Before a boxer enters the ring, he and his team have sized up the competition, and his coach has equipped him with various tactics to counter the most likely attacks. Swing right, the competitor is weak on his left. He always comes out strong, but his stamina is low, so give him time to tire himself out before you put your energy into it. He’s fast, but you’ve got the weight, so make sure you’re not wasting punches. When the boxer steps into the ring, he knows his strategy, and he’s confident it will lead him to a successful outcome.

Strategy is a critical component of every plan, but with any strategy comes the possibility that things may not go to plan. This is known as strategic risk. For the boxer, mitigating strategic risk is knowing the next move when that opponent has changed his tactics — like building up strength on his left side.

For companies, gauging possible strategic risk is completed by assessing potential internal and external risks to the delivery and performance of the business plan. This type of assessment requires the Board and C-suite to understand all of the critical dependencies that could be disrupted by events that they can’t control — market risk, competition risk — and those that they can control — culture, strategic decisions like new product entry, material outsourcing, new market entry, mergers, divestitures and acquisitions, or business integration.

In most companies, there is a range of possible risks such as financial, operational, reputational. This is known as a risk taxonomy. All company decisions, including those in the paragraph above, have a risk profile that sits somewhere within this taxonomy. So, when a company is initially creating its business plan or when it must pivot the Board and C-suite need to assess how each decision or change might impact the company.

Strategic risk can be defined as the risk of loss to a company because they have failed to mitigate a threat adequately or because they have not maximised on opportunities. This failure can often be attributed to ineffective, inefficient, or inadequate Board and C-suite processes around the design, creation, delivery, and governance of business strategy and planning.

The way companies assess risks to their business strategy may impact the delivery method of the plan and the level of governance required of the Board and C-suite. Scenario testing of the business plan is essential to help the Board and C-suite understand:

• The relevance of stress triggers in protecting core elements of the company
• The level of stress the plan can withstand before changes to the plan are required
• What preemptive measures could be taken to mitigate widescale impact
  
  

The importance of this kind of process is becoming abundantly clear for many companies as the COVID-19 pandemic continues to spread. Before the pandemic, companies may have based their planning on economic conditions that assumed low, yet still positive, growth given concerns over a downturn. Few companies tested their business strategies against an extreme contraction in economic conditions. As a result, companies are seeing limited capital reserves to protect critical elements of the business plan, or even their core business, which would position them to capitalise on opportunities after the current crisis is over.

During this period of an almost global lockdown or once the world emerges from the devastation the pandemic has created, companies will have the chance to embed the practices of strategic risk management into their updated or new business plans. Companies may want to look at:

• Collectively assessing external and internal risks to determine how they might affect the business plan in various scenarios and in what ways they could disrupt the company’s ability to deliver products or services to customers and return on investment to shareholders.
• How to use scenario and stress testing methods to determine at what point aspects of the business plan are no longer viable and how the company might be able to scale back to protect the core business. This is particularly useful in the case of economic contraction or cyclical recessions.
• Understanding elements within the business plan where there are potential risks such as new capital raising, new product introduction, etc.
• Determining the impact of strategic risk from other risk types such as operational, financial, and reputational risk.
  
  

Scaling back to the core business

You should embed scenario and stress testing into your strategic risk management framework allowing you to consider at what point aspects of the business are no longer viable and will require scaling back or shutting down to protect the core business.

Stress testing should be conducted periodically to capture new and evolving risks — and performed against pre-defined events that could lead to impact in the delivery of the plan, such as in the case of a cyclical change in the industry, a crisis event, the emergence of new influential competitors, etc.

Stress testing should include all aspects of the company, to understand how strategic risk scenarios could impact the running of the company and affect its overall risk profile. Consider this in the context of risk appetite by identifying where either too much risk or not enough risk is being taken in pursuit of the strategy/plan.

