In recent years, banking regulators have pushed towards a more integrated view of risk under the concept of Enterprise Risk Management. Banks have responded with new governance models for risk, enhanced risk management and reporting frameworks. Despite tremendous progress, a few risk categories continue to pose challenges. Among them is Strategic Risk.

The starting point for any risk management program within a bank is the definition of those risks by their respective regulators. Based on the last revision in late 2015 the OCC (Comptrollers Handbook: Community Bank Supervision Booklet, pages 169-171) defines strategic risk as arising from: 

  • adverse business decisions
  • poor implementation of business decisions
  • lack of responsiveness to changes in the banking industry and operating environment. 

Based on the OCC guidance, there are four indicators for "Low Quantity of Strategic Risk" including 

  • The adoption of policies by the Board consistent with business strategies and risk appetite
  • Sufficient capital to support initiatives
  • Compensation programs in the spirit of "pay for performance" 
  • A strong due diligence process for new products and services.

Additionally, there are seven indicators of "Strong Quality of Strategic Risk Management" including 

  • Depth and technical expertise of staff
  • Well defined planning process and a record of achieving stated goals
  • Sound due diligence in support of initiatives
  • An assessment of reversing or modifying initiatives as part of the planning process
  • Effective communication of the strategic goals
  • A strong Management information system
  • Awareness and effective technology management as part of the strategic plan

As a strategist, I would concur with the OCC that these indicators are valid and related to strategic risk. But I would also submit that they feel fragmented, drawn from very different vantage points, and are lacking an integrated view on the subject. The following contains some suggestions to provide just that. 

The Nature of Strategy as a Portfolio of Activities

When banks discuss Strategic Risk, they are at times tempted to isolate "the big risks" as being strategic risks. That approach ensures that a heightened degree of management attention and risk controls are directed towards activities with the potentially highest adverse impact. But the true nature of strategy is not merely the result of a small number of large bets. Rather, it is the sum of all parts, the pattern of risk-taking across business units and across strategic initiatives. To effectively illustrate a pattern across a portfolio of activities, we need to utilize a visual framework.

Strategy Content and Strategy Process - The "What" and "How" of Strategy

The Strategy "Content" reflects the "what" of a business activity or initiative. Which markets and which customers are targeted, with what value proposition, what are the industry and competitive dynamics, what is the experience of the organization in this arena, etc. The primary gauge of strategy content risk is the degree of uncertainty that an organization is taking on.

The Strategy Process deals with the "how" of planning for and implementing a business activity or strategic initiative. Independently from the content, the strategy process can add its own risk elements depending on which information was utilized, how decisions were made, how the implementation is supported and monitored, etc.

If we combine the two dimensions, we arrive at a simple matrix. The combination of high vs. low strategy content risk with high vs. low strategy process risk gives us four quadrants.

The Strategic Risk Matrix

The Strategic Risk Matrix

Assessing Strategy Content Risk and Strategy Process Risk

Each bank should go through the process of defining what content risk and process risk encompass and define measures, ranges, and values. There is no one single right or wrong approach. Once consistent definitions have been developed, they can be applied to each business unit or major business activity and key strategic initiative. Below are a few considerations on how to operationalize each dimension.

Candidate elements for Strategy Content Risk (among others): 

  • Market characteristics: How proven is the market, how intense is the competition, how dynamic is the product cycle
  • Value Proposition: How clear is the positioning, how validated is customer response, how proven is the ability to deliver against the value proposition
  • Barriers to entry: How regulated is the arena, how capital intensive is the entry, how long is cycle to enter successfully

Candidate elements for Strategy Process Risk (among others):

Planning Risk 

  • Inadequate processes to prepare and conduct strategic planning efforts including executive decision making
  • Lack of awareness of material external drivers requiring a strategic response
  • Unrealistic expectations for the outcome of strategies
  • Incomplete or inaccurate assessment of internal capabilities to execute envisioned strategies

Implementation Risk

  • Delayed, incomplete, or incorrect action on committed strategies and initiatives
  • Lack of execution tracking and/or reporting, resulting in limited visibility, awareness of, and management dialogue about implementation success/challenges and actual outcome vs. goals
  • Inability to correct originally envisioned goals and action plans once the understanding of external or internal drivers have changed materially

Indicator of Magnitude of Exposure

A final dimension for the assessment is the magnitude of the exposure. A simple measure could be the amount of revenue associated with a business activity or initiative. More sophisticated measures might be available through the stress testing exercises (at least at larger institutions) and could include the risk to earnings under adverse conditions (as defined in the stress testing scenarios) if these can be isolated at the activity of initiative level. Another option is a categorization of value at risk into High/Medium/Low based on financial indicators and/or historical volatility.

By defining each of the three aspects at the business activity and/or initiative level, we can create a powerful visual of the risk pattern embedded in the bank's strategy.

Portfolio View of Strategic Risk

Portfolio View of Strategic Risk

The Journey is the Goal

What has been introduced in this article is not a "plug and play, ready to go" approach to defining and managing strategic risk. It is a framework for thinking about strategic risk in a portfolio view leveraging three dimensions: (1) Strategy Content Risk, (2) Strategy Process Risk, and (3) Magnitude of Exposure. Each institution has unique circumstances and business realities which will shape specific definitions, indicators, and metrics for each dimension. 

Oliver Buechse is the founder of My Strategy Source. Over the past 20 years he held the positions of Chief Strategy Officer at Associated Bank (Green Bay), Head of Strategy at Union Bank (San Francisco), and Head of North American Strategy at MUFG (New York/Tokyo). He started his career in strategy with McKinsey&Co.