Reasons For Failure To Prepare A Risk Management Strategy

In the present economic scenario with escalating risks, it is imperative for organizations to have a risk management strategy. However, more than half of the GRC departments do not prepare an integrated risk management strategy, despite knowing that the lack of one can put their organizations in jeopardy. The graph below, from the Economist Intelligence Report “Too Good to Fail?” covering financial institutions and insurance companies, supports my assertion.

Too Good To Fail? - Economist Intelligence Unit

On average, in the Asia-Pacific region, just over 50% of financial institutions have a regularly monitored risk management strategy. It would be fair to assume that the percentage will be much lower for all industries.

Hence, the question arises – why are GRC departments not preparing a risk management strategy? I discuss five reasons below. Use them to assess the barriers in your organization to forming a risk management strategy.

1.    Non-involvement in business strategy formation

As per the survey “Fall guys: Risk management in the front line – A report from the Economist Intelligence Unit Sponsored by ACE and KPMG” – just 41% of the organizations involve the risk management function in formulating and implementing corporate strategy. Non-involvement in business strategy formation results in risk managers failing to get the bigger picture and to understand business strategy risks. Hence, GRC departments’ plans focus on addressing tactical and operational risks. Therefore, risk managers fail to do strategic “risk management”.

2.    Lack of accountability at senior management level

Most reports mention that risk managers do not have adequate authority. The second challenge is that they do not report to the CEO, and GRC department heads report to different functional heads. These challenges give a level of anonymity to the functioning of risk management departments. Their annual strategies are merged with the strategies of the functional department to which the GRC head reports. For example, if the CAE is administratively reporting to the CFO, the finance department strategy swallows up the internal audit plan and strategy. This results in a lack of accountability at CEO and Board level. Hence, there is no focus on preparing an integrated risk management strategy for the company.

3.    Minimal organization focus on strategy development

Sometimes organizations do not have a strategy formation process. The “McKinsey 2010 Strategy Survey” results show that just 6.5% of the organizations have an effective strategy development process. Secondly, 20% of organizations view corporate strategy development as an aggregation of business unit strategies. Management does not make any exclusive effort to build a corporate strategy. In such scenarios, the risk management departments’ strategy is an accumulation of the individual balanced scorecards of department heads. Without the right strategy development culture, it is unlikely that GRC department heads have a formal dialogue with senior management to develop an integrated risk management strategy.

4.    Lack of knowledge on strategy formation

While it might sound unlikely that risk managers, the predictors of doom and gloom, do not know how to develop a strategy, it is a possibility worth exploring. It might appear to be an odd failing for people geared towards numbers, but one must take into account that most risk managers do not receive formal training on strategy formation. A second aspect to think about is that strategy is much more than numbers. A third aspect is that risk managers in their reports focus on dollops of operational and financial risks, but there is just a smattering of strategic risks. Hence, there is a high probability that they lack the skills to prepare a strategy.

5.    Outdated GRC departments

Many will raise their hands to say that GRC departments have more teeth after the financial crises. However, in my view some may still be navigating without a compass. Due to internal politics of the organization, GRC departments may work in silos and execute work with a checkbox mentality. The GRC department heads may put more boots on the ground to do better risk coverage rather than develop a risk management strategy. In such situations, GRC heads form blind spots due to poor prioritization of risks, lack of awareness of competitor skills and minimum awareness of new risk management approaches. Therefore, sometimes GRC departments are working with an outdated mindset and skills.

Closing thoughts

In my opinion risk managers cannot play the blame game, and raise a hue and cry over lack of visibility at CXO/Board level, if they are not focused enough to develop a risk management strategy. One cannot reach a destination without a roadmap, and minus a risk management strategy, risk managers are aimlessly conducting various activities. In this volatile business climate, strategic agility is a key competitive advantage. Hence, rather than be mentally resistant to sober analysis, risk managers need to do some introspection to assess the reasons constraining them from preparing a risk management strategy. Successful adoption of a risk management strategy will enable their organization to wade through this turbulent economy. To conclude:

“Strategy without tactics is the slowest route to victory. Tactics without strategy is the noise before defeat.” – Sun Tzu


2 comments on “Reasons For Failure To Prepare A Risk Management Strategy”

  1. Sonia, thanks for sharing these views. I would like to understand what you mean by a ‘risk management strategy’. At first, I thought it meant having a strategy for the risk management function. However, after reading your blog I think you may be referring to a corporate strategy that considers and manages related risks. Can you help with that?

    Also, you talk about GRC departments and again they seem only to include risk management. Is that correct?

    • Norman,

      Thanks for reading the blog post and sharing your thoughts.

      I think you have hit the nail on the head. We appear to have a lot of confusing nomenclature regarding risk management strategy. When we talk of strategic risk management, it could mean two things – “strategic risk” management or strategic “risk management”. In the first case we are talking about the business strategy risks and risk managers’ role in facilitating management in addressing business strategy related risks. In the second case – strategic “risk management” – we talk about addressing risk management functions strategically. Here, risk management functions would incorporate all GRC departments. For the purpose of ease of understanding I have mentioned a requirement for an integrated risk management strategy.

      If you look at the data provided in the post, risk managers are not doing a great job on both aspects. If you are looking for information on “strategic risk” management, I have written a number of posts on it. Just see it in the SRM category. Hope it helps.


