By Kerrin Anderson, Lewis Atkinson, and Valerie MacLeod
 
Managing risk is critical to an organization’s ability to achieve its objectives. Deloitte Research (2012) compared the relative contribution of different types of risk to observed business underperformance.
 
They found that 75% of underperformance comes from failure to consider how strategic risks may result in unanticipated outcomes. Unfortunately, traditional approaches to risk management fail to adequately manage interdependent risks because of the heavy emphasis on operational compliance. The myopic perspectives of individual business units obscure the way different risks can interact and how strategy selection can amplify their impact on organizational goals – for good or bad. The objective of this article is to propose an outside-in cascading approach that integrates risk considerations into strategy selection. In the context of this article, a strategy can be defined as a course of action taken to attain one or more strategic objectives (Hadaya et al, 2024).
 
Risk and Risk Management: An Overview
The Oxford Dictionary defines risk as a situation that involves exposure to danger. This definition applies well in the safety engineering field and in traditional risk management, where risk is a known threat with predictable probabilities of occurrence. However, new definitions of risk focus on uncertainties and their impact on an organization’s ability to achieve its objectives. For example, Warren Buffett famously said, “Risk comes from not knowing what you’re doing.” This implies a willful state of ignorance of the organizational context and operating environment, leading to sub-optimal strategic positioning and blind spots.
 
The Committee of Sponsoring Organizations of the Treadway Commission’s (COSO) Enterprise Risk Management (ERM) framework adopts the new definition of risk not solely focused on events that could cause loss for the organization but also on potential opportunities that may arise from the risk. The new definition focuses on any uncertainty that could have an effect, whether positive or negative, on the organization’s ability to achieve its objectives. 
 
There are numerous classifications of risks in the literature depending on industry and application (Kaplan and Mikes, 2012). Particularly relevant is the one proposed by Deloitte Research (2005) with four broad risk categories which are adapted from the COSO framework:
• External risks: Emerging from the ecosystem within which the organization operates over which it has little or no agency, such as an industry crisis, political or economic issues, terrorist acts, and public health crises.
• Strategic risks: External to the organization over which it has agency, such as demand shortfalls or failures to address competitor moves.
• Corporate risks: Internal across the whole of the organization, such as high debt, poor financial management, and trading losses. 
• Operational risks: Internal to the organization at a business unit level, such as cost overruns, failures in internal controls, and personnel management failures.
In addition to COSO’s ERM, there are several approaches in the literature (Orellano and Gourc, 2025). These traditional risk management approaches usually encompass the following steps:
• Risk Identification: Registering all potential risks that could impact the organization, whether operational, financial, technological, reputational, or otherwise.
• Risk Analysis: Analysing the likelihood and potential impact of each identified risk.
• Risk Evaluation/Prioritisation: Evaluating and prioritising risks to allow focused resource allocation.
• Risk Treatment: Developing and implementing courses of actions to address the identified risks, including avoidance, mitigation, transfer or acceptance of the risk.
• Risk Monitoring: The ongoing process of tracking the effectiveness of risk management measures, identifying new risks, and adjusting strategies as needed.
 
Despite all their strengths, those approaches have certain limitations and/or are insufficiently comprehensive, including (Deloitte, 2015):
• Risk interactions either not identified or only in a limited way.
• Lack of clarity between board and management regarding risk appetite and management.
• Different parts of the organization defining and reporting risk in different ways, leading to poor coordination.
• Strategy selection made without conscious risk consideration, so that the chosen strategies fall outside the organization’s risk profile.
 
The Outside-In Cascading Risk Management Approach 
To address these limitations and properly integrate risk into strategy selection, we propose the outside-in cascading approach. This approach is designed to ensure the:
• Alignment of risk profile with the organization’s vision, mission, and objectives.
• Measurement and tracking of key risk indicators and the early warning of the impact of risk events.
• Clarity in assessing, managing, reporting, monitoring, and reviewing impact of the risk in strategy selection.
• Provision of a process to support the creation of a risk aware culture throughout the organization.
 
Shown in Figure 1, this approach has six steps, each cascading from the outside-in to develop a risk management process fit-for-purpose for achieving an organization’s strategic objectives. It provides management with guidance for strategy selection to remain within the risk profile of the organization. By providing this explicit guidance on acceptable risk limits, it is also an effective way for the board to mitigate moral hazard (Rowell et al., 2012). The following paragraphs describe each cascading step by stating its objective, activities involved, the tools that are of use, and its link to strategy selection.
 
Risk Context Analysis
The objective of this step is to look outside the business to identify any future trends that may impact the achievement of organizational objectives. The changes in trends should be monitored and reported by the Executive team to the board after collaborating on four activities: 
1. Scanning the external environment to identify future trends and industry shifts on a quarterly basis.
2. Reviewing any emerging trends and assessing their implications for achieving organizational vision, mission, and objectives.
3. Determining if changes are necessary to the organizational vision, mission, and objectives, and reviewing any recommended additions to the register of key strategic risks (external uncertainties that impact an organization’s ability to achieve its goals).
4. Approving strategic risk indicators: the events the board wants to be told about, which management must monitor, reporting any significant changes.
 
Any external environmental scanning tool can be used to identify industry shifts and emerging trends; those trends are then validated with adaptive action questions such as “What? So What? Now What?”
 
[Figure: screenshot image not reproduced in the text]
 
Risk context analysis hence reveals adjustments to goals or strategies needed to ensure the organization adapts early to emerging threats and opportunities.
 
Risk Tolerance Establishment
The objective of this step is to define the tolerance of the organization to overall risk in pursuit of its objectives. Figure 2 illustrates the notional “sweet spot” for the trade-off between optimal strategic risk-taking in return for maximizing organizational value (by either mitigating loss or creating gain). Establishing risk tolerance involves three activities conducted by the board: 
1. Identify the key strategic, operating, and corporate risk areas for each strategic objective.
2. Estimate the limits of acceptance to judge whether chosen strategies expose the organization to either “insufficient” or “excessive” risk-taking in pursuit of these goals.
3. Review the combined risk limits across all objectives to ensure that the overall risk to the organization is acceptable.
The SMART tool can be used for setting measurable goals. In turn, a grid can be used to visualize the interrelationships between goals, vision, and mission (Haines, 2007). Finally, to decide how much risk to assume in pursuit of each goal, use a combination of force field analysis and triple loop learning by asking “What is right for us?” (Atkinson et al., 2023).
In establishing these risk tolerances, the board explicitly defines the acceptable amount of organizational value it is willing to put at risk in pursuit of goal achievement, such that management can calibrate its strategy selection to fall within the range deemed acceptable.
 
Risk Profile Determination
The objective of this step is to establish clearly defined risk assessment parameters such as key risk criteria (standards or benchmarks that define the acceptable level of risk) for each key operational and corporate risk area (key organizational risks). It involves four activities conducted by the board:
1. Define a risk consequence table by describing the potential impact that results from a materialized risk.
2. Define a risk likelihood table by estimating occurrence – unlikely, moderate, likely, and almost certain.
3. Combine consequence and likelihood to create a risk matrix (visual representation of risk profile) to give clear meanings for what constitutes “low,” “medium,” “high”, and “extreme” risk.
4. For each key risk area, assess if the risk level is ‘high’ or ‘extreme’ or outside the organization’s risk appetite such that it requires board review and on-going monitoring by management.
 
A set of common risk management tools can be customized to set the risk profile of the organization: Risk Consequence Rating Table, Risk Likelihood Rating Table, Risk Matrix Heat Maps, and Risk Matrix Rating Table.
 
Determining the risk profile provides a shared understanding of risk parameters and allows management to meaningfully assess strategy selection in the context of risk appetite statements and key risk indicators, to judge whether a strategy is acceptable or requires changes to fit within the risk profile.
 
Risk Appetite Setting
The objective of this step is to set parameters around the level of organizational risks that can be assumed in pursuit of objectives. This step involves four activities conducted by management:
1. Identify the key organizational risk areas.
2. Establish a risk appetite statement for each area by considering “How much risk are we willing to assume in this area?” Articulate this using the risk profile established by the board.
3. Identify critical events or indicators (key organizational risk indicators) to be monitored to ensure the organization remains within the limits of its risk appetite in each risk area.
4. Seek board approval for the appetite statements and indicators.
 
It is good to use simple statements without weasel words (open to interpretation). They clearly define the willingness to assume risk and support consistency in risk management across the organization. For example, a statement may take the form “In key organizational risk area X, the organization has a (low, medium, high) risk appetite in…”, with a matching indicator of the form “Any strategy that puts the organization X% (above or below)… (a particular risk threshold limit).”
When a risk appetite statement is meaningful and clear, management can determine with relative certainty whether the strategy chosen or under consideration falls within the organization’s risk profile.
 
Strategy Risk Analysis 
The objective of this step is to ensure that the strategies selected in pursuit of organizational objectives fit within the risk appetite and risk tolerance of the organization. It involves four activities done at a business-unit level:
1. Identify potential strategies for achieving each objective.
2. Highlight the major threats and benefits of each strategy and mitigating factors.
3. Find a balance between potential threats and benefits to select the most appropriate strategies. 
4. For each objective, assess whether the combined impact of all the strategies selected falls within the risk appetite and risk tolerance of the organization.
 
Customized Ansoff’s and MacMillan’s matrices, along with SWOT analysis, are appropriate tools to use during these activities.
With clearly defined risk appetite and risk tolerance, business units can consciously consider how the strategies they choose link to the type of risks relevant to the goal they are contributing to and manage their consequences.  
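The three steps above (risk profile determination, risk appetite setting, and strategy risk analysis) can be made concrete in a small model. The following is an added example, not code from the article or from the Haines Centre: it encodes a likelihood table using the article’s four bands, an assumed five-point consequence table, an assumed calibration of the risk matrix into “low”, “medium”, “high” and “extreme”, per-area appetite statements, and a per-objective tolerance given as a (minimum, maximum) rating so that insufficient as well as excessive risk-taking is flagged. The risk areas, appetite levels, strategies and exposure estimates are constructed sample data; a board would substitute its own tables.

```python
# Added example (not from the article): a model of the risk profile, appetite
# statements and strategy risk analysis steps. The consequence scale, matrix
# bands, appetite levels and strategies are constructed assumptions.
from dataclasses import dataclass
from enum import IntEnum


class Likelihood(IntEnum):
    """Likelihood table using the article's four bands."""
    UNLIKELY = 1
    MODERATE = 2
    LIKELY = 3
    ALMOST_CERTAIN = 4


class Consequence(IntEnum):
    """Consequence table (assumed five-point scale)."""
    INSIGNIFICANT = 1
    MINOR = 2
    MODERATE = 3
    MAJOR = 4
    SEVERE = 5


RATINGS = ["low", "medium", "high", "extreme"]  # ordered, lowest first
BOARD_REVIEW = {"high", "extreme"}  # ratings that trigger board review (step 4)


def rate(likelihood: Likelihood, consequence: Consequence) -> str:
    """Risk matrix: combine likelihood and consequence into one rating.
    The score bands are an assumed calibration, not the article's."""
    score = int(likelihood) * int(consequence)  # 1..20
    if score <= 3:
        return "low"
    if score <= 8:
        return "medium"
    if score <= 14:
        return "high"
    return "extreme"


@dataclass
class Strategy:
    name: str
    objective: str
    # key organizational risk area -> (likelihood, consequence) estimate
    exposures: dict


def assess_strategy(strategy: Strategy, appetite: dict) -> dict:
    """Rate each risk area of a strategy against the appetite statement for
    that area. Returns area -> (rating, within_appetite, needs_board_review)."""
    result = {}
    for area, (lik, con) in strategy.exposures.items():
        rating = rate(lik, con)
        within = RATINGS.index(rating) <= RATINGS.index(appetite[area])
        result[area] = (rating, within, rating in BOARD_REVIEW)
    return result


def assess_objective(strategies, appetite: dict, tolerance: tuple) -> dict:
    """Combine the strategies chosen for one objective and check the overall
    exposure against the board's tolerance, given as (minimum, maximum)
    rating, so that both insufficient and excessive risk-taking are flagged."""
    low, high = tolerance
    worst = "low"
    outside_appetite = []
    for s in strategies:
        for area, (rating, within, _) in assess_strategy(s, appetite).items():
            if not within:
                outside_appetite.append((s.name, area, rating))
            if RATINGS.index(rating) > RATINGS.index(worst):
                worst = rating
    return {
        "worst_rating": worst,
        "excessive": RATINGS.index(worst) > RATINGS.index(high),
        "insufficient": RATINGS.index(worst) < RATINGS.index(low),
        "outside_appetite": outside_appetite,
    }


# Constructed sample data: appetite per risk area, tolerance per objective.
APPETITE = {"financial": "medium", "reputational": "low", "technology": "high"}
TOLERANCE = {"grow_services": ("medium", "high")}

STRATEGIES = [
    Strategy("open second site", "grow_services",
             {"financial": (Likelihood.LIKELY, Consequence.MODERATE),
              "reputational": (Likelihood.UNLIKELY, Consequence.MINOR)}),
    Strategy("new case-management system", "grow_services",
             {"technology": (Likelihood.MODERATE, Consequence.MAJOR),
              "financial": (Likelihood.UNLIKELY, Consequence.MODERATE)}),
]


if __name__ == "__main__":
    chosen = [s for s in STRATEGIES if s.objective == "grow_services"]
    for s in chosen:
        print(s.name, assess_strategy(s, APPETITE))
    print(assess_objective(chosen, APPETITE, TOLERANCE["grow_services"]))
```

Run as a script, the report shows the first strategy’s financial exposure rated “high”, which sits outside the “medium” financial appetite and so goes back to the business unit for mitigation or to the board for approval, while the objective as a whole stays inside its (medium, high) tolerance. Expressing the tolerance as a range is what lets the model also report an objective whose chosen strategies are all rated below the minimum, the “insufficient” risk-taking the article warns about.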
 
Operational Risk Management
The objective of this step is to integrate risk management processes into strategy implementation. This step requires four activities to be conducted by management:
1. Negotiate risk management KPIs to cascade down all levels of the organization.
2. Monitor and report key risk areas and associated indicators to adapt operations or strategies as required.
3. Update the key risk indicator report (to monitor key indicators of emerging risks) and risk status report (to report current level of risks against risk appetite and risk tolerance) to highlight any potential or actual variations outside the limits for any particular objectives.
4. Seek board approval of these reports and for any recommended changes to objectives and/or to pursue strategies outside the parameters set by the board.
 
These activities can be supported by corporate governance templates and tools that are customized to generate a risk management policy and procedure for the organization. These documents make reference to the set of common risk management tools listed above, which are critical and intrinsic to the full implementation of the policy, buttressed by risk appetite statements and key risk indicators.
 
The outside-in cascading risk management approach was successfully implemented by Micah Projects Limited (MPL), a non-profit, non-faith-based, specialist homelessness services provider working under contract to government. While preparing its 2020 strategic plan, the board identified a need to review and consider the organization’s risk management framework and its risk appetite. The board led the development of a risk management policy and procedure which allowed management to choose strategies that fell within its risk profile (Table 1).
 
Conclusion
We have demonstrated an outside-in cascading approach that integrates risk considerations into strategy selection and implementation. In the future, we hope to investigate how AI can complement external environmental scanning tools to help make early identification of unanticipated risk interdependencies and model how strategy selection can amplify their impact on goals – for good or bad.  
 
References
Atkinson, L., and Collins, B. (2023) Is This Strategy Working?: The Essential Guide to Strategy Development, Evaluation, and Goal Achievement. Systems Thinking Press.
Deloitte Research (2012) The Value Killers Revisited: A Risk Management Study.
Deloitte Research (2005) Disarming the Value Killers: A Risk Management Study.
Deloitte (2015) The Risk Intelligent Enterprise™: ERM Done Right.
Hadaya, P., Stockmal, J., et al. (2023) IASPBOK 3.0: Guide to Strategy Management Body of Knowledge. International Association for Strategy Professionals.
Haines, S. G. (2007) Strategic Planning Simplified: The Systems Thinking Approach to Building High Performance Teams and Organizations. Systems Thinking Press.
Kaplan, R. S., and Mikes, A. (2012) Managing Risks: A New Framework. Harvard Business Review, 90(6).
Orellano, M., and Gourc, D. (2025) What Typology of Risks and Methods for Risk Management in Innovation Projects? A Systematic Literature Review. International Journal of Innovation Studies, 9(1). 
Rowell, D. and Connelly, L. B. (2012) A History of the Term “Moral Hazard.” Journal of Risk and Insurance, 79(4). 
 
 
ABOUT THE AUTHORS
Kerrin Anderson, Dr. Lewis Atkinson, and Valerie MacLeod are Global Directors at The Haines Centre for Strategic Management trading as The Systems Thinking Approach®. 