Interest in strategic risk management is increasing, but obstacles remain at many organizations to successfully implement the approach to managing risks. Among the challenges are the lack of defined risk appetites at many companies, poor internal communications, and a perception of risk that doesn't consider potential positive and negative outcomes.

“I think there's definitely a lot of interest, and I think risk professionals are definitely moving in that direction,” said Carol A. Fox, director of the strategic and enterprise risk practice for the Risk & Insurance Management Society Inc. in New York.

As with any new discipline, Ms. Fox said there are “early adopters” of strategic risk management, commonly defined as identifying, assessing and managing the risk in an organization's business strategy. Others move more slowly.

Much of the interest in taking this approach to risk management is driven by company boards, Ms. Fox said.

“In our discussions, the boards are very interested in this area,” she said, and are looking to their organizations' risk professionals to move the concept forward.

Linda Conrad, director of strategic business risk, Zurich Global Corporate at Zurich Insurance Co. Ltd. in New York, sees similar drivers for much of the increased interest in strategic risk management.

“We're seeing a lot of focus and pressure and requests from the board and C-suite to have a greater level of certainty and assurance, and making sure all of these risks are on the table and they won't be surprised by anything,” Ms. Conrad said.

Among the reasons for the boards' interest in strategic risk management are pressures by regulators and rating agencies.

%%BREAK%%

However, “regulatory and compliance are some of the impetus behind it, but to my mind if we leave it there it's kind of a shame,” Ms. Conrad said. Instead, she said strategic risk management should be used to help organizations better embrace opportunities. “For me it's about turning risk into results,” she said.

For many organizations, the reasons for adopting strategic risk management are similar to those that prompted them to adopt enterprise risk management, said Damon Levine, vice president of enterprise risk management at Assurant Inc. in New York.

“Some of the reasons would be similar to the idea behind ERM. It's not enough to look at things on a stand-alone basis,” Mr. Levine said. “You want to have an understanding of your risk/reward profile in the aggregate. You want to be aware of how concentrations might grow.”

Often, though, organizations “just focus on risks that move the needle on an enterprise level” and adopt enterprise risk management, Mr. Levine said.

It's possible, however, that while individual risks might not have an enterprisewide effect by themselves, many of them together — including the failure to meet a number of individual objectives — could have an effect on an organization's ability to meet its strategic goals, Mr. Levine said.

“Our general view on this is that we do see an increased adoption of SRM/ERM approaches,” said Eric Jones, manager of FM Global's business risk consulting group in Dallas. “The thing that we see, though, is that there are still a lot of flaws out there involving a lack of robust processes around this.”

In many cases, organizations still lack a good definition of their risk appetite, and it's difficult to make good decisions about acceptable levels of risk without such a definition, Mr. Jones said.

Not understanding the how some risks or events are interrelated is another problem, he said.

“Also, I think there's a failure to identify certain types of risks,” Mr. Jones said. And organizations often fail to understand worst-case scenarios, he said.

%%BREAK%%

Meanwhile, poor internal communications and silo mentalities coupled with a focus on protecting rather than sharing data limits many organizations' chances for success with strategic risk management, Mr. Jones said.

“The companies that we see that are the best at managing risk are the ones that share data across the company,” he said.

Ms. Fox said that how organizations perceive risk often is an obstacle to adopting strategic risk management. “I think the biggest challenge for many organizations is the perception of risk,” she said. “In many settings, people think about risk as loss.”

It's up to RIMS and others to lead the conversation about risk being neutral, with both potential upsides and downsides, Ms. Fox said, adding that it takes time for companies to develop that mindset.

An organization's risk culture can be another obstacle, Mr. Levine said.

“Buy-in is sometimes difficult to attain depending on the risk culture,” he said. In some organizations applying risk management to strategic decision-making could be construed as “just holding us back,” he said.

A mindset of estimating outcomes on a single-point basis also can hinder adoption of strategic risk management, Mr. Levine said. A single number “is of little use from a risk management standpoint,” he said. Instead, what's wanted is a range of possible outcomes to allow considering the upside and downside of risk.

Organizations that successfully implement strategic risk management enhance their chances of meeting their strategic objectives and their ability to recognize and capitalize on opportunities, experts say.

“Putting the focus on strategic risk management allows us to go more on the opportunity side,” Ms. Conrad said. “Risk can be managed as an opportunity as well as mitigating the downside of risk.”