If we accept the idea that risk management is part of a corporation’s competitive advantage, and thus part of its value chain, important implications follow. Key among them is Enterprise Risk Management.
Thirty years ago, Michael E. Porter of Harvard University published two books: Competitive Strategy: Techniques for Analyzing Industries and Competitors (1980), and Competitive Advantage: Creating and Sustaining Superior Performance (1985). In them, he lays out his thinking about competitive advantage and the value chain.
In the 1998 edition of Competitive Advantage, Porter explains that competitive advantage “shows how all advantage can be connected to specific activities and the way activities relate to each other…. Strategy is … the particular configuration of activities a firm adopts compared to its rivals.” He goes on to introduce the concept of the value chain, “a basic tool for diagnosing competitive advantage and finding ways to create and sustain it… The value chain,” he continues, “focuses on how these activities create value and what determines their cost.”
Porter makes little mention of risk management in his writings about strategy. A Google Books Ngram Viewer search for “risk management” and “competitive advantage” shows both phrases were lightly used in 1980. Risk management as a strategic concept just was not on Porter’s radar. It is interesting that the frequency of usage for both phrases tracked closely until 1997, then began to diverge.
When you include “strategy” in the Ngram Viewer search, things become even more interesting. Popular usage of “strategy” dwarfs “risk management” and “competitive advantage” by a factor of at least 10,000.
Though far from scientific, the second Ngram chart is an effective illustration of the scale of the chasm separating risk management from strategy in the practice of many business leaders and in the minds of many business thinkers.
I argued in a previous post that risk management is properly considered a significant contributor to competitive advantage and the corporate value chain. Putting the case in Porter’s terms, risk management is a specific corporate activity that relates to other activities and is part of the configuration of activities a particular corporation adopts. As such, risk management helps define the corporation’s ability to create value and determine its costs. In this light, it is not difficult to imagine the strategic importance of risk management and its contributions to competitive advantage and the value chain.
Porter’s value chain describes the activities a company engages in and divides them into two broad categories: primary activities (those involving the physical creation, sale, and service of the product) and support activities (those functions constituting the company’s infrastructure). Risk management is distinctive because it interacts with and influences both primary and support activities. Risk management overlays the four support activities and spans the five primary activities, as illustrated below.
The four support activities are corporate infrastructure – including finance and treasury – human resources, technology, and procurement. Each is involved in developing and defining strategic risk management. Risk management returns the favor by helping shape and define the four support activities. Likewise, the nature of the primary activities – the inbound supply chain, operations and production, the outbound supply chain, marketing and sales, and after-sales service – help determine the risk management strategies required, while risk management shapes the execution of the activities themselves.
Risk management is a strategic concern for any corporation. The influence risk management has on shaping the configuration and execution of activities defining the company’s value chain demonstrates risk management’s role in the firm’s competitive advantage.
It should be evident that there is a distinct benefit to corporations ensuring that few, if any, activities are beyond the purview of risk management. This benefit accrues through the enhancements risk management provides to value creation and their competitive advantage. It is not enough to think value is created by talking about risk management in a strategic context, as some business consultancies suggest. Risk management creates value as part of the strategic context through competitive advantage and the value chain.
Viewed in this all-encompassing context, what we are really talking about is Enterprise Risk Management (ERM). The more specific concepts of risk management we encounter in the corporate world – financial, operational, supply chain, business, insurance, and so on – are important subtexts to the larger story. When we speak of risk management in terms of its influence on all corporate activities and their ability to enhance value creation, we cross into the realm of ERM, where C-suite executive and boards of directors are responsible.
If we have learned anything from the Great Recession it is, to paraphrase Clemenceau, that risk management is too important to leave to the quants. ERM is shaped, and its effects limited by, corporate culture.
A corporate risk management culture is necessary for an effective ERM. All corporate culture begins at the top of the organization, with chief officers and the board. If risk management is to fulfill its strategic role, that is to permeate all primary and support activities that define the organization and enhance its competitive advantage, the direction must come from the highest levels.
It is not necessary for every company to have a chief risk officer, but someone at the top must be accountable for risk management activities throughout the organization. The Board must be educated in risk management issues pertinent to the particular industry (see Porter’s Five Forces Model), and a risk committee, composed of officers, staff, and directors, needs to write up a guiding set of risk policies and make sure they are implemented and modified as necessary.
Most importantly, all employees and staff up and down the corporate structure must understand that risk management is part of their job descriptions and that they must help manage the risks they encounter as part of their work. It cannot be otherwise, since all employees, from top to bottom, have some responsibility for competitive advantage.
