Chess boardRisk and strategy, much like chocolate and coconut, is a winning combination you can’t argue with. There has always been a great amount of “noise” from consulting firms and experts on the fact that companies should integrate both risk and strategy, and over the past few months this topic seems to be an increasing trend in publications. They all agree on one conclusion: companies should do it but very few provide guidance on how exactly to achieve it.

EY’s 2015 global governance, risk and compliance survey findings indicate that “97% of organizations have made progress in linking their risk management objectives and business objectives…”. But the most interesting statistic is at the end of the sentence “… but only 16% of the 97% consider them to be closely linked today”. To me, this is the problem. Much like risk management itself, you know you should do it, but many just don’t know where to start.

I don’t intend to write another article on the fact that risk and strategy should be linked, as there are many recent whitepapers, points of view, blogs, etc. that explain this. What I will try to do instead is provide a few suggestions on how to do it. Hopefully the number of organizations that can benefit from this association increases well above the 16% identified by EY.

Step 1 – Identify Your Target

To start, you need to know what you are looking for. Your top executives will have communicated at some point the strategies of the company, and most likely asked their area managers to translate these into quantifiable business objectives. These are the basis for the measurement of key performance indicators or KPIs.

These business objectives are really the ones you should be focusing on. If these business objectives are not met, then the company’s strategies will be endangered.

As for risk events, where you mitigate the drivers to reduce their likelihood of occurrence, the same goes for strategy: protect the business objectives and you will – de facto – protect the company’s strategies.

Step 2 – Associate Business Objectives and Business Risks

If you already have a risk register or are building one, then ask the risk owners to select among the business objectives that you have identified in step 1 . They should select ones that apply to their business area, the ones that would be threatened by their risk.

Interestingly, most companies ask the area managers to do this exercise, but I would beg to differ. Involving the risk owners, who are in essence the business experts, can give you a more precise and realistic view.

Step 3 – Report on the Two Together

Now that you know which risks can endanger which objectives, report on the two together so that managers and executives can really see what is threatening their targets and what the threat level is.

Due to resource constraints that we all experience, they will most likely have to prioritize the important business objectives so they can focus attention on those that are at high risk.

Step 4 – Take Proactive Measures

This is where KPIs and KRIs meet and work together. KPIs represent the historical performance and help you understand where you sit today. But, as I mentioned in a previous blog (GRC Tuesdays – Key Risk Indicators in a Sound Risk Management Process: What Are They Really?), key risk indicators are forward looking and act as an early warning system.

Assigning KRIs to the risks you associated to your objectives will let you know, in advance, if there are signs that your risk is manifesting. This gives you the timely information needed to mitigate the risk and therefore reduce the likelihood that something could prevent your organization from achieving its business objectives.

Do you like the idea of being seen as the woman or man whose mission is to protect the company? Well, I’m not saying that this will transform you into this hero or heroine straight away, but it will get you on the right track.

I look forward to reading your thoughts and comments either to this blog or on Twitter (@TFrenehard)!