Determining the impact of strategic risk

Companies should be thinking about strategic risk on all levels across the entire risk taxonomy. For instance:

• Financial risk in the case of a bad acquisition
• Reputational risk in the case of significant model changes
• Operational risk in the case of major technical failures
  
  

Risks across the taxonomy can disrupt the viability, performance, and delivery of the strategic business plan. For example, failed technology re-platforming can lead to material operational disruption and significant financial damage, consuming capital otherwise planned for strategic investments. One such case was the Dieselgate scandal in which German automakers were accused of cheating emissions tests. In addition to fines and costs of around $30 billion, one major German car manufacturer, denounced the use of diesel cars in the wake of social outcry. To repair the reputational damage, they announced that they would fund an additional €50 billion of research into battery cells for electric vehicles.

The above example demonstrates how events seemingly unrelated to the business strategy, such as failures in business conduct and ethics, can lead to consequences that could result in a material impact on the viability of the company. In this case, the company found themselves entering an unexpected large-scale capital restructuring and having to make significant changes to their business strategy and core values. 

In creating a business strategy, it is essential to consider how unrelated risks and decisions taken while running a company can affect the aggregated risk profile of the company and its ability to deliver their business strategy.

Strategy doesn’t live in a vacuum

At the heart of strategic risk is culture. A company’s culture defines its approach to risk management and how employees rally behind the business plan. In almost all material disruptions, culture has a role to play.

A culture of imagination and performance may encourage new ideas and fresh thinking and embed that into the functioning of the company. However, a culture of overconfidence or “arrogance” could lead to narrow views on the evolution of the industry and gradually result in loss of a competitive edge.

During the planning phase, companies need to consider the culture required to deliver the business strategy. Culture will impact how a business strategy is created and delivered on several levels. The Board and C-suite must have a thorough understanding of the current company culture to make sure that it is fit for purpose. Having the right fit or planning a cultural change will help to mitigate cultural risks around adoption and delivery of the plan.

As Sir Winston Churchill once said, “I no longer listen to what people say, I just watch what they do. Behaviour never lies.”

Corporate governance starts with the Board and C-suite 

Although everyone in a company is responsible for risk management, it is also true that the overall responsibility for corporate governance and strategic risk management sits with the Board and C-suite. They oversee the creation, monitoring and delivery of the entire business strategy. The business plan should clearly define which members of the Board and C-suite are accountable and responsible for each remit.

There should also be a structured process for the development, creation and approval of the business strategy including:

• The gathering of data-driven analytics for the delivery of strategic initiatives
• External market analysis
• Product analysis
• Impact of new competition and technologies
• Changing consumer behaviours
• Social trends
• New regulations
  
  

At the Board level

Boards should provide consistent oversight and constructive feedback and questions on the content of the strategy to ensure the effective design and delivery of a robust business plan. They should also challenge the C-suite to make sure that the emphasis of the plan is clear and there are measurable objectives rather than just narrative. This will help gain clarity on dependencies and risks within the plan that may impact its overall delivery.

Further, the Board must grow confidence in how the C-suite identifies and responds to emerging risks to the delivery of the business plan, including the governance of actions to mitigate harm to customers, investors, and other company stakeholders.

Working together

The C-suite should conduct scenario tests and report their findings and solutions to the Board. Through this process, they can identify potential threats that would prompt a re-evaluation in the objectives or approach to the business strategy. Frequent testing allows companies to pre-emptively address emerging risks and find methods to protect the core, and often critical, elements of the strategy and plan. Through early detection of materialising risks to the company, the C-suite can engage the Board to assist in proactively addressing the risk and pivoting the strategy.

The C-suite and Board should work together to determine management actions associated with sudden and sometimes unpredictable changes in the internal or external operating environment, providing quick access to information to help inform management’s response and recovery to any events that carry a material strategic risk to the company.

Conclusion

Adopting sound strategic risk management principles and then establishing policies and procedures across the end-to-end strategy management process, from the creation of the business strategy and plan, through to the delivery of strategic initiatives is key for companies. The Board should play an active role in overseeing the C-suite’s actions to identify and proactively address risks to the intended objectives of the current business strategy.

In the scenario of the boxer and the coach, the C-suite is the boxer, moving deftly through the ring to take down his opponent. The Board is the coach, helping the C-suite make decisions and knowing when enough is enough. By introducing new standards of strategic risk management and embedding these practices into the setting and delivery of business strategy and planning, companies can ensure that they are in a much better position to anticipate switches in tactics, mitigate risk, and ensure the route to victory.