Respondents recognize the need to better identify and evaluate emerging risks and to adapt their company’s business strategy accordingly. Eighty-five percent said opportunities exist to further improve the linkage between risk and business performance. But 77% limited their ability to adjust their business strategy to the changing risk landscape because they evaluated their company’s risk profile annually instead of continuously.
To better take advantage of risks worth taking, to prevent counterproductive risks, and to be prepared for external risks that are outside of the company’s control, Venture Captive recommends these six steps:
- Identify and assess risks that impact business strategy. To identify new and emerging risks, companies need to routinely evaluate their business strategies and determine the level of risk they can handle to generate value. Each identified risk should then be assessed in strategic and business planning discussions and its likelihood, potential impact, or trealizationisation determined.
- Design a risk response to reduce the downside and take advantage of the upside potential. Once key risks are classified as strategic, preventable, or external, they can be aligned with the company’s risk appetite to figure out what amount of risk is acceptable. A cost-effective and efficient risk response plan helps balance the mitigation of risk with the expected benefits of the strategic programme.
- Align the functions to execute the organisation’s risk response strategy. Identify the three lines of defence to define clear ownership and accountability for risk activities. This enables a company to validate risk coverage and foster a culture in which all parties understand their role in executing the company’s risk strategy. In a sound risk culture, the tone from the middle tier of management is aligned with the tone from the top tier. Governance and business models support the delivery of desired risk behaviours and enable strong accountability and effective challenge. The risk-management framework is embedded in the way the business manages risk. And employee incentives support the delivery of desired risk-management behaviours.
- Develop risk processes to facilitate better co-ordination, communication, and reporting. Risk-management policies and processes are integral to influencing behaviours, co-ordinating activities, establishing communication protocols, and facilitating risk reporting.
- Design solutions that prevent, balance, or limit risk. Design risk and control frameworks that seek to eliminate preventable risks from arising and that can be monitored and tested to deter or detect preventable risks if they arise. Companies balance and manage strategic risks through solutions such as risk modelling and analytics, which enables them to monitor the risk exposure in real time and adjust the business strategy accordingly. Stress-testing, scenario planning, and war-gaming enable companies to assess the impact of outside forces on their business strategy, determine how to limit the external risks, and help bring the company back to business as usual.
- Implement technologies to effectively execute and sustain solutions. For risk prevention, optimise internal control frameworks to eliminate duplication and automate controls. Also, adopt continuous process monitoring solutions to further enhance and automate controls and to improve the second line’s and the third line’s ability to monitor internal controls. Scorecards, dashboards, and other forms of reporting, such as monitoring key risk indicators and key performance indicators, provide the board and executive management visibility into the risks that affect business strategy and the business’s risk profile.