Rethinking Strategic Risk



Risk professionals have traditionally deployed a number of enterprise risk management frameworks that focus on monitoring financial indicators and the evolving regulatory environment (for example, the global risk framework of ISO 31000). Many of the most commonly deployed frameworks rely on strategies and hedges based on prior performance and past negative events. But they do not necessarily serve to detect future strategic risks or predict future performance.

In determining the nature and extent of strategic risks facing their companies, executives should concentrate less on current or static threats and instead turn their focus to the future. These risks can encompass such complex variables as future marketplace decisions by competitors and the consequences that these decisions have on market share or reputation.

However, determining the composition and nature of strategic risk going forward requires a more dynamic and fluid approach. Traditional models—despite their best intentions and design—tend to encourage passive monitoring of risk: a “set it and forget it” mentality. Companies will likely need to make modifications to include sustained interaction with data and ongoing changes to the strategic risk profile.

In other words, companies need to constantly call into question their fundamentals: everything from the products and services they offer to their price points and how that connects with the mission of the company. Naturally, this implies an ongoing review and assessment of business partners and vendors. As supply chains and partnerships grow ever more complicated, the risk of a weak link increases exponentially.

On the reputation side, companies must confront the information explosion that has occurred in the past decade, something Tom Friedman of the New York Times calls “The Great Inflection.” We now live in a hyper-connected world grounded in social media, cloud computing, 4G wireless, ultra-high-speed bandwidth, smart phones and tablets. Managing a company’s reputation in such an environment requires much more than listening to customer feedback. The accepted information hierarchy, such as newspapers and established media outlets, has rapidly given way to an information matrix where no single voice necessarily dominates. Information and opinions of all kinds are easier to access, but also more difficult to assess. For corporate stakeholders, the strategic risk implication of the Great Inflection is that once-common reputational risk assumptions can be neither common nor readily assumed anymore.

One approach to master strategic risk in this changing environment—both in terms of focusing on fundamentals and managing the digital space—is to leverage “big data” and data analytics. In adopting and deploying data analytics, companies may be in a position to better monitor the vast information (and misinformation) available on the internet. This includes monitoring news, tips and rumors about competitors as well as following or influencing the changing tastes and demands of consumers. These tastes and demands are shaped by an ever wider set of influences and trends that can originate anywhere in the markets where companies choose to do business.

To assess and adequately address these digital age strategic risks, companies must look outside the traditional corporate structure to adopt more of an “outside-in” perspective in terms of assessing their strengths, challenges and opportunities. This means a new focus on gathering data and appreciating external perspectives from outside sources, whether they are customers, bloggers, information trendsetters or marketplace and security analysts. Big data analytics also raise new possibilities. Information gathered from a CEO’s direct reports no longer constitutes a sufficient first line of defense in shaping a company’s risk profile. The data these executives supply are typically generated from an “inside-out” perspective and do not necessarily factor in the other avenues of information.

Of course, not all data is pertinent or valuable to assessing strategic or reputational risk. So the challenge of data analytics is to sift through the information, determine the most important risks and their indicators and, finally, establish a model to follow and appraise the data while also continuously updating the strategic risk profile.

As executives continue to ponder strategic risks and the means to address them, the aftershocks of 2008 will continue to make themselves felt. Even so, it is time to move forward and dare to posit and answer new questions about the changing fundamentals of strategic risk. That requires looking at opportunities offered by big data analytics, and focusing on appropriate business models and related risk management issues to ensure that investments of capital and assets are reexamined through the lens of the digital age.

Henry Ristuccia


About the Author

Henry Ristuccia is a partner at Deloitte & Touche LLP and co-leader of the company’s governance and risk management services.



  • Well said.

  • Jacquetta

    ISO 31000 is not limited as claimed here to 'monitoring financial indicators and the evolving regulatory environment'. The very definition of risk in ISO31000 focuses on the effect of uncertainty on objectives, and there is also a strong emphasis on understanding the internal and external environment, which include but are in no way limited to regulatory or financial concerns. As a framework it can be used very effectively to consider strategic risks, indeed if you use ISO31000 as your guide to developing an ERM framework all risks can be considered in a strategic framework.

    I wonder if the author was thinking instead of COSO with its strong emphasis on financial controls and compliance?

  • Well, in any case, a good risk management tool would be needed to help register and juggle with the output of the assessment. Unfortunately this software is often expensive and/or in the cloud (meaning some exposures for your exposures!). I found this interesting FREE Excel add-in that does it all: risk register, heat map, and many additional analyses. I hope that helps…

