Which comes first ... managing risk or strategy-setting? Both! Effectively integrating risk management with the strategy-setting process enables management to focus on achieving its expected return while controlling its accepted risk exposure.

• Author: Gibbs, Everett

In what can be viewed as the proverbial which-comes-first, chicken or egg scenario, businesses continue to grapple with a fundamental issue: Should a business strategy be formulated prior to conducting an enterprisewide risk assessment, or vice versa? The nature of the question in itself suggests the need for effective integration of risk management with strategy-setting.

An enterprisewide risk assessment can help management determine whether there are risks that are inconsistent with or in excess of the organization's risk appetite. Because the operating environment is constantly changing, strategy-setting is a dynamic process that never ends. The same applies to risk assessment.

So, management should never set strategy without evaluating risk. Managers will naturally gravitate to the opportunities with the highest return, regardless of the risk. That is why a risk evaluation must be performed when strategy is formulated, because each enhances the other.

In those situations when a risk assessment is conducted after the business strategy is developed, the strategy must be reevaluated to consider risks not identified during the risk assessment. Business strategies often warrant revisiting once the risks inherent in those strategies are fully understood. Thus the entity's goals and objectives may be further refined when an enterprisewide risk assessment is conducted.

An Enterprisewide Approach

Whatever the enterprise's proxy for measuring value, the most important contribution of risk management is to help executives make better strategic choices. Not only is this contribution an important one as companies face an increasingly uncertain future, it can make or break the formulation and execution of a successful strategy.

Over the last 10 years, Protiviti Inc. has conducted several research projects involving senior executives. The most recent survey was conducted in the third quarter of 2005 and involved 76 C-Level executives of Fortune 1000 companies. The research during this 10-year period has consistently found that six of 10 senior executives lack high confidence that their organization is identifying and managing all potentially significant risks.

During times of substantial change, integrating risk management with strategy-setting is the key to increasing the relevancy of and the confidence in risk management capabilities.

Traditional risk management tends to focus primarily on loss prevention and managing uncertainties around physical and financial assets and related contractual agreements. As such, traditional risk management is often a fragmented, reactive, sporadic, cost-based, narrowly focused and functionally driven activity.

Integrating risk management with strategy-setting, such as an enterprise risk management (ERM) approach, helps an organization manage its risks to protect and enhance enterprise value in three ways. First, it helps to establish sustainable competitive advantage. Second, it optimizes the cost of managing risk. Third, it helps management improve business performance. These contributions redefine the value proposition of risk management to a business.

Just as potential future events can affect the value of tangible physical and financial assets, so also can they affect the value of key intangible assets such as customer assets, employee/supplier assets and the entity's distinctive brands, differentiating strategies and innovative processes and systems. This is the essence of what ERM contributes to the organization--the elevation of risk management to a strategic level by assessing all sources of value, not just physical and financial ones. ERM transforms risk management to a coordinated, proactive, continuous, value-based, broadly focused and process-driven activity.

Under an enterprisewide risk approach, the focus is on integrating risk management with strategy-setting.

The Focus on Enterprise Value

While the strategy-setting process takes many forms in different organizations, it generally includes the following continuous cycle of activities: assessing the environment, evaluating alternatives, formulating strategy, establishing metrics and monitoring execution. Integrating risk management with strategy-setting transforms risk management from "avoiding and hedging bets" to a differentiating skill for protecting and enhancing enterprise value as management seeks to make the best bets in the pursuit of growth and returns.

Enterprise value is the value placed upon an organization by its stakeholders. While value can be expressed in...