Companies can be analyzed in terms of the relative maturity of their risk management practices. This helps us understand how a company uses risk management to create value and develop its competitive advantage.
The PwC and the MIT Forum for Supply Chain Innovation released a study in 2013 that found, of 209 companies it surveyed, 39 percent have “advanced risk reduction” capabilities. The study, Making the Right Decisions to Strengthen Operations Performance, reported that companies with “mature” risk processes perform “operationally and financially better” than the remaining 61 percent which “pay only marginal attention to risk reduction processes.”
That companies with relatively mature risk management capabilities might outperform those with less mature processes is unsurprising. Effective strategic risk management creates value through the set of activities that define a corporation’s value chain and its competitive advantage. Differences in these activities can help us analyze a company’s risk maturity level, which can vary widely from company to company.
MIT Study Number 1
The PwC/MIT study offers a useful method for identifying the four levels of maturity in risk management processes. The least mature risk management processes are ad hoc – static and inflexible, without risk governance and reactive rather than proactive. In the next level, a company begins to align value creation activities through planning combined with basic risk governance, but it has little or no understanding of risks outside the company.
The next step up the ladder is the proactive level, characterized by the analysis of the outside environment, the use of quantitative risk management methods and the anticipation of emerging risks. Finally, the most mature risk management processes use sophisticated strategic risk management – formal risk governance, full alignment of value creating risk activities and real time monitoring and analysis of risk. Mature firms take a fully flexible approach to risk management.
The quality of risk management can also vary across business divisions of a particular company. Before the 2010 Deepwater Horizon disaster in the Gulf of Mexico, BP’s operational risk management practices seem to have lagged behind its risk management efforts in energy trading. This can result from an inconsistent and underdeveloped risk management culture within a company. An immature culture diminishes risk management’s contribution to value creation, the value chain and competitive advantage, when it does not lead to outright catastrophe.
MIT Study Number 2
Another MIT study from 2013 echoes this idea of risk maturity. Uncertainty and Risk in Global Supply Chains by Donald Lessard found that companies with “1) the greatest knowledge about (risks), the greatest ability to mitigate or shape them, and 3) the greatest ability to withstand (their) residual impacts” can create “a form of comparative advantage” by taking on those risks. These three characteristics are consistent with the PwC/MIT study’s definition of the more mature risk processes that improve corporate performance. Furthermore, Lessard’s paper links maturity level to value creation and strategic advantage.
If we look at these ideas of risk maturity, value creation, the value chain and competitive advantage from the perspective of a strategic analysis, risk processes are factors internal to the company. It is clear that relatively mature risk processes constitute a strength, while less mature processes represent a weakness. Less mature risk processes don’t take into account external risks (or Threats, in the language of SWOT: Strengths, Weaknesses, Opportunities, Threats), and so cannot be employed effectively against a company’s external factors. More mature risk processes can be aligned against external Opportunities and Threats, which means they can create value for the firm. Once again, risk management is at the heart of strategy.
A SWOT matrix (below) helps illustrate the relationship between risk management and strategy.
By definition, strategies result from the combination of internal and external factors (for example, a strength meeting an opportunity, or a weakness crossed with a threat). Risk management is unusual in that is both a factor and a strategy. In broad terms, a company’s competitive advantage involves deploying its strengths for two purposes: to exploit opportunities (SO strategies) and to defend against risks (ST strategies). If effective, both offensive (SO) and defensive (ST) strategies can create value.
When a company possesses a mature risk process (an internal factor), it can develop strategies to use it in pursuit of opportunities or to defend against threats (both external factors). For example, a firm with good quantitative risk methods might use them in strategies designed to ameliorate market volatility. Or it could use its capabilities in managing supply chain risk to develop strategies to reduce logistical costs or rationalize its supply functions. Relatively mature risk management processes constitute competitive advantage.
Companies with relatively immature risk processes are at a competitive disadvantage. Their processes are weak to begin with, and they are unaware of the external opportunities or threats that might be used to create value through risk management. Their disadvantage in value creation is evident. You might even say their competitive disadvantage represents an opportunity for a better-positioned competitor, which could employ its more mature risk processes strategically to create value at the expense of the weaker competitor.