ERM, which at its best provides entity-level risk assessment and management via an integrated and holistic approach to identify, evaluate, and mitigate risks facing an organization.
Yet a review of recent surveys and research on ERM indicates that it hasn’t reached a mature state for most companies. For example, State of Enterprise Risk Management 2020 from ISACA, CMMI Institute, and Infosecurity Group found that only 7% of respondents reported having optimized risk management processes. Executive Perspectives on Top Risks 2020 from the Enterprise Risk Management Initiative of North Carolina State University and Protiviti found that respondents are mostly focused on operational risks (risks that might affect key operations in executing strategy), with six of the top 10 risks cited pertaining to operational issues. And Aon’s Global Risk Management Survey 2019 states that silo vision still exists and true integration into ERM is still lagging. This raises the question as to whether ERM comprehensively and sufficiently captures and mitigates strategic risks.
The COSO ERM framework is based on five interrelated components supported by 20 principles at a very granular level. The five components are: governance and culture; strategy and objective-setting; performance; review and revision; and information, communication, and reporting. To evaluate whether COSO ERM provides adequate guidance to manage entity-level risk related to strategy, we matched the three categories of strategic risks with the relevant COSO ERM principles and the five components. As Figure 2 shows, COSO ERM principles touch on all three categories of strategic risk. Given the formidable challenge of managing strategic risk in today’s volatile, uncertain, complex, and ambiguous (VUCA) business environment, it’s critically important for users of COSO ERM to be aware of any gaps that exist. So we looked closer to see if there are any strategic risks that aren’t fully addressed.
Click to enlarge.
GAPS IN COSO ERM
The first gap pertains to the strategy and objective-setting component. Figure 2 shows that COSO ERM principles are heavily geared toward addressing the risks to strategy. Yet it appears that the COSO ERM framework doesn’t support risks from strategy and risks of strategy with the same intensity and emphasis as it supports risks to strategy.
Risks to strategy are generally addressed by risk-centric, informal ERM frameworks that existed even prior to the initial release of the COSO ERM framework in 2004. Because risks from and risks of strategy pertain to strategy formulation (in determining the path the organization takes), it’s critical that these two categories are prioritized. Generally, one reaps what is sown, and a flawed strategy formulation process will reveal itself in execution.
The second gap we identified pertains to the fourth COSO ERM component: review and revision. The COSO ERM framework states, “By reviewing enterprise risk management capabilities and practices, and the entity’s performance relative to its targets, an organization can consider how well the enterprise risk management capabilities and practices have increased value over time and will continue to drive value in light of substantial changes.” Given today’s fluid business environment, organizations must review and revise the methods used to identify, assess, and evaluate strategic risk; the controls used to mitigate strategic risk; and the strategies themselves. Because any strategy can be upended by a changing environment, the quality of environmental scanning and speed of anticipation of emerging risks are crucially important.
The global business experience in 2020 and 2021 in the wake of the COVID-19 pandemic clearly demonstrates the importance of an all-inclusive approach to reviewing and revising risk management. The pandemic has highlighted the importance of feedback loops, and the term “agility” has gained unprecedented importance. Agility, in the context of strategy, refers to the speed with which one can make changes to strategy to adapt to changed circumstances.
The World Economic Forum’s Global Risks Report 2020 predicted the likelihood of infectious disease risk (categorized as a societal risk) at less than 3 (5 being the highest) and impact from infectious disease slightly above 3.5. Almost all risk surveys indicated economic slowdown, cybersecurity, and regulatory changes as the top risks for 2020. COVID-19 was a total surprise, forcing companies into uncharted territories—some companies may have had their strategy slates wiped clean. Others, fighting to survive, were compelled to make an abrupt but complete overhaul of their strategy within a matter of days—involving changes that would normally take a few years.
The review and revision component of COSO ERM includes three principles that intend to provide guidance on risk management when there are major changes: assesses substantial change, reviews risk and performance, and pursues improvement in ERM. For some companies, a changing business environment poses risks; to others, the same changes may present opportunities. Let’s take a closer look at both of these aspects in relation to COSO ERM.
