Resiliency and Strategic Risk Management

In today’s volatile and uncertain global economy, all companies need a forward-looking and strategic view of how risk is assessed, monitored, and managed. According to continuing applied research at the DePaul Strategic Risk Management Lab, McKinsey & Company, and other organizations, strategic resiliency and strategic risk management skills can help organizations to both create value and protect value, taking a positive risk governance approach that seeks to manage threats as well as create value based on the opportunities of extreme risk events and scenarios.

The past decades have seen unexpected and extreme risk events, which can be referred to as “unthinkable risks” or black swans. Past examples include major weather-related events, such as the 2011 tsunami in Japan or Hurricane Katrina in 2005 in the United States, or financially related events, such as the 2007-2008 collapse of the credit markets. Recent severe risk events and scenarios include the global pandemic, supply chain disruptions, cybersecurity attacks, energy supply disruptions, international conflicts, and technological disruptors to business models. The recent banking crisis involving Silicon Valley Bank (SVB) and other banks demonstrates the need for developing resiliency and strategic risk management in all companies.

How can executive teams and boards consider the possibility of such extreme events and develop and support risk assessment and risk management processes, capabilities, and cultures to enable the creation of long-term sustainable value? A key requirement to address this question is having a disciplined focus on long-term sustainable value creation. CFOs, finance organizations, and boards can take a leadership role in establishing and supporting strategic resiliency and strategic risk management skills as core competencies focused on creating and protecting long-term value.

PART 1: LONG-TERM VALUE CREATION

According to the latest research from the Return Driven Strategy Initiative at DePaul University’s Strategic Risk Management Lab, short-termism can be a major barrier to long-term value creation. Long-term value creation requires a disciplined commitment to avoid excessive short-termism, which can result in creating risks in not investing in strong, dependable, and secure infrastructure and technology to avoid major operational breakdowns as recently seen at Southwest Airlines. Short-termism can also result in under-investing in cybersecurity capabilities, processes, and culture, which are important in protecting a company from cybersecurity threats.

MARK L. FRIGO: The Return Driven Strategy framework (see Figure 1) represents the strategic activities of high-performance companies and is used in strategic risk management. The most important part of the framework is to “ethically maximize wealth,” which means ethically creating long-term value and avoiding the pressures of excessive short-termism that can hinder long-term value creation. What advice would you give to board members in their role of strategy oversight to help focus the company on long-term value creation and avoid the pressures of excessive short-termism?

DENNIS H. CHOOKASZIAN: Public company boards generally have both short-term- and long-term-oriented investors, and their objectives are often in conflict. There are some strategies that would be valuable for building the long-term value of the company, but the investment required may depress earnings in the short term and may put downward pressure on share price. The most important decision for a board to make is to determine whether they’re attempting to build the long-term value of the company or whether they’re focused on increasing short-term share price. Failure to discuss the issue creates a less effective decision-making environment because some directors may be focused on the long term and others may be focused on the short term. It’s critical for directors to reach an agreement regarding their focus and to have it clearly communicated in their company financial filings and in discussions with employees so that all constituents have a clear understanding of the strategy. 

FRIGO: From your perspective as a CEO, what advice would you offer to CFOs and finance organizations relating to the pressures of short-termism?

CHOOKASZIAN: Short-termism has increased substantially over the past decade, driven in part by activist shareholder funds. These pressures have caused some boards to react by taking actions that increase short-term share price at the expense of long-term value creation. Some boards have divested parts of their company, which might have important long-term value-creation possibilities, but the sum of the parts may have a greater value than the whole and the share price can in some situations be increased significantly by selling part of the company. CEOs face these pressures and must drive the company strategy. The most important action of a CEO should be to lead a board executive session discussion regarding long-term vs. short-term value creation. The CEO needs to remain open to either direction because both are valid approaches, depending on the circumstances. The CEO should lead this discussion every year to ensure a clear focus that’s supported by the board. It’s very important to have the strategy discussion and to state the company’s position before an activist becomes involved as a shareholder.

