Recognizing Strategic Risks and the Role of the CRO

Donna Galer, Al Decker


March 8, 2021

Strategic risks can expose an organization to loss and even extinction when unrecognized or unmanaged. Think of the many well-known companies that have ceased to exist due to a failure to recognize the risks coming from new technology, changing customer preferences, heightened competition, new regulatory burdens or socio-economic volatility.

It has always been the responsibility of the board, CEO and senior leadership team to develop, approve and execute the strategy and to analyze the risks involved in the direction they have chosen to take. Generally, however, none of the individuals in these roles are trained in discerning risks and some are not inclined to. They are more focused on preserving the status quo, if it is currently positive, or on chasing new opportunities while discounting the risks. The chief risk officer is keenly aware of marketplace risks and knowledgeable about risk management, but if he or she is not involved in strategy setting or strategic discussions in their companies, such insight is likely missing when strategic decisions are being made.

Companies underestimate strategic risks to their detriment. To that end, the following are three common strategic risk areas that companies need to take seriously.

The Risk in Too Much Expansion

The risks inherent in significant growth are many and varied. Most management teams know there are risks to major expansion efforts, but do not always do a thorough analysis on each one with the right group of experts. Some of the specific risks associated with over-expansion include:

  • Expanding into areas that do not share the same characteristics or competitive landscape as currently successful markets or locations.
  • Expanding at the wrong time, such as when retail store chains expanded rapidly while online sales were on the rise.
  • Expanding despite the existence of problematic internal indicators, such as diminishing customer satisfaction or lack of innovation, that need more urgent attention.

The Risk of Maintaining the Status Quo 

Although it has become clear over recent decades that innovation is an essential business characteristic, there are still companies that are not innovating or not innovating enough. Some companies choose to maintain the status quo because they fear change or because they simply lack the skill to innovate. This opens them up to a number of risks.

First, the lack of or slow adoption of new technology has decimated more than one industry sector over the years. At the same time, other industry sectors have tweaked or dramatically modified their business models to integrate the new technology within their customer-facing or back-office operations in a timely fashion. For example, COVID-19 has accelerated the spread of telemedicine, which requires providers to use many different types of advanced technology.

Societal or customer preference changes can also sneak up on companies focused solely on business-as-usual. For example, as consumers have become more health-conscious, some companies continued producing non-healthy foods and their sales and profitability were affected. Other companies were quick to make product modifications or to diversify into different product lines. The risks to such companies should have been identified and addressed before they became disadvantaged in the marketplace. 

Legal and regulatory change can also create risks for companies. This is especially the case now when the attention on climate change is creating restrictions for industries from energy to transportation to manufacturing. As social inflation raises the levels of jury awards, insurers that recognized the trend early put more emphasis on such things as arbitration within policy terms and settlement negotiation training for staff, for example.

The Risk of Rapid Growth

While investors like to see growth, rapid growth can carry risk. Amid rapid growth all the attention is generally focused on getting more products or services out the door. That often means concomitant risks or unintended consequences are ignored.

For example, rapid growth can get ahead of the talent or infrastructure needed to support it. This can strain the bandwidth of management and potentially lead to poor decision-making. In such a scenario, quality diminishes and customer dissatisfaction increases, resulting in growth or profit reversal. Rapid growth can also require cash outlays in advance of new revenue, which can destabilize the balance sheet and even lead to insolvency. Many neighborhood restaurants have failed after becoming the “in” place to eat (in pre-COVID-19 times) because they did not recognize and manage the risks inherent in rapid and significant growth.

Managing Strategic Risks

Like any other risk, strategic risk can be avoided or mitigated by the actions that management teams might put in place before the risks reach damaging or unmanageable levels.

Without the involvement of the CRO in strategic planning, however, there is strong potential that strategic risks will not be treated as risks. It is not that the CRO is expected to be the only person who will identify each risk or develop the appropriate mitigation. What the CRO will be expected to do is: 1) ask the questions that will help identify strategic risks, 2) solicit and contribute to developing mitigation plans to address the risks, and 3) record and monitor the risks and mitigations. In other words, the CRO can provide diligence, insight and structure to better ensure that strategic risks are managed well.

Donna Galer is a senior advisor at Hanover Stone Partners and writes books and articles on the subjects of ERM and strategy. She was the former chairwoman of the Spencer Educational Foundation and held senior management positions at Zurich Insurance, both in the United States and Switzerland, and at Crum and Forster Insurance.
Al Decker is the co-author of several books on ERM, including Enterprise Risk Management – Straight Talk for Nonprofits, and is currently a consultant with The Executive Service Corp of the Triangle in North Carolina. A former worldwide executive for security and privacy services at IBM, he has also been executive director of enterprise risk management at Electronic Data Systems (EDS) and the national partner-in-charge of IT security services and national director of IT assurance services at Coopers & Lybrand, LLP (now PWC).