By: James Creelman


Strategy and risk are two sides of the same coin. No organization can implement a strategy without taking some level of risk. The more ambitious the strategy, the greater the risk: a simple equation.

To stay one step ahead of the competition (and even simply stay in the game) in this disruptive, digital era, firms are increasingly challenged to implement “inventive” strategies.  These strategies require the introduction of breakthrough products and/or the instilling of a radically new way of competing and so are, by some distance, riskier than conventional incremental strategies (doing what we do now, but a bit better) as the ultimate results are to a large extent unknown: they are a set of assumptions.


A Corporate Governance Issue


As well as providing day-to-day headaches for executive leaders, the opportunities and risks of competing in the digital era are an issue for non-executive boards.


The financial crisis illustrated that in the digital era, strategies cannot be responsibly executed by organizations without fully considering and managing the accompanying risks and, perhaps most importantly, their appetite for risk: after all, most of the financial institutions that suffered catastrophic losses believed they had sophisticated risk management instruments and processes. Appetite, alas, was hardly considered. As Citigroup’s Chief Executive, Charles O. Prince, said back in July 2007, just before the crunch, “As long as the music is playing, you’ve got to get up and dance. We’re still dancing.” And dance they did, all the way to a 90% fall in their share price.


Few would argue that the competitive landscape is less hazardous today than it was when the crisis hit in 2008. Most would argue it is significantly more so and much less predictable. To manage in unpredictable markets, I would argue that we need an approach that enables corporate boards and executive teams to keep one eye on performance and one eye on risk.

Risk-Based Performance Management

My 2013 co-authored book, “Risk-Based Performance Management: Integrating strategy and risk management” introduced the Risk-Based Performance Management (RBPM) framework and methodology. RBPM provides organizations with an integrated strategy and risk management approach that places risk, and specifically risk appetite, at the core of strategy execution. Let’s consider each framework component.



The most important element of the RBPM approach is that of appetite. This is about defining the organization’s appetite for risk within the context of strategy and then executing accordingly.

Bringing strategy and risk closer together is right and proper and fundamentally important, but it is working within the parameters of appetite – “the amount and type of risk that an organization is willing to accept, and must take, to achieve their strategic objectives and therefore create value for shareholders and other stakeholders” – that will enable organizations to both establish the controls and inculcate the agility that are required in today’s markets.

Appetite is not just about the financials. For instance, back in the 1990s the once monolithic Arthur Andersen was destroyed overnight when its reputation was ruined through the Enron scandal. If the organization had instituted a zero-appetite policy with regard to reputational damage, it would not have made such unethical decisions in pursuit of aggressive revenue growth. Reputation provided the firm with its competitive advantage.

By defining a clear statement of risk appetite, the board and executive leadership team can establish clear boundaries within which the organization can execute the strategy and manage risk. It also provides the foundation for cascading the strategy and risk management disciplines through the organization, thus shaping the organization culture.


Set strategy

In the context of RBPM, the Strategy Management discipline is about developing a clear sense of direction as to where the organization is going, how much risk it is willing or required to accept to get there, and what the key opportunities and threats are along the way.

At the formulation stage, risk appetite plays a central role in that it broadly defines the risk boundaries for the subsequent execution phase. Risk appetite should play a key role in strategic options evaluation and the decision-making processes around which option(s) the organization will pursue.


Managing Performance

For this discipline, RBPM draws mainly from the Balanced Scorecard strategy execution framework that comprises a Strategy Map and a scorecard. The Strategy Map describes how value is created through cause-and-effect relationships between objectives. Supporting the Strategy Map is a scorecard of Key Performance Indicators (KPIs), targets and strategic initiatives.


The Strategy Map and scorecard are collocated according to four perspectives (although the exact number and even titles are not mandated) that are described hierarchically, with shareholder (or financial) at the apex and then flowing down through customer, internal processes and learning and growth. A slightly different hierarchy is typically used in the public sector.


Three Types of Indicators

At the measurement level, the RBPM methodology brings clarity through the use of three types of indicators: KPIs, Key Risk Indicators (KRIs) and Key Control Indicators (KCIs). While working in unison, each has a different purpose.


KPIs enable organizations to assess progress toward strategic objectives and targets. KPIs are used to answer the question: are we achieving our desired level of performance?


KRIs are used to help an organization assess its risk profile and monitor changes in that profile. They help answer the question: how is our risk profile changing, and is it within the tolerance range?


KCIs are used by an organization to define its controls environment and monitor levels of controls relevant to its tolerance thresholds. They help answer the question: are we, as an organization, in control?


Managing risk

Strategic risk management is all about understanding the risks the organization faces in pursuit of its objectives, and the continuous monitoring and management of those risks. It is also about understanding that risks can present opportunities as well as threats.


As with objectives, a broad set of key risks are identified as part of the strategy management process. These are then monitored and managed to increase the probability that the objectives of the organization will be delivered.