PART 2: CYBERSECURITY AND RESILIENCY

Cybersecurity risks have recently attracted a lot of attention. But many companies still treat cybersecurity risk primarily as a technology problem rather than a core strategic risk that’s closely interrelated with company strategy. This narrow view on cybersecurity risks can create vulnerabilities in the way cybersecurity risk is assessed, monitored, and managed. A previous article in this series (“Strategic Management of Cybersecurity Risks,” Strategic Finance, January 2022) described how a strategic risk assessment process can be used to assess and manage cybersecurity risks and to develop cybersecurity risk profiles and action plans that include readiness and preparedness as primary elements.

FRIGO: What are some key things boards need to know about the cybersecurity capabilities and processes of an organization to help them with their oversight of building cybersecurity capabilities to create and protect value? How should cybersecurity risk be integrated in enterprise risk management (ERM) processes in an organization?

CHOOKASZIAN: It’s important for a company to have a chief information security officer (CISO) that doesn’t report to the head of information technology. The CISO function is similar to the chief risk officer (CRO) function, and both need to be independent in the same manner that the chief internal auditor reports to the audit committee chairman. The CISO could report to the board or could report to the CEO or one of the CEO direct reports, depending on the structure of the company. In some situations, the CISO could report to the CRO. The CISO should provide frequent reports to the board on the state of cybersecurity protection of the company. It’s also useful for the board to have one member designated as the cybersecurity expert to increase the focus on the issue. The issues regarding cybersecurity are very technical, and most board members don’t have the technical background to understand the complexities. A board needs to rely on the independent CISO and, in some instances, to have an outside cybersecurity expert who provides a full assessment of the cybersecurity risks.

PART 3: RESILIENCY AND STRATEGIC RISK ASSESSMENT

Strategic resiliency means taking a forward-looking and strategic view of risk assessment and risk management consistent with the strategic risk assessment process. In step 1 of the strategic risk assessment process, we use Return Driven Strategy as a holistic framework for understanding the risks embedded in a business strategy. In the framework, a key foundation is referred to as “vigilance to forces of change,” which represents positive risk governance focused on creating and protecting value. The pyramid shape of the framework represents the Greek symbol for change in mathematics, delta, which forms the backdrop of the framework. Business environments are incredibly dynamic. Therefore, management must leverage opportunities and manage threats arising in pursuit of each of the interrelated tenets in the holistic framework. Major areas for vigilance include government, legal, and other regulatory change; demographic and cultural shifts; scientific and technological breakthroughs; industry; and competition.

FRIGO: How can CFOs, finance organizations, and board members ensure that a good resiliency-driven culture exists using a strategic risk assessment approach? How can companies evaluate and develop strategic resiliency and strategic risk management skills in an organization? Creating long-term sustainable value means having the right risk management capabilities, culture, and knowledge. What advice would you offer to boards and executive teams in developing risk management capabilities to help executive teams and boards to identify and understand the risks that could hinder long-term value creation?

CHOOKASZIAN: It’s critical for a board to establish a risk-oversight process that’s board driven. In recent years, many boards have created a separate risk management committee rather than assigning oversight to the audit committee. The separate committee has increased the focus on risk management. It’s also important to appoint a CRO that coordinates the ERM process in the organization. One of the most important tasks of the ERM process is to hold an annual “think the unthinkable” meeting where there is a robust discussion of emerging risks and low-probability but high-severity exposures. The most common cause of major disruptive events comes from areas that weren’t properly considered in the ERM process, and this type of discussion can focus on the “unthinkable” exposures. The recent pandemic is a very good example, and some companies were better prepared than others to deal with emerging events.

PART 4: REPUTATION AND RESILIENCY

FRIGO: Reputation risk is a key area to monitor and manage in creating and protecting value, which can be driven by extreme events and scenarios. What advice would you offer to executive teams and boards in assessing, monitoring, and managing reputation risk?

