Companies need to understand all of the perils that could impede the success of their business objectives. The problem is that risk management is often reactive in nature. It occurs at a process or transactional level, aimed at remediating a problem. For example, shipments of goods are frequently delayed, so management examines the processes to determine how to make sure it doesn’t happen again.
“It’s reactionary. It’s targeted. It’s very narrowly focused on the pain point at that point in time, and at that moment — the squeaky wheel gets the oil,” says Laurence Talley, CPA, CIA, senior director of Risk Advisory Services at BDO USA LLP. “I think all organizations are guilty, to one extent or another, of operating like this.”
When organizations are assessing risk, they may consider financial, operational and compliance risk, but the one that gets ignored is strategic risk, Talley says.
Smart Business spoke with Talley about using risk management to not only protect but also enable your strategic goals.
Where do you see organizations misstep when it comes to strategic risk?
A company’s strategic goals are well developed — supported by data, tested in the market and communicated to boards, advisers and even customers. What’s lacking can be a supplement to the strategic plan or objective that prompts an organization to pause and consider what could go wrong, and its tolerance for those risks.
Employers need to ask: ‘What things have historically been barriers to us satisfying similar goals? What processes and controls can help us successfully navigate through this potential risk, either from a preventative or detective standpoint?’
You want to build an entitywide, top-down approach to thinking about and identifying risk, and then respond to those risks in a uniform, forward-thinking way. This is how risk management can be used to help satisfy and meet strategic objectives, versus just simply protecting and preventing the occurrence of perils as you do business.
If you have a headache you can take aspirin, but it’s better to drink water and get enough sleep to avoid a headache in the first place. Be preventative — focus on the entire health of your organization, entitywide, not just the current problem or pain point.
What’s an example of strategic risk?
A common strategic initiative is that your organization wants to grow by acquiring a smaller competitor. Some associated risks are that your pursuit strategy is leaked, or your purchasing approach isn’t well received. So, put some forethought into these pitfalls, developing a risk strategy to mitigate them before they occur.
Should companies be formal with this planning? Can it be an informal discussion?
There are merits to both. Informal discussions allow for expediency, but you forfeit accountability and consistency. If you formalize it, however, you can socialize it throughout your organization in a systemic and consistent manner. If your executive team talks about the risks and what you’ll do when you face them, there’s a benefit to that. But perils present themselves at all levels. You need to make sure all of your people, from executives to staff, have a similar understanding. It’s often the employees in the field, serving clients and making your products, who can identify the most impactful risk and take steps to mitigate it.
What are other best practices for proactive risk management?
Think about strategic risk from the standpoint of people, processes and technology. Have the right people participate in the risk strategy activities — from executives on down — to get a diverse set of thoughts on how you manage risk. Make risk strategy activities an ongoing process with evaluations, in order to stay a step ahead. And don’t be afraid to leverage tools and data.
For example, many consumer product companies use analytics to predict what’s trending in order to develop cutting-edge products; therefore, flip that premise and use technology with different data points to predict and understand what perils may be likely.
Today, people have a better understanding of the value of risk management. But when you can use it to help protect your company, enable the success of strategic initiatives and accomplishment of goals, that’s when the real buy-in occurs.
Insights Accounting & Consulting is brought to you by BDO USA LLP