MANAGING RISKS RESULTING FROM CHANGE
COSO ERM acknowledges that entities’ strategy, business objectives, ERM practices, and capabilities change with shifting business context. The “assesses substantial change principle” refers to internal and external environmental changes that may substantially affect strategy and business objectives. We would expect COSO ERM to provide guidance on what the organization should do when the strategy becomes irrelevant or goes awry because of changed or changing circumstances (when risks to strategy escalate).
The “reviews risk and performance principle” concentrates on assessing whether the entity performed as expected and achieved its targets as well as the appropriateness of the risk level. This involves taking another look at risks that may affect performance and achievability of targets. COSO ERM then provides a conditional statement: “If the performance variance exceeds the acceptable variance in performance or results in a different risk profile than what was expected, then there may be a need to review business objectives, strategy, culture, etc.”
What if the entity performed as expected and achieved its target (a lagging indicator), but the external environment is showing signs of major changes that may make the existing targets irrelevant? Today’s business environment is highly fluid and full of disruptors. Whether due to technological advancement, regulatory changes, natural disasters, or infectious diseases, almost every target is a moving target. Examples in the business world where disruptive changes have doomed businesses include Kodak’s failure to understand and respond to digital photography, Blockbuster’s failure to understand and respond to streaming media, and Borders’s failure to understand and respond to e-books.
Therefore, an effective framework must highlight the need for reevaluating and modifying strategy based on identified risks. It should encompass an interactive, forward-looking control system—not a control system based on lagging indicators alone, but one informed by leading indicators as well.
When properly conceived and implemented, an interactive control system—one that provides feedback based on strategic uncertainties and therefore facilitates strategic renewal—will adhere to the logic that today’s controls must pave the way for tomorrow’s strategy. After all, organizations shouldn’t necessarily be chasing current best practices, but rather “next practices”—much like the advice from the legendary hockey player Wayne Gretzky: “Skate to where the puck is going, not where it has been.” In summary, COSO ERM discusses the need for organizational stability, resilience, and agility due to the change in the environment, yet the concepts of interactive controls and modification of strategy or emergent strategy aren’t mentioned.
EXPLOITING OPPORTUNITIES PRESENTED BY CHANGE
Companies that successfully pursue new opportunities as they emerge become renowned disruptors. Therefore, in today’s environment, risk management frameworks must optimize risk, not just mitigate it. Optimizing risk involves balancing downside risk (threats) and upside risk (opportunities).
COSO ERM acknowledges the importance of exploiting opportunities: “For-profit entities create value by successfully implementing a strategy that balances market opportunities against the risks of pursuing those opportunities.” The framework distinguishes between positive outcomes and opportunities. A positive outcome occurs when performance exceeds the original target; opportunity occurs when an action alters goals or approaches for creating, preserving, and realizing value. The framework also emphasizes the importance of seizing opportunities, but it falls short on guiding the user as to how.
Specifically, COSO ERM could have added more value to users by providing more guidance (through principles) on how to identify risks that can be pursued as opportunities—not just during the strategy-setting process, but on a continuous basis—and how strategies should be modified. We therefore identify lack of guidance on exploiting opportunities and modifying strategies accordingly as a gap left unfilled by COSO ERM.
SUPPLEMENT COSO ERM WITH LEVERS OF CONTROL
As mentioned earlier, LoC is a framework intended to achieve control over strategy—at formulation as well as during execution. LoC incorporates a dynamic view of controls over strategy, captures the two-way relationship between strategy and risk, and discusses controls that capture this reciprocal relationship. Key aspects of this framework can be used to fill the identified gaps in COSO ERM.
LoC identifies four constructs that managers must analyze and understand for the successful formulation and implementation of strategy: core values, risks to be avoided, critical performance variables, and strategic uncertainties. LoC then presents a system of controls (or levers), where each system is intended to control a single construct. Entity-level success is achieved by balancing the four levers: boundary, diagnostic, belief(s), and interactive. Figure 3 provides an overview of the levers and constructs.