CHOOKASZIAN: Reputational risk is a much more important area for the board to focus on than it was in the past because of the viral expansion of social media. The reputation of a company can be attacked in many ways that weren’t possible in the past, and each company needs a mechanism to monitor and evaluate its reputation. A company should have a social media expert or should hire an outside firm to broadly evaluate on a continuous basis any references or comments regarding the company in the broad array of social media outlets. The starting point for understanding the reputation of a company is for the board to have a clear strategic direction regarding the values and principles that the company is based on. If you don’t have a clear set of values and principles, you can’t build an enduring reputation. Once you have established your values and principles, a senior officer should be assigned the task of developing a strategy to enhance and monitor the reputation of the company. This is one of the most important responsibilities of the CEO, and the board needs to engage the CEO to ensure that there’s an active program in place to continuously improve the company reputation.

PART 5: SKILLS FOR BUSINESS LEADERS

FRIGO: You serve as an adjunct professor of strategic management at the University of Chicago Booth School of Business. What advice would you give to business schools in including strategic resiliency and strategic risk management in business school curricula? What advice would you give to CFOs and the finance organization in terms of developing their capabilities and knowledge in helping executive teams and boards to identify and understand black swans and unthinkable risks?

CHOOKASZIAN: Strategic resiliency and strategic risk management should be an important part of any business school course on corporate governance. The curricula should include methods of developing a strategic plan based on the values and principles of the company and should be a board-driven process. It’s the responsibility of the CEO to develop the strategic plan for review and approval by the board. The CEO should be focused on the long-term strategy of the company and the potential risks that the company faces. The CEO should work with the CFO to develop mechanisms to evaluate and discuss the enhancement of the strategy and the determination of appropriate measures to mitigate risk. It’s critical for the CFO to build an organization that has a broad set of skills to build the strategy of the company and the monitoring processes to manage risk.

PART 6: STRATEGIC LIFE-CYCLE ANAYLSIS

FRIGO: A previous article in this series (“Strategic Life-Cycle Analysis: The Role of the CFO,” Strategic Finance, October 2020) described applications of strategic life-cycle analysis (as shown in Figure 2) to analyze the long-term value-creating performance of companies during different phases of a competitive life cycle, reinvestment strategy based on the phase of the life cycle, and on investments in intangibles which drive much of the value creation in today’s economy (including research and development, technology, organization capital, and brand). The article recommends CFOs use life-cycle reviews as a way to communicate the reinvestment strategy of the company to board members. Based on your experience as a board member, would this type of analysis be useful?

CHOOKASZIAN: The life-cycle review as described in your article with Bart Madden is a useful tool for a CFO to utilize in communicating the strategy of the company to board members. As they mature, companies evolve through four phases, and each requires a different governance structure and leadership characteristics for it to succeed. The four phases in the life-cycle in use are: start-up, growth, established, and mega.

Each phase has different leadership characteristics, and the role of the board adapts to the changes. The CFO has a very important role in defining the growth and investment requirements of the company and should provide the board with an understanding of where the company is positioned in the strategic life cycle. A company must continue to invest in innovation and growth to continue its development to an established company.

PART 7: LESSONS ON RESILIENCY FROM BANK FAILURES

FRIGO: The recent banking problems at SVB and other banks show the importance of developing resiliency and strategic risk management at companies. Some companies were caught by surprise and unprepared to deal with the situation. What advice would you offer to CFOs and board members in adapting the lessons learned from the recent banking problems?

CHOOKASZIAN: The failure of SVB points out the need for all organizations to have at least two active banking relationships. This allows the organization to act quickly in the event of a liquidity crisis at one of its banking partners. It’s also important to regularly monitor the status of leverage ratios and bond ratings. If any deterioration is indicated by a change in rating or status, the company should consider a movement to a safer banking relationship.

FRIGO: Here are five takeaways for CFOs and finance organizations based on the discussion in this article:

1. Focus strategy on long-term value creation: Develop the strategic thinking skills of the finance organization and evaluate how well performance metrics support long-term value creation.

2. Develop and support cybersecurity capabilities as a top priority: Take a leadership role in supporting the development of cybersecurity capabilities of the company as a strategic asset.

3. Use a strategic risk assessment process as an integral part of ERM and for developing risk assessment briefings for the board.

4. Consider reputation risk as a key risk to monitor and manage: Take a leadership role in supporting reputation risk monitoring and management capabilities.