Financial Markets

The Building Blocks of Risk Strategy

To develop an effective risk approach, a financial institution should align its risk appetite with its business strategy. But what specific steps can a firm take to execute this type of integration plan?

Friday, November 12, 2021

By Brenda Boultwood


Crises always reveal the true value of an adaptable, integrated approach to risk management. COVID-19 is no exception. Indeed, throughout the current pandemic, financial services firms have realized the benefits of establishing malleable risk levels that can be quickly recalibrated to suit fast-moving changes in the business environment.


The ability to meld enterprise risk management into the strategic planning process is a sure sign of a mature risk management organization. But this can only be achieved when a firm’s risk plan-of-action is aligned with its risk appetite and its initiatives-driven business strategy. To achieve this objective, a firm must understand the core concepts of business strategy, the purpose of strategic initiatives, and the steps necessary to build a risk/business bridge.

Business strategies can take a variety of forms, but they typically involve a core concept and some dreams – aka strategic initiatives (see diagram, below).


Figure 1 Core and Initiative Components of Business Strategy

Core strategy is typically about customers, product and operations - and can be connected largely to financial and operational risks. Often, it sounds generic. Large “Bank A,” for example, may say it’s committed to advancing sustainable solutions for its clients and within its operations. Large "Bank B," meanwhile, may say it seeks to execute well to ensure customer loyalty, while large "Bank C" may say its strategy supports an ambition of being the preferred international financial partner for its clients.

Banks, however, must also support these generic soundbites with some legitimate strategic initiatives (e.g., “address climate change” or “digitize offerings and dominate fintech”) that align capital, people and skills training. Each strategic initiative can be pursued organically or inorganically.

Strategic Initiatives: Planning and Risks

A bank’s strategic initiatives can be risk managed as projects. The major risks are timeline, budget and people - as well as legal, governance and customer-adoption threats that become more critical with time.

Let’s now take a quick look at each of the steps involved in developing these initiatives:

Step 1: Risk Appetite Agreement

The board of directors needs to agree with management's recommendation on the appropriate levels of risk to achieve the strategy.

Step 2: Management Alignment

In the simplest risk appetite approaches, the core strategy will be primarily tied to operational and financial risks, and will employ well-established risk methods for risk identification and risk measurement. 

Although risk appetite can get tricky when we factor in strategic initiatives, the best approach is to keep it simple and to explain it clearly, taking into account the firm’s budget, timeline, governance, and customer-adoption policies.

Each new initiative, of course, will lack a history, and we therefore cannot apply standard risk measures like metrics and risk control self-assessments. Instead, most often, you’ll need a detailed project plan to execute each initiative. In addition to weighing the risks of execution, this plan should also consider the risks of inaction.

Step 3: Stress Test

Naturally, we should stress test the risks in the core strategy and the execution of the strategic initiatives. But do not forget to run scenarios about the overall business environment to understand strategic impacts, which could include: changes in speculative asset prices (e.g., Bitcoin prices); the possible continuation of the pandemic; the likelihood of a rise in the U.S. debt ceiling; and transitory versus permanent inflation impacts.

Parting Thoughts

Aligning risk appetite with strategy will draw on standard risk management techniques, but this process must be fluid and frequently reassessed. With this setup, we’re halfway home to making risk appetite the most powerful tool in the CRO’s toolkit.

Governance, monitoring and action plan management are the remaining issues a firm would need to address to build a comprehensive ERM framework that lines up risk and business needs.

Brenda Boultwood is the Director of the Office of Risk Management at the International Monetary Fund. The views expressed in this article are her own and should not be attributed to IMF staff, Management or Executive Board.

She is the former senior vice president and chief risk officer at Constellation Energy, and has served as a board member at both the Committee of Chief Risk Officers (CCRO) and GARP. Currently, she serves on the board of directors at the Anne Arundel Workforce Development Corporation.

Earlier in her career, Boultwood was a senior vice president of industry solutions at MetricStream, where she was responsible for a portfolio of key industry verticals, including energy and utilities, federal agencies, strategic banking and financial services. She also previously worked as the global head of strategy, Alternative Investment Services, at JPMorgan Chase, where she developed the strategy for the company's hedge fund services, private equity fund services, leveraged loan services and global derivative services.


© 2023 Global Association of Risk Professionals