Likelihood × Impact

A key part of the risk management process is regularly assessing risk to understand the level of risk that the organization is taking. Typically, this is done based on a Likelihood × Impact assessment, which provides an “at risk” value, and can be used as one of the steers to identify where risk mitigation interventions are required.

One of the main ways that risks are managed is via an effective controls environment. Controls are the processes, policies, practices or other devices or actions designed to effect control over the risk. Key controls should be defined for each risk identified and the effectiveness of those controls regularly assessed. The key controls can be either preventive, that is, designed to reduce the likelihood of the risk materializing, or detective, that is, designed to detect when a risk has materialized.


Aligning Risk-Taking with Strategy

A key component of operating within appetite is appetite alignment: the process of continuously aligning current risk exposure to the defined risk appetite.

Translated into simple terms, it is about understanding if an organization’s current risk-taking is aligned to its chosen business strategy; that is, are we operating within appetite? The RBPM methodology introduces a new and innovative tool for managing and assessing appetite, the Appetite Alignment Matrix, which assesses an organization’s exposure to risk against its agreed appetite levels.


One of the key benefits of paying close attention to appetite, and one that is rarely recognized, is that doing so sometimes leads organizations to take on more risk, because in doing so they are still “operating within appetite”.


It is generally agreed that a failure of corporate governance was a major contributor to the Credit Crunch. Such failure was somewhat surprising as corporate governance was hardly new and codes such as Cadbury, Turnbull and Greenbury had been in place since the 1990s.


Corporate Governance was believed to be essentially in good shape – robust and effective, as was risk management. It was, therefore, something of a surprise that many experts and reports pointed to a failure of corporate governance being a major cause of the financial crisis – or more markedly, a failure to properly understand and manage the firm’s risk profile and exposure.


Governance is embedded into the RBPM approach, supporting the corporate level obligations and enabling those commitments to be cascaded through the organization. A greater focus by the board on demanding the parameterizing of risk appetite and then supervising how executives execute strategy within those boundaries is now a critical governance role and has been stressed in many reports by regulatory and expert bodies.


However, as part of the RBPM approach, governance also has a more operational, day-to-day role to play within an organization. This approach to governance is based on the RACI framework which has been widely used within the program and project management world. RACI is an acronym for Responsible, Accountable, Consult and Inform, and is used to clarify individual roles in the achievement of objectives and management of risks.



Culture is perhaps the ultimate strategy and risk management tool. The importance of getting the culture right is often overlooked in major change efforts. Although few organizational leaders would publicly state that culture is less important than process, structure or technology, the fact is that due to its being so nebulous, and so difficult to define and to equate a precise financial figure to its effective management, it is more often than not “dealt with” through a nice sounding value statement and then either forgotten about or handed over to the HR function to manage. Many organizations live to regret this oversight.


The importance of getting the culture right cannot and should not be underestimated. Culture is, quite simply, a showstopper. Indeed, an August 2012 article in the Financial Times reported a survey of risk managers that found that 62% of major risk events were the result of culture, leadership or behaviour.


Get the culture right and objectives will more likely be achieved and risk managed. Get the culture wrong and failure will be just about inevitable; even though ultimate failure might well be preceded by a period of stunning financial success, as we have seen with many organizations that suffered catastrophic failure.


Communication is a key management discipline in any circumstance, and especially when large-scale change is taking place. Communication is critical when an organization is setting out to take an integrated approach to strategy and risk management and so has been included as a discipline within the RBPM approach – most notably in getting the appetite message across and in driving the correct behaviours.

Crucially, communication should be an ongoing process, rather than a one-off exercise repeated on an ad-hoc basis. Messaging must be a constant part of reinforcing the dos and don’ts around strategy, risk and risk appetite and the importance of balancing risk and reward must be fully inculcated. If these are not done, there is a pressing danger that decision-makers and indeed all employees might revert to inappropriate behaviours.  

Parting Words

The rigour provided through the seven RBPM disciplines might go a long way toward ensuring that the organizational (especially financial) value delivered is sustainable over the longer term; that the pursuit of profit and the delivery of short-term and superior returns to shareholders is not at the expense of long-term value, or even continued survival.


As well as a day-to-day system for effectively managing the business, it provides a mechanism for effective performance oversight by corporate boards. The RBPM approach, with its emphasis on the integration of strategy and risk management, and specifically risk appetite, provides a framework for boards and senior executives to ensure that from a strategic direction and risk-taking perspective they can deliver lasting success as well as meet their corporate governance obligations.


Specifically, internal auditors should consider risk exposure versus appetite when assessing the rigour and robustness of the organizational controls on performance. When the former exceeds the latter on critical strategic thrusts, be they financial, customer, process, people or technological, the enterprise might, and often unknowingly, be engaging in a dangerous dance. The corporate boards of firms such as Enron, Arthur Andersen and many financial institutions would no doubt agree.