Organizations know they must manage strategic risk to create and protect value. Here are some guiding principles that might help.
What is strategic risk management (SRM)? Is it the same as or different from enterprise risk management (ERM)? What kinds of events or risks are strategic risks? Boards of directors and management teams have been asking these questions a lot lately.
One of the lessons many organizations learned from the global financial crisis is that they need to clearly link strategy and risk management and be able to identify and manage risk in a highly uncertain environment. Another is that they must focus risk management on creating value as well as protecting value. In this article, we present a working definition of and guiding principles for SRM that management teams and directors can use to help link ERM with strategy and strategy execution and to focus risk management on creating and protecting value. This insight is based on some of the latest developments in strategic risk management, drawn from our work with management teams and boards, from research in the Strategic Risk Management Lab at DePaul University, and from collaborative research with the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and other universities and professional organizations.
The Relationship between SRM and ERM
In 2004, COSO issued its Enterprise Risk Management-Integrated Framework with this definition of ERM (see www.coso.org):
Enterprise risk management is a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
That definition describes a broad set of processes that apply across the enterprise and involve everyone from the board of directors on down. (Note that ERM is directly related to "strategy setting.")
The Integrated Framework provides the key principles and components of enterprise risk management and is grounded in the concept of ERM focusing on the achievement of an entity's objectives. The Framework groups entity objectives into four categories: strategic, operations, reporting, and compliance. A particular objective may overlap certain categories, but the four categories allow an organization to focus...