Corporate risk management still lags behind

Canary Wharf

The good news is strategic risk management is beginning to gain traction. The bad news is practitioners still think traditionally.

A survey released recently by Deloitte and Forbes Insight, celebrates the fact that corporations around the world “have changed their approach to strategic risk management over the past three years.” It goes on, “companies are integrating strategic risk analysis into their overall business strategy and planning processes.”

This is good news. Deloitte says the report “offers deep insights” into how companies use strategic risk management to “create greater business value.” It is recommended reading if you want to get a glimpse of what remains to be done.

Though progress is encouraging, the report also hints at what holds managers back in their efforts to restructure corporate risk management functions. Many corporations have a long way to go before their efforts fulfill risk management’s potential for value creation. A corporation must cause risk management to permeate its culture from the C-suite to the staff level. Central to the effort is understanding risk management’s role in the value chain and recognizing its ability to help create competitive advantage.

Is adequate a goal?
No doubt about it, real progress has been made by some organizations. But for the majority a long road lies ahead. If the best Deloitte can say is “61 percent [of companies surveyed] now believe their risk management programs are performing at least adequately,” we can conclude the programs have yet to create much value. It is doubtful those companies’ strategic plans call for “at least adequate performance” in other activities driving competitive advantage.

Fortunately, some companies are moving beyond the traditional concept of risk management long espoused by too many experts. If we are to help solve the risk management challenge corporations face today, it is necessary to define the problem correctly. As Deloitte states, traditional risk management approaches:

are generally grounded in audited financial statements, [so] the resulting risk strategies and hedges are largely driven by prior performance and past negative events and do not necessarily serve to detect future strategic risks or predict future performance. As such, they are more focused on protecting value than creating it.

Having worked in energy trading, this analyst learned that viewing risk management from the accountancy perspective was an expensive mistake. Risk management is based fundamentally on forward-looking analysis. Accounting is not. Building risk management strategies on prior performance destroyed much more value than it created. It still does.

It was never possible to find future strategic risks and future performance in financial statements. We discovered back then you cannot drive a car by watching the rear view mirror.

Misunderstandings and muddled thinking
The report also shows that, despite progress over the last three years, broad misunderstandings about business strategy too often tend to muddle thinking about risk analysis and risk management. To characterize creating value through risk management as “taking advantage of uncertainty and volatility to maximize gains” is to advise a narrow and experience-battered “traditional risk management” approach.

A corporation that confuses risk with uncertainty very likely understands neither risk nor strategy. The phrase, “taking advantage of volatility to maximize gains” is an odd expression, one more suggestive of speculation than prudent risk management. Speculation is not a reliable method of value creation. Hedging, the more appropriate tool, is but one component of comprehensive risk management, or Enterprise Risk Management (ERM).

Risk management linkages
Risk management creates value through its impact on the value chain. Michael Porter writes in Competitive Advantage: Creating and Sustaining Superior Performance that the value chain, which defines competitive advantage, “is a system of interdependent activities.” To add value, risk management must be interdependent with other activities in the corporation. One of the problems with the “traditional risk management approach” is that risk management was often put in a silo by itself, detached from much corporate activity.

Risk management helps shape what Porter calls ‘linkages,’ the relationships between value creating activities. The value chain is defined by its links and most every value creating activity generates risks that need to be managed. “Though linkages within the value chain are crucial to competitive advantage,” Porter writes, “they are often subtle and go unrecognized.” The most subtle linkages “are those between primary activities,” and these “are often the most difficult to recognize.”

Value Chain w RM

Risks are very often subtle. They can be vague, almost abstract; ambiguous. They can be exceedingly difficult to recognize, much less define. But their impact is very real and palpable. Corporations feel it. The more subtle the risks are, the harder they are to recognize and pin down, the more likely they are to go undetected and unmanaged. The function of risk management is to ferret out the most subtle of risks, describe them, analyze them, understand them, and develop and implement proper strategies and actions to neutralize them. Doing this well creates value.

In a previous post, I stated that “risk management…interacts with and influences both primary and support activities.” The graphic depiction of the value chain shows how risk management activity is present in all primary activities while at the same time influencing support activities. Porter comments that creating value usually requires “exploiting linkages” so that “optimization or coordination…cuts across conventional organizational lines.”

Value creating linkages exist not simply within the company’s value chain but also between the company’s value chain and the value chains of other firms up and down the supply chain. These linkages “provide opportunities for the firm to enhance its competitive advantage.” Managing supply chain risks well creates value.

Strategic risk management is the activity that takes place in the linkages between value creating activities, managing the risks generated by value creation itself, with the explicit mandate to generate strategies and actions to reduce present and future costs associated with the activities. This is how risk management creates value and contributes to competitive advantage. This is why risk management and risk analysis should be integrated into overall business strategy and planning processes.

More on risk management from GRI:

Why risk management needs to be integrated in corporate culture

Companies fail to see risk management as competitive advantage

A Secret for Business Success: Understanding Risk

Why Companies Need Political Risk Analysis


Tags: , , , , , , , ,

Categories: Economics, International

Author:Steven Slezak

Steven Slezak is on the faculty at Cal Poly in San Luis Obispo, California, teaching finance, strategy, and risk management. His research is supported by the university’s Farm Credit Program in Finance and Appraisal. Previously, he taught financial management and financial mathematics at the Johns Hopkins University MBA program. He holds a degree in Foreign Service from Georgetown University and an MBA in Finance from JHU. He has worked in fields as diverse as international economics, national security, commodities trading, and risk management. He consults on business management and strategy.


Subscribe to our RSS feed and social profiles to receive updates.


  1. Is risk management a component of competitive advantage? | Global Risk Insights - December 11, 2013

    […] previous posts argue that strategic risk management creates value for a corporation by operating within the […]

  2. Why corporate culture needs risk literacy | Global Risk Insights - July 3, 2014

    […] corporation that confuses risk with uncertainty very likely (doesn’t) understand risk,” argued a previous post. Even at the highest levels of corporate governance in many sophisticated organizations, general […]

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: