Which comes first: strategy or risk? Is strategy the result of identifying opportunities and risks, how you optimize the balance of risk and reward? Or, do you set strategy based – in part – on risk-related information – so risk is an input to the strategy-setting and management process?

This seems to be a continuing discussion. I first had this come up in conversations with highly respected risk practitioners, who felt that governance in general was a subset of risk management: including not just the setting of strategy, but oversight of management as they deliver value to the stakeholders. It came up again last week in an email dialogue (initiated by one of my blogs) with an experienced chief audit executive.

There is definitely a critical relationship between risk and strategy:

1. The processes of setting strategy and managing performance need risk information if they are to be effective.
2. The more critical risks to manage are those relating to the achievement of organizational strategies, goals, and objectives.
3. When risk levels change, consideration should be given to changing strategy.

The case for risk coming first is interesting but, for me, not convincing. Certainly, one can say (and people I respect do say) that the risk management program provides the information from which strategy is determined. But I have issues, all of which are rooted in the ISO 31000:2009 standard:

1. ISO defines risk as the “effect of uncertainty on objectives”, with a critical clarification in Note 1: “an effect is a deviation from the expected – positive and/or negative”. I contend that the ‘expected’ referenced in the definition is what is projected and expected in the strategy.
2. In the Introduction to ISO 31000:2009, two of the benefits of risk management are that it “increase(s) the likelihood of achieving objectives”, and “establish(es) a reliable basis for decision making and planning”.
3. Note 3 to the definition of a risk management framework says: “the risk management framework is embedded within the organization’s overall strategic and operational policies and practices”. This is repeated in section 4.3.4.
4. Section 4.3.1 of the standard asks the user to understand the (external and) internal context of the organization before starting the design and implementation of the risk framework. One of the elements of the internal context (which clearly precedes and is external to the risk framework) is “policies, objectives, and the strategies that are in place to achieve them.”
5. The final nail in the coffin of the argument that strategy-setting is included in risk management is the fact that the process for setting strategy is not part of the ISO standard’s process.

So, my conclusion is that the organization sets strategy, and risk management is embedded within both the strategy-setting process and the process for managing performance against the strategies. Risk management is about identifying and enabling the management of risks that might affect the achievement of organizational goals and strategies.

Do you agree? Chicken or egg?

By the way, if you are interested in my posts, please consider following me on Twitter at http://twitter.com/normanmarks