The belief and interactive controls are positive and inspirational, whereas the other two are constraints and pertain to compliance. As such, boundary and diagnostic controls are risk-centric (pertaining to execution of strategy), while belief and interactive controls are objective-centric controls (pertaining to formulation and modification of strategy).
Belief control systems are the explicit set of organizational definitions that senior managers communicate formally and reinforce systematically to provide core values, purpose, and direction for the organization. In a broad sense, belief controls define and gain adherence to the organizational culture. Formulation of the organization’s mission, vision, and core values and aligning goals and strategies with mission, vision, and core values fall under belief controls.
Interactive control systems focus attention on strategic uncertainties and enable strategic renewal (with the intention of validating strategies). Strategic uncertainties may threaten or invalidate the current strategy of a business. Interactive controls help managers search for new ways to strategically position the organization in an evolving and dynamic business setting. The focus is on identifying “risks and opportunities” and on shaping emergent strategy as opposed to intended strategy.
In some situations, strategic uncertainties lead to new opportunities. To seize emerging opportunities, it isn’t sufficient for managers to ask, “What are the critical things that a business must do well to achieve its intended strategy?” They must also ask, “What assumptions or external factors could block the achievement of our vision in the future? What can we do to reap the optimal benefits in the new reality?”
Interactive controls force managers to collect information related to strategic uncertainties, especially by tapping into the information possessed by lower-level employees. Being in the trenches, they may have the best knowledge of the situation and valuable ideas on how to seize unexpected opportunities and deal with problems. Over time, the organization will adjust its strategies to capitalize on the learning, especially the learning that originated at lower levels (emergent, bottom-up strategy-setting process).
Boundary control systems define the acceptable domain of activity at the strategic level (e.g., what kinds of business opportunities shall be avoided or pursued), at the business level (e.g., the protocol followed in qualifying a supplier), and at the individual level (e.g., prohibited behaviors). Boundary controls exist both to exclude undesirable actions and to specify expected behavior (codes of conduct).
Diagnostic control systems are mostly applicable at the operational level and should motivate employees to execute their assigned responsibilities and to align individual and organizational goals. Performance measures often fall under the realm of diagnostic controls.
As you can see, LoC is at a broad conceptual level. In contrast, COSO ERM goes into more granular detail by specifying three to five principles for each of the five components. Therefore, to provide granularity and increase the practical usefulness of LoC as a framework, we expanded each lever into several action items (see Table 1). To be consistent with COSO ERM, and for comparison purposes, we label the action items as principles. (Note: An expansion of LoC was first published in Ramji Balakrishnan, Ella Mae Matsumura, and Sridhar Ramamoorti’s “Finding Common Ground: COSO’s Control Frameworks and the Levers of Control,” Journal of Management Accounting Research, Spring 2019. We modified the expansion to better fit strategic risk management.)
AN INTEGRATED FRAMEWORK TO OPTIMIZE STRATEGIC RISK
COSO ERM and LoC each have their own merits and drawbacks. Neither framework on its own is sufficient to handle all facets of strategic risk in the VUCA business environment. We therefore combine the principles of COSO ERM and granulized LoC to create an integrated framework that will better optimize strategic risk (see Table 2).
Click to enlarge.
Harvard Business School senior fellow Bill George suggests a fitting response to business environments where volatility, uncertainty, complexity, and ambiguity are certain: Leaders should possess commensurate vision, understanding, courage, and adaptability (VUCA 2.0). Others have underscored agility and resilience when confronting such environments. As COVID-19 demonstrated, some risks are unpredictable; even if the risk itself is conceivable, the likelihood and impact may be unpredictable.
Strategic risk may arise during the strategy formulation or execution stages, and it may appear in the form of risks of strategy, risks from strategy, and risks to strategy. We believe the suggested integrated strategic risk management framework provides practitioners with a more comprehensive and robust approach to managing risks during strategy formulation and execution in today’s volatile, uncertain, complex, and ambiguous business environment.
December 2021