Risk management with strategy

The codes of our neighbouring countries include a broader approach. In Germany and Austria, the risk situation and risk management are mentioned in connection with strategy, planning and business development. The Management Board is supposed to respond to deviations in the course of business from the established plans and targets by stating the reasons for such deviations. The latest version of the ISO9001:2015 quality standard takes this aspect into account to some extent.

The application of risk management in strategic management is particularly interesting, because here - unlike in operational management - threats are also faced with opportunities. The challenge is to weigh these up against each other. First, some considerations on strategic management will follow. Then, decision-making with risk appetite and risk perception will be illuminated.

Risk management as a management task
If we look at the common risk definitions of ISO 31000 or ONR 49000, where risk is defined as "the impact of uncertainty on objectives, activities and requirements", it becomes clear that risk management has a strategic, operational and also compliance-relevant dimension.

Strategic management has the task of adapting an organization to the changes in its environment. Today, people perceive changes and the associated uncertainties much more clearly than they did a few years ago. Therefore, there are also different views in strategic management:

• Ansoff's traditional approach assumes a proactive understanding of strategic leadership that is planned for the long term and characterized by rational decision-making and action.
• Ansoff's traditional approach assumes a proactive understanding of strategic leadership that is planned for the long term and characterized by rational decision-making and action.
• Mintzberg's critical approach to strategic management states that successful strategies are rarely the result of rational, deliberate planning. Rather, unplanned, surprisingly unfolding strategies would prove to be successful.

Mintzberg's critical approach gives special importance to uncertainty and emphasizes the ability to deal with it through learning, flexibility and creativity. The connection to risk management is established: It becomes all the more important in the development and implementation of corporate strategies the greater the uncertainties of information, assumptions and framework conditions.

How does decision-making in strategic management come about? It is well known that risk is the generic term for opportunity and threat and it is a question of finding the best way between the two poles. It is also known by the common term "risk appetite".

The theory of "risk appetite
The term "risk appetite" is very popular in the Anglo-Saxon world. However, it often leads to more questions than answers: "The definition of risk appetite is about determining the total accepted entrepreneurial risk. At its heart is the question of how much risk a company is willing to take in order to take the opportunities that come with it." That's clear in theory. How do you determine and measure risk appetite? Superficially, it is a matter of purely technical issues, specifically "total risk " and not just one or more individual risks.

The solution is risk aggregation with Monte Carlo simulation. Quantiles can be chosen, e.g. for the threats 80 %, 90 %, 99 % or for the chances 20 %, 10 %, 1 % etc.. One speaks of the "Value at Risk" and means with it the value, which is not exceeded or fallen below with a certain, small probability. The value determined for the risk of loss (threats) is then compared with the available equity of an organisation. Conclusions can be drawn about the risk capacity of the organisation.

The practice of "risk appetite
In reality, quantitative models are not used much. This is due to various reasons: In the management of strategic risks, there is generally no statistical basis.In the management of strategic risks, there is usually a lack of statistical foundations, which are (tacitly) assumed for the functioning and reliability of such models. If numerical data facts are missing, simulation results can be manipulated. This is a shortcoming. It can be put into perspective with consensus-based expert estimates.

The bigger problem with risk appetite in corporate strategy is probably more to do with risk perception. The more ambitious the strategic goals are, the more quickly the risks taken are overshadowed. The commitment of top management to an ambitious strategy quickly dwarfs risk communication and leads to a high risk appetite. The following examples can illustrate this:

Decline of Swissair (2002): Switzerland's national airline intended to build up its own alliance under Swissair's leadership by implementing the so-called "Hun-ter strategy". The core element of this strategy was to consolidate the alliance through financial investments. However, rather unprofitable investment partners were available on the market. The acquisitions of the holdings led to considerable losses, which ultimately led to insolvency. Swissair's management was aware at the time that the chosen strategy was risky. The dangers and difficulties of taking over ailing airlines were underestimated. The once respected airline ended in insolvency.

Volkswagen diesel scandal (2015): The Japanese car manufacturer Toyota was able to gain significant market share in the USA with the technology of hybrid vehicles (Toyota Prius). The German VW Group did not have the corresponding technology at the time. VW therefore intended to expand its market position in the USA with the "Clean Diesel". For reasons that have not yet been fully clarified, the technicians manipulated the exhaust emission values, which remained undiscovered for a long time. Volkswagen's internal audit report mentioned this breach of the law as early as 2011, but management did not react because this risk might have called the entire strategy into question. But in 2015 the manipulations came to light.

In such cases, the risks were suppressed and the risk analyses were hardly carried out. The great "risk appetite" has much to do with the fact that the strategic goals were dominant and therefore prioritized. The timely analysis and control of risks was missed. In many cases, the deeper cause may also have been that in these companies and at the highest hierarchical level, it was not permitted to talk about the risks that were in themselves easily recognizable. Authoritarian leadership stifled the risk discussion. An open risk culture was not desired or allowed.

Risk perception and risk culture
The concept of risk appetite in strategic management proves to be difficult to operationalize and unreliable. It must be supplemented with further criteria such as risk perception, risk communication and an open risk culture. One possible approach to consolidating an open risk culture in strategic management is the increasing discussion of compliance and ethics. The company must take into account the social expectations of its business activities. Misconduct leads to mistrust and reputational risks. Risk management must be supplemented by such metrics, so that strategic decisions can take into account the
relevant criteria.