CHAPTER 1
Strategy and Risk: Two Sides of the Same Coin

Strategy and risk are two sides of the same coin. Both aspire to create profits in an uncertain future.1 The classic strategy question is: What business is the organization in? This starting point determines the organization's purpose, that is, what problem it is solving for its targeted market, and should make clear what inherent risks it will face. For example, if you are a detergent maker in 2020, it is important that your product not only cleans safely but also is environmentally friendly and childproof. Because a major goal of the firm is to create economic value, not just accounting profits, risk management with the calculation of economic capital is fundamental to the strategy process. Both strategy and risk management confront important cash flow, income statement, and balance sheet issues. Strategy and risk meet in pricing and capital because these are the two tools to deal with expected losses (ELs) and unexpected losses (ULs) arising from the risks that an organization takes in creating and claiming value.2 Because we will say more about economic capital later, for now, let us provide a simple definition. Economic capital is the capital required to support the economics of the business including the necessary infrastructure (critical assets for operations) and risks. This means if the unexpected happens, you have a reserve that enables you to survive for a length of time calculated by probability and market conditions. The higher the relative economic capital, the longer you are likely to stay in business. But the more challenging it is to achieve return on equity (ROE) or return on asset (ROA) goals, the higher the capital reserve you'll likely need.

However, it is important to realize that the firm's strategy, specifically the goals and the position created by the value proposition, is the starting point: it initiates the dialogue that leads to strategy formulation and implementation. In practical terms this means that the strategic processes determine what risks/uncertainty the firm must accept and manage. By manage we simply mean that the firm first identifies, then accepts, certain risks, mitigates others, and transfers others. In the strategy-risk-governance process shown in Figure 1.1, it is important to recognize the feedback loops linking strategy and risk. Strategy informs risk and, in turn, risk informs strategy.

FIGURE 1.1 The Strategy-Risk-Governance Process

Table 1.1 illustrates the similarities and complementarities among strategy, risk, and brand management. We decided to include brand management and culture because it helps to illustrate that management of risk involves the entire organization, as does brand management, and it is affected by the organization's culture. This is not to downplay the role of the C-Suite specialists, but rather to highlight that the specialists coordinate the activities of the entire organization to achieve the desired outcomes. This will be amplified in our later discussion of the three lines of defense model.3

If risk-taking is fundamental to business and profits, then it must be understood ex ante in order to deal with identifiable risks through pricing and contingency reserves (capital), and this requires that it be an essential part of the strategy formulation and execution process.5 Once one starts to probe the relationship between pricing and positioning in the classic Porter6 sense, as well as the role of capital in sustainable competitive advantage, it becomes obvious that risk identification and management is built into the DNA of strategy; the only question is whether it is explicit or implicit. Fundamental to our approach is to portray how the process of resource allocation basic to strategy, suggests the development of risk capacity as part of the implementation process. In order to avoid execution pitfalls, including mispricing, the creation of risk capacity must also predate strategic moves. We do accept that this capacity may take place in a dynamic context so that it may need further development as strategic plans unfold, but the essential components must be in place prior to the strategic move if the dialectic of strategy and risk is to be realized.

TABLE 1.1 Strategy, Risk Management, Brand, and Culture

It similarly follows that the risk capacity of the organization should be greater than its risk appetite, which should be greater than its risk tolerances and limits.7 A specific statement of risk appetite is the essential complement to the articulation of strategic goals. The risk appetite statement provides the authority to take risk and, importantly, helps to tell the organization what not to do-which is also fundamental to strategic positioning to avoid mission creep. This is important because mission creep can lead to a misalignment of the organization's aspirations and its ability to manage the associated risks. However, the mere statement of a risk appetite without having developed the organizational capability to understand, assess/measure, monitor, and report on the risks is meaningless. These resources include management time to determine whether the risk capacity is matched to the risk appetite aspirations. Similarly, performance must be evaluated against both the strategy and the risk limits.

The board delegates authority to the CEO to execute the board-approved strategy. Similarly, creating a clear risk appetite statement is critical for corporate governance because this is a key board-approved statement of authority for the CEO and organizational leadership. It needs to clearly articulate the risks the management is authorized to take. There have been many papers and texts on risk appetite frameworks since 2012 when the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released the discussion paper, "Enterprise Risk Management-Understanding and Communicating Risk Appetite."8 COSO made it clear that this was an important topic for all organizations. Financial institutions (FIs) implemented approaches based on the principles provided by the Financial Stability Board (FSB) released in 2013.9 This results in a great deal of commonality in the frameworks and advice. Key elements of risk appetite frameworks invariably include these elements:

• The concepts of risk capacity and appetite
• Governance requirements in terms of policies, authorities, principles, and ongoing monitoring and reporting
• Metrics, limits, and triggers linked to income and capital for approved risk-taking
• Management plans for risk incident responses
• Communication requirements to ensure all risk-takers are aware of the appetite and requirements

The FSB explicitly notes that "for the purpose of these Principles, the risk appetite framework does not include the processes to establish the strategy, develop the business plan, and the models and systems to measure and aggregate risks."10 However, increasingly, good risk appetite statements are capturing the integration with strategy and the business plan and begin with a statement such as "[The organization] will take risks only in support of executing its business...