Business strategy and risk management occupy separate spaces in
most organizations. Business strategy sits at an enterprise or executive level,
but risk management usually functions at a tactical and operational level. A
chasm often exists between the two groups, removing important risk-based
context from pivotal business decisions.
To bridge the chasm, risk management professionals must
demonstrate to business leaders the value of the information they possess for
one primary reason: the long-term growth and good of the business. Risk
management today, bolstered by advances in technology, contains vital data that
can inform executive decision-making to support business strategy, reduce risks
and ensure long-term growth. To that end, risk management professionals need to
take four steps.
1: Understand Enterprise-level Objectives, Outcomes, and Metrics. Objectives might include increasing revenue, launching a new product or providing customer support in a timelier fashion. These objectives are strategic in nature and can be broken down into specific business outcomes such as increasing production by a certain percentage or publishing a set number of technology upgrades or enhancements each year. The business outcomes, in their own turn, are tracked and measured using business metrics.
2: Correlate Business Objectives with Risk Management Activities. Risk management professionals can assess how enterprise-level concerns correlate to what risk management is doing on a day-to-day basis. This requires a distinct shift in perspective, since activities such as conducting risk assessments, establishing controls to mitigate the impact of risks and assessing residual risk—while incredibly important for risk managers—do not directly tie into the enterprise’s business objectives and strategies.
3: Establish Leading Key Indicators that Tie to Business Outcomes. Risk management personnel need to establish a leading key risk indicator (KRI) that has a direct relationship with the desired business outcome. Typically, key indicators tend to be lagging in nature, such as tracking the number of cyberattacks that happened over the past quarter. This is useful information, but it is not effective in influencing business metrics or business outcomes. A leading indicator, in contrast, is one which provides advance notice of a situation before a risk event is experienced so that action can be taken to avoid or mitigate the impact of the event.
4: Present Metrics that Support Decision-Making. Risk management professionals must also present these metrics in such a way that it supports decision-making by the target audience. In particular, risk metrics and key indicator need to be presented in their business context and in a manner that drives action. When a risk metric or key indicator shows that action must be taken to avoid loss or achieve gain, it becomes valuable to business leaders and decision makers.
Driving value related to business strategy requires both time and
commitment on the part of risk management professionals. Once that value is
proven, target audiences will begin to rely on and request KPIs and KRIs to
support decision-making. They will understand the relationships between risk
metrics and business outcomes. With this deeper understanding, risk management
will no longer be viewed solely as an operational risk mitigation function. It
will also be seen as a strategic function that contributes vital intelligence
necessary for the long-term growth of the enterprise.