First Reference company logo

Inside Internal Controls

News and discussion on implementing risk management

machine cogs image

Always-on risk and strategy management

always-on strategyI like the idea of “always-on” strategy and performance management, as discussed in a piece by members of the BCG consulting firm.

Always-On Strategy hardly mentions the word “risk”, but it’s there in a major way.

Consider this:

To increase the odds of success in today’s turbulent environment, leading companies are complementing their annual strategy-setting process with something more dynamic. We call it always-on strategy.

Always-on strategy gives companies a systematic way to scan for signs of disruption and explore unexpected changes to the strategic environment. Companies identify the most pressing strategic issues and regularly engage senior leaders in formulating a response.

Doesn’t this sound like risk identification, assessment, monitoring, and response?

Aren’t “issues” the same as risks?

Later, the authors say:

Always-on strategy complements the annual [strategy] process by giving senior leadership a regular forum in which to monitor and discuss issues that warrant continual attention, including those identified during the annual process and during the course of the year.

Isn’t this what we strive to achieve with risk management, addressing the issues that might affect the achievement of strategies and objectives?

But the authors see issue or risk monitoring as the responsibility of the Chief Strategy Officer:

The chief Strategy Officer (CSO) and the strategy team are ideally positioned to identify issues from the top down, both in the business units and externally. They can provide a structure and tools to capture and filter information from the broader organization.

CSO doing this instead of the CRO?

What does this mean?

If the language of strategy and issues resonates with leadership, use it instead of the technobabble of risk.

I met one CRO who reports to the CSO.

Is that a model that makes sense (in non-regulated industries – because the regulators have a risk-averse view of risk management)?

Maybe it does.

Maybe it allows and stresses an emphasis on achieving objectives instead of ‘managing risk’.

What do you think?

Follow me

Norman D. Marks, CPA, CRMA

Norman D. Marks is an Author, Evangelist and Mentor for Better Run Business, as well as an OCEG Fellow and Honorary Fellow of the Institute of Risk Management. Mr. Marks has been a practitioner and thought leader in internal audit, risk management, and governance for a long time. He has led large and small internal audit departments, been a Chief Risk Officer and Chief Compliance Officer, and managed IT Security and governance functions. Read more
Follow me

Latest posts by Norman D. Marks, CPA, CRMA (see all)

Send to Kindle

, , , , ,

Leave a Reply

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.