
Journal of Contemporary Management

On-line version ISSN 1815-7440

JCMAN vol.19 n.2 Meyerton  2022

http://dx.doi.org/10.35683/jcm22008.165 

ARTICLES

Strategic risk management: A systematic review from 2001 to 2020

Jabulani Dhlamini

Edinburgh Business School, Heriot-Watt University, United Kingdom. Email: dhlamini.iabulani@gmail.com; ORCID: https://orcid.org/0000-0001-6291-6231
ABSTRACT

PURPOSE OF THE STUDY: The review aims to provide an understanding of strategic risk management (SRM) research in the past two decades, and to propose a framework on how the practice of SRM can be further improved.
DESIGN/METHODOLOGY/APPROACH: A systematic review of the existing literature on SRM was conducted, and relevant publications were selected from a Scopus search for the period 2001 to 2020. The selected publications contained 'strategic risk management' in their title, abstract, and/or keywords. The initial search produced 141 publications; this was filtered further by refining the search criteria and, after further manual filtering, 54 publications were finally identified for this study.
FINDINGS: The review established that there was a very slow but steady increase in the number of publications on the subject of SRM during the two decades, with the exception of a higher number of publications (ten) that were recorded in 2015. Most of the publications during this period were in business, management, and accounting publications, which firmly places SRM within this subject field. Keywords associated with SRM over this review period were also identified, and these also highlighted other management oversight functions influenced by SRM.
RECOMMENDATIONS/VALUE: The review contributes to the body of knowledge by providing (i) a review of SRM research over the past two decades; (ii) a theoretical framework that can be used to guide the identification and categorisation of risks; and (iii) a positioning of strategic risk with the other risk categories.
MANAGERIAL IMPLICATIONS: The review has presented guidance on the six proposed strategic risk categories: (i) regulatory and compliance risks, (ii) competitor risks, (iii) economic risks, (iv) political risks, (v) technology risks, and (vi) partnership and/or collaboration risks. It also proposes a theoretical framework that positions the management of strategic risks as part of the greater enterprise-wide risk management (ERM) process, and highlights the need for risk appetite determination and assessment.
JEL CLASSIFICATION: M0

Keywords: Enterprise-wide risk management, Operational risk, Project risk, Strategic risk, Strategic risk management

1. INTRODUCTION

Risk is inherent in every activity undertaken in life, whether by an individual or by an organisation. The question "What can go wrong?" is one that has puzzled many practitioners and managers in both private and public settings. The ability to answer this question is foundational to any risk management practice. Obviously, without the ability to predict the future, organisations cannot answer this question. But the key is not to be able to predict the future, but to have the insight to build the capability to address the different eventualities that the future might bring.

Through effective risk management, and by having an understanding of the risk appetite, we can determine how much risk we are willing to accept in relation to any choices or events we undertake (Anderson & Frigo, 2020). For those most uncertain eventualities for which we cannot anticipate the required capabilities, having a war chest of well-managed resources that can be deployed to acquire the necessary capabilities and to manage the risks will provide the advantage that is required to manage unforeseen/unforeseeable risks (Kaplan et al., 2020). Such was the case with the impact of the Covid-19 pandemic in 2020/2021: no one could have predicted its impact - although many futurists and scientists had predicted that such a pandemic would affect us, as had happened before with the bubonic plague ('the black death') from 1346 to 1353 and the Spanish flu from 1918 to 1920 (Zakaria, 2020).

It was suggested that one of the biggest factors leading to the destruction of value is to develop and implement a strategy without assessing the associated risks (Grove & Clouse, 2016). Strategic risk management (SRM) is important because it is a link to enabling strategy formulation and its execution (McConnell, 2015).

SRM is the process of developing insight to understand what could go wrong that would affect the achievement of a given strategy, and adopting appropriate mitigating actions (Frigo & Anderson, 2011). Strategic risk has also been defined as the risks that would affect the achievement of business objectives (Emblemsvåg & Kjølstad, 2002; McConnell, 2015). However, it was argued by Andersen and Sax (2020) that there are no commonly agreed definitions of SRM or of strategic risks, and that, in practice, definitions depend on the person's background, professional orientation, and managerial perspective. This position is also supported by McConnell (2015).

Strategic risk commonly falls into the following categories: (i) regulatory and compliance risks, (ii) competitor risks, (iii) economic risks, (iv) political risks, and (v) technology risks (Bromiley et al., 2016). Although these categories mostly cover external factors, strategic risk can also arise from internal factors (Bromiley et al., 2016). Another risk category that can be included is partnership and/or collaboration risks, because most strategy implementation activities are done in partnership with, or with the support of, other stakeholders.

The practice of risk management is commonly known as 'enterprise-wide risk management' (ERM). SRM has been described as a subset of ERM, even though the term SRM is believed to be much older than the term ERM (Bromiley et al., 2016). ERM was defined by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) in 2004 as:

"a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives." (Frigo & Anderson, 2011:21)

The aim of this paper is to conduct a systematic review that covers the two decades from 2001 to 2020, in order to see how the field of SRM has developed in the literature. In those two decades, we saw a number of businesses being exposed to strategic risks and closing or collapsing. The exposure to strategic risks they faced was primarily related to regulatory and compliance risks such as corporate governance failure and business continuity planning shortfalls. The selection of the period 2001 to 2020 also enabled the assessment of SRM in relation to some of the major risk events that affected businesses, resulting in a number of them incurring losses or penalties, or closing or collapsing. These events include the 2008 financial crisis and the COVID-19 pandemic. Andersen and Sax (2020), in their overview of SRM, highlighted that there was a lack of sufficient research and alignment on the practice of SRM.

Some of the big entities that collapsed and/or were affected by corporate scandals that had strategic risk exposure were Enron, Volkswagen, Lehman Brothers, BP, Uber, Apple, Facebook, Valeant Pharmaceuticals, Kobe Steel, Equifax and, most recently, Steinhoff (IG South Africa, 2018). Strategic risk exposure is not limited to corporate scandals: unforeseen/unforeseeable events such as the 2008 financial crisis and the Covid-19 pandemic, experienced from early 2020, affected businesses as well, resulting in losses and/or penalties and closure or collapse (Kaplan et al., 2020).

The failure to manage strategic risk effectively is likely the major cause of most of the challenges these entities faced, leading to their collapse or their incurring huge legal fees and penalties. The collapse of a business, or the need to settle penalties and the associated legal fees, rob the entities' stakeholders of the benefits or returns they might otherwise have received in the form of on-going business with other value chain partners, profits, dividends, or income for employees. To ensure that there is sufficient accountability for managing risk, risk control should be the overall responsibility of the Chief Executive or the Executive Director (Grove & Clouse, 2016) with oversight from the board of directors as well (McConnell, 2015).

Given the many challenges that organisations have faced as a result of strategic risk exposure, it would be good to understand why SRM is not widely and/or effectively practised to assist organisations to address these strategic risk exposures. This study seeks to understand how SRM research has progressed over the two decades in question by looking at the existing literature on the subject, and also to determine how the practice of SRM can be improved further. As highlighted in the COSO definition of ERM, it is also important to understand the role of the board of directors and management in the oversight of the SRM process and in promoting its practice.

This review contributes to the body of knowledge by (i) presenting a review of SRM research over the two decades identified earlier, (ii) providing a theoretical framework that can be used to guide the categorisation and identification of risks, and (iii) positioning strategic risk with the other risk categories.

2. RESEARCH AGENDA

To position the subject of SRM in the wider context of risk management and ERM, related key terms are defined in the next sections.

2.1 Enterprise-wide risk management

ERM was defined by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) in 2004 as:

"a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives." (Frigo & Anderson, 2011:21)

This definition of ERM is the same as that in the updated COSO ERM framework published in 2017 (Prewett & Terry, 2018). The above definition is one of the most comprehensive, as it positions risk management within the formulation and execution of strategy. The overall intent of ERM is to ensure that organisations can identify, assess, and manage risks. The ultimate goal of any effective ERM process is to enable the integration of the risk management practice so that multiple and cross-enterprise risks, as well as interdependent risks, can be identified. It is important to manage all risks effectively to ensure that the net impact of any risk exposure does not affect the survival of the organisation (Roberts et al., 2003). Failure to identify risks and to manage them effectively is itself a risk (Roberts et al., 2003).

At a high level, managing risk involves (i) identifying the risk, (ii) assessing and analysing the risk, and (iii) managing the risk (Frigo & Anderson, 2011). The process of assessing and managing a risk involves determining the risk appetite of the organisation from either an impact or an opportunity perspective. In establishing the risk appetite, an organisation would have to determine how much risk it is willing to accept or absorb; and, to an extent, this process also involves one of the foundational practices of managing risk: transferring it, which is done primarily by purchasing insurance cover.

Risk appetite has been defined by the International Organization for Standardization (ISO) as the risk that an organisation is willing to pursue or retain, whereas COSO defines risk appetite as the amount of risk an organisation is willing to accept in pursuit of value (Aven, 2013). It enables the organisation to know what risk it is willing and able to accept, and can withstand, given its existing capabilities and resources. This is a good risk safeguard because it gives the organisational management structures a guideline that informs them what they can accept in the form of risk losses, and the level of risk to take when pursuing the available opportunities.

Having made the decision to undertake an event or to be exposed to an event, one of the first considerations in making a risk management response should be the determination whether the risk is transferable or insurable, and whether the associated insurance cost is acceptable. If the cost of the insurance cover is acceptable, then the risk should be transferred to the contracted insurance service provider. In the event that part of the risk - or the full risk exposure - is not insurable/transferable, the organisation has to actively manage the risk internally through available mitigation measures and using any available resources to absorb the risk.

Over the years, COSO has updated the framework and has incorporated the impact of risks on strategy. However, it can be argued that this has always been the case since the 2004 definition, which states the following: "applied in strategy setting" and "provide reasonable assurance regarding the achievement of entity objectives". Thus it can be posited that ERM incorporates the identification and management of strategic risks.

2.2 Strategic risk management

SRM is a multi-disciplinary practice that has progressed beyond just insurance and financial management to an overall managerial discipline/practice (Andersen & Sax, 2020). SRM is the process of developing insight to understand what could go wrong that would affect the achievement of the set strategy, and adopting appropriate mitigation actions (Frigo & Anderson, 2011; McConnell, 2015).

It is argued that the role of the board of directors, as it relates to strategy, is to direct, guide, approve, review, and monitor strategy (McConnell, 2015). The formulation and implementation of strategy should be the responsibility of management, since it is an extremely detailed process that requires a significant amount of time and resources, which an independent board of directors would not have (McConnell, 2015).

Frigo and Anderson (2011:22) defined strategic risk management as:

"a process for identifying, assessing, and managing risks and uncertainties, affected by internal and external events or scenarios, that could inhibit an organization's ability to achieve its strategy and strategic objectives with the ultimate goal of creating and protecting shareholder and stakeholder value."

A framework for SRM was also proposed by Frigo and Anderson (2009), as shown in Figure 1. The framework presented in Figure 1 clearly shows the requirement that all stakeholders involved in the SRM process understand the strategy of the organisation and the business environment. If the stakeholders involved in the SRM process are not familiar with the organisation's strategy, they will not be able to effectively identify the risk events that could give rise to strategic risks. A detailed understanding of the business environment is also necessary, as this would provide insight into the elements that could impact the implementation of the strategy and thus give rise to strategic risks (Du Toit, 2016). The strategic risk profile highlighted in activities 3 and 4 in Figure 1 depicts the risk analysis result or risk classification of identified risks using multiple measurements and graphical presentations, such as (i) probability and impact metrics and/or (ii) heat maps, and (iii) listings of the identified risks with a colour-coded heat scale for each risk to depict the severity of the assessed inherent risk level before the proposed/planned mitigation actions. This is usually compared with the residual risk, which is the estimated risk level after the impact of the proposed/planned mitigation actions (ISO, 2009).

It is suggested by Calandro (2015) that, for an organisation to be able to address the risks that potentially threaten its survival, the scope of the SRM process should cover:

(i) Exposure concentrations - this looks at the aggregated positions of transactions, events, or activities in funding sources, customer segments, product lines, regions/geographical areas, and industries/sectors. If these are not actively identified, by the time they are discovered it might be too late to address the associated risk effectively.

(ii) Periphery monitoring - this is the process of assessing information on activities or events that are not directly linked to the main business activities of the organisation and that appear not to have an impact, but that, when concentrated, could severely impact the organisation. Thus the weak signals associated with these activities should be closely monitored.

(iii) Ambiguous threat analysis - this involves the identification and analysis of potential risk events that the organisation might not clearly understand, either because it does not have sufficient information, or because the risks appear weak and unrelated.

(iv) Risk mitigation - these are the options that the organisation can adopt to address the risk so that it does not impact the business significantly. These activities include defining the organisation's risk appetite and then the risk response options, such as risk reduction, risk transfer, risk retention, and risk avoidance.

(v) Risk tracking - this process involves assigning responsibilities to organisational structures and staff to monitor, reassess, and analyse all identified risks regularly, and to determine whether the proposed mitigation action is still appropriate to address the risk adequately.

(vi) Managing the integrity of the business model - given the identified risk exposure, it might be worthwhile to change the business model to avoid certain risks or to position the organisation better to withstand the threat posed by the risks.

However, McConnell (2015) posits that SRM involves addressing two types of risk: (i) strategic positioning risks, which consider whether the organisation's strategic direction is still the right one; and (ii) strategic execution risks, which consider the relevance of the strategic plan and whether the organisation is still on track to achieve its set objectives.

SRM is a practice that enhances governance (Grove & Clouse, 2016), and is a link between risk management and strategic planning (Andersen & Sax, 2020). As part of the strategic planning process, it would be beneficial to undertake a strategic risk assessment to determine the strategic risks that could impact the planned strategy, and so establish the mitigation actions to bring any associated risk within the strategic risk appetite of the organisation.

2.3 Risk categories

There are four primary risk categories: (i) strategic risks, (ii) operational risks, (iii) project risks, and (iv) unforeseen/unforeseeable risks (Roberts et al., 2003). This distinction is made at the level of risk and/or type of risk, and depends on the characteristics of the risk. The management level can also be a consideration, depending on who is supposed to have responsibility for and oversight of the different risk categories.

2.3.1 Strategic risk

Strategic risk was defined as the risks that would affect the achievement of business objectives (Emblemsvåg & Kjølstad, 2002; McConnell, 2015). Emblemsvåg and Kjølstad (2002:847) offer a definition of strategic risk as a formula:

"Strategic risk = possibility x impact on business objectives"

Whereas, McConnell (2015:6) defines strategic risk as:

"Those threats and opportunities that materially affect the ability of an organisation to survive"

Despite the proposed definitions of strategic risk, there is no commonly agreed definition of strategic risk (McConnell, 2015). It is, however, argued that strategic risk commonly falls into the following categories: (i) regulatory and compliance risks, (ii) competitor risks, (iii) economic risks, (iv) political risks, and (v) technology risks (Bromiley et al., 2016). These categories are elaborated below:

(i) Regulatory and compliance risks are those events that would result from non-conformance to defined regulatory rules or standards, or to self-managed codes of conduct and the associated compliance requirements (Boella et al., 2013). Increased globalisation has obviously increased the number of rules that organisations have to address, and has made the process of compliance a lot more complicated.

(ii) Competitor risks are the events or actions taken by the organisation's competitors that would significantly impact its ability to achieve its goals and objectives. The associated risks also include the lack of effective risk mitigation action by the organisation (Fahey, 2007).

(iii) Economic risks are exposure events that arise from the wider macroeconomic conditions and societal aspects that go beyond competitors and include events related to the overall state of the country's monetary policy, fiscal policy, foreign currency exchange rate, demography, inflation, unemployment level/rate, interest rates/ cost of capital, and related government regulations (Miller, 1998).

(iv) Political risk was defined as an event with uncertainty associated with changes to public policies, geopolitics/foreign policy, social activism, terrorism, cyberthreats, and changes in public administration practitioners/professionals and their subsequent influence on public and foreign policy; this also includes the cost and/or benefits associated with public and foreign policy changes to the extent that they affect businesses/ organisations (Rice & Zegart, 2018). Rice and Zegart (2018) added that it is important for an organisation to determine its political risk appetite, and that political risks cannot be easily predicted: so organisations need to build and prepare capabilities to respond to possible eventualities.

(v) Technology risk is the impact of uncertain events associated with the adoption/use of timely and appropriate technology (Ernawati & Nugroho, 2012) and the ability of the organisation to address the threats posed by cybersecurity as a result of the ever-increasing use of technology in the fourth industrial revolution. These technology solutions include advancements such as artificial intelligence (machine learning and robotics), drone technology, virtual reality (VR), augmented reality (AR), the internet of things (IoT), chatbots (virtual/intelligent assistants), 3D printing (including bioprinting), blockchain technology (distributed ledger), and cloud computing solutions (IaaS, PaaS, SaaS) (Schwab, 2017).

Although these categories mostly cover external factors, strategic risk can also arise from internal factors (Bromiley et al., 2016). Thus another strategic risk category that could be included is 'partnership and/or collaboration risks'; this is because most strategy implementation activities are done in partnership with, or with the support of, other stakeholders.

Bromiley et al. (2016) argue that strategic risks are those events that the organisation's management determines to be strategic; thus, if a risk is not deemed to be strategic by the management, it is not strategic, and could then be classified as being an operational or project risk. This raises the question: how do organisations differentiate between strategic and non-strategic risks? This challenge could be addressed by using the definition of Emblemsvåg and Kjølstad (2002), which states that if a risk does not affect the achievement of set business objectives or strategy, it is not deemed to be strategic.
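As an added illustration (not code from the paper), the following Python risk register applies the Emblemsvåg and Kjølstad "possibility x impact" form on an assumed 1 to 5 scale for each factor, scores both inherent and residual risk as in the risk profile described in Section 2.2, bands the scores into an assumed heat-map scale, and flags risks whose residual score still exceeds an assumed risk appetite. The risks, scores, thresholds, and category labels are constructed for the example.

```python
"""Strategic risk register scoring (added example, not the paper's own code).

Strategic risk = possibility x impact (Emblemsvåg & Kjølstad, 2002), with each
factor on an assumed 1..5 scale. Each risk is scored before mitigation (inherent)
and after planned mitigation (residual), banded into an assumed heat-map colour,
and compared with the organisation's risk appetite. All values are constructed.
"""
from dataclasses import dataclass

# The six strategic risk categories discussed in the paper (labels assumed).
CATEGORIES = {
    "regulatory", "competitor", "economic", "political", "technology", "partnership",
}


@dataclass(frozen=True)
class StrategicRisk:
    name: str
    category: str
    possibility: int             # 1 (rare) .. 5 (almost certain), before mitigation
    impact: int                  # 1 (negligible) .. 5 (threatens survival)
    mitigated_possibility: int   # expected possibility after planned mitigation
    mitigated_impact: int        # expected impact after planned mitigation


def _check_scale(value: int, label: str) -> None:
    if not 1 <= value <= 5:
        raise ValueError(f"{label} must be on the 1..5 scale, got {value}")


def score(possibility: int, impact: int) -> int:
    """Strategic risk = possibility x impact, giving a value in 1..25."""
    _check_scale(possibility, "possibility")
    _check_scale(impact, "impact")
    return possibility * impact


def heat_band(score_value: int) -> str:
    """Colour-coded heat scale; the thresholds are an assumption of this example."""
    if score_value >= 15:
        return "red"
    if score_value >= 8:
        return "amber"
    return "green"


def profile(risk: StrategicRisk, appetite: int) -> dict:
    """Inherent and residual score, heat bands, and whether residual risk is within appetite."""
    if risk.category not in CATEGORIES:
        raise ValueError(f"unknown strategic risk category {risk.category!r}")
    inherent = score(risk.possibility, risk.impact)
    residual = score(risk.mitigated_possibility, risk.mitigated_impact)
    if residual > inherent:
        # A mitigation plan that raises the score is a data-entry or modelling error.
        raise ValueError(f"{risk.name}: residual risk exceeds inherent risk")
    return {
        "name": risk.name,
        "category": risk.category,
        "inherent": inherent,
        "inherent_band": heat_band(inherent),
        "residual": residual,
        "residual_band": heat_band(residual),
        "within_appetite": residual <= appetite,
    }


def risk_register(risks, appetite: int) -> list:
    """Heat-map style listing: profiles sorted by inherent score, highest first."""
    return sorted((profile(r, appetite) for r in risks), key=lambda p: -p["inherent"])


def outside_appetite(risks, appetite: int) -> list:
    """Risks whose residual score still exceeds appetite and need further treatment or avoidance."""
    return [p["name"] for p in risk_register(risks, appetite) if not p["within_appetite"]]


# Constructed sample register (not real data).
SAMPLE_RISKS = [
    StrategicRisk("new data-protection regulation", "regulatory", 4, 4, 2, 4),
    StrategicRisk("competitor launches cheaper product", "competitor", 3, 5, 3, 4),
    StrategicRisk("ransomware disrupts cloud platform", "technology", 4, 5, 2, 3),
    StrategicRisk("key supplier insolvency", "partnership", 2, 4, 1, 2),
]
SAMPLE_APPETITE = 9  # assumed: highest residual score the board is willing to carry

if __name__ == "__main__":
    for entry in risk_register(SAMPLE_RISKS, SAMPLE_APPETITE):
        print(entry)
    print("outside appetite:", outside_appetite(SAMPLE_RISKS, SAMPLE_APPETITE))
```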

2.3.2 Operational risk

Operational risks such as human mistakes, fraud, theft, process failures, system errors, and external hazards have been the cause of some of the major financial failures experienced in recent decades (Pieket Weeserik & Spruit, 2018). An organisational operating model is an enabling function that governs the delivery of the required resources, such as people, processes, technology, and infrastructure, to operationalise the business model to achieve the strategy (Moosa, 2007; Caglar et al., 2013; Pieket Weeserik & Spruit, 2018). Thus, operational risks are events that impact the delivery and effective functioning of the operating model elements listed above in respect of people, processes, technology, and infrastructure. These elements are foundational to enabling the day-to-day functioning of any organisation.

It was proposed that operational risk is diverse and that there is no universally agreed definition of operational risk; however, in the financial services sector, operational risk was defined as any risk exposure that is not classified as either market or credit risk (Moosa, 2007). It was stated that the objectives of operational risk management are (i) to avoid significant losses, (ii) to enable a broader understanding of operational risk issues, (iii) to enable organisations to identify risks more effectively, (iv) to enable operational performance measurement, (v) to change behaviour to reduce operational risk, (vi) to make risk information available so that the services offered by the organisation account for any associated operational risk, and (vii) to ensure that sufficient due diligence is conducted when there are mergers and acquisitions (Moosa, 2007).

The use of business performance measurement technology platforms and/or tools is argued to be the most effective way to improve operational risk management, since this would highlight areas of concern about the operating model timeously (Pieket Weeserik & Spruit, 2018).

2.3.3 Project risk

A project is a temporary initiative that has a defined beginning and an end date or point (Cagliano et al., 2015; Project Management Institute, 2021). There are four elements to be considered in defining a project: (i) the objectives of the project, (ii) the time period in which the project should be carried out and completed, (iii) the key deliverables or outcomes of the project, and (iv) the required resources, budget, or cost of the project (Project Management Institute, 2021). Thus, a project risk is an event that can affect or impact any of the four project elements listed above. However, Mentis (2015) argues that it is not project risks but project uncertainties that cause project slippage, and that these uncertainties relate to budget overspend or lack of sufficient budget, non-conformance to the agreed schedule (planned delivery timelines), and deliverables not being fit for purpose. Project slippage was defined as the failure to estimate properly the time and cost of completing a task (Mentis, 2015; Kliem & Ludin, 2019). It was posited that project slippage is primarily the result of (i) a lack of sufficient project oversight, (ii) the absence of a project plan that provides insight into the objectives, budget, and schedule, (iii) ineffective project management, (iv) inadequate threat management (a focus on the identification and management of associated project risks), (v) a lack of adequate stakeholder management, and (vi) the failure to monitor the project plan and adapt it to changes in the environment (Mentis, 2015).

2.3.4 Unforeseen / unforeseeable risks

Unforeseen risks are those that could have been identified, had sufficient information been available and sufficient analysis conducted; whereas unforeseeable risks are those that cannot be identified because no amount of information or analysis would have made that identification possible (Roberts et al., 2003). Considering these definitions, it could be argued that Covid-19 was an unforeseen novel risk. Novel risks have been defined as events that could not have been identified, despite the available information or level of risk analysis (Kaplan et al., 2020). Covid-19 is seen as a novel risk, even though scientists had been studying this subject area and had been predicting that a pandemic exposure was possible and was likely to happen; however, there was a high level of uncertainty about when it might occur (Kaplan et al., 2020). The term that has been used most recently for this risk category is 'black swan events'; however, if the risk event is predictable, it is not deemed a 'black swan', but should be classified as a 'predictable surprise' (Calandro, 2015).

Falling into this category of unforeseen/unforeseeable risk are interdependent risks - those that result from cascades of other risks. These are dangerous because they are mostly impossible to identify before they happen (Roberts et al., 2003; Kaplan et al., 2020). For those most uncertain eventualities when one cannot anticipate the required capabilities, having a war chest of well-managed resources that can be deployed to acquire the necessary capabilities would provide the required advantage to manage the unforeseen/unforeseeable risks (Kaplan et al., 2020). A similar assertion was made by Rice and Zegart (2018) as it relates to managing political risks.

Scenario planning is another capability that has been highlighted as helping to determine what would be required to address different risk eventualities, and it is most applicable in addressing unforeseen/unforeseeable risks (Cardoso & Emes, 2014; Hoffmann, 2017; Schwarze & Taylor, 2017) as well as political risks (Rice & Zegart, 2018). Scenario planning is a process that involves determining different or alternative future states that an organisation could face under different assumptions about the future, and then determining the capabilities and resources it would need to address the challenges of each future scenario (Cardoso & Emes, 2014; Hoffmann, 2017; Schwarze & Taylor, 2017). It is important to note that scenario planning does not predict the future, which would be a very difficult feat to achieve; however, it does seek to enable the organisation to conceptualise alternative future states, based on the knowledge and assumptions available to it (Schwarze & Taylor, 2017). This would then enable the organisation to identify the various events/challenges associated with each of the scenarios more effectively, and respond accordingly.

3. METHODOLOGY

A systematic review of the existing literature on SRM was conducted from an exploratory perspective to identify academic articles and other publications that provide the most relevant content and research on SRM. This review followed an integrative or critical review approach with the aim of assessing, critiquing, and synthesising the literature on SRM in order to understand the practice of SRM in the two decades in question (Snyder, 2019). The systematic review approach is illustrated in Figure 2.

The review approach that was followed enabled the selection of literature that contained 'strategic risk management' in its title, abstract, and/or keywords. The initial search produced 141 publications; this was filtered further by limiting the search to the subject area of 'business, management, and accounting'; this resulted in 63 publications. Four books from the 63 publications were then filtered out. Thus a total of 59 publications (40 articles, 11 book chapters, five conference papers, and three editorials) were selected from the Scopus search for the period 2001 to 2020. The review approach then used a manual filtering that involved appraising and synthesising all 59 publications (Centobelli et al., 2020). An initial manual review of the 59 publications was conducted, based on a thematic and content analysis of each of the publications that looked at the relevance and depth of content on the study subject. Following this review, a further five publications were filtered out because they did not have any material linkage to the study subject except for limited references to the subject of risk or strategic risk management. This left 54 publications (Figure 2, Table 1, and Appendix 1) for further analysis. Descriptive statistics were used to address the research objectives of this study (Centobelli et al., 2020).

The content analysis of the publications, the insights gained from the research agenda, and the occurrence of keywords informed the development of the theoretical enterprise-wide risk management framework illustrated in Figure 6.

According to Table 1, 64.8 percent of the documents used in this review were journal articles.

 

4. FINDINGS AND DISCUSSION

To assess the maturity of SRM as a research area, a simple Scopus search for the period 2001 to 2020 showed that there were far fewer publications on SRM (12,891) than on related subject areas such as strategy (2,462,453), strategic planning (80,253), strategic management (96,928), and scenario planning (46,351), and far fewer than on the broader subject of risk management (543,079). This assessment is based on unfiltered counts for the listed topics and is not restricted to the articles and journals selected for this review.

The analysis presents the following outputs: frequencies, papers over time, papers and citations across journals, papers by subject area, and keywords. As shown in Figure 3, the highest number of papers were published in 2015, with a total count of 10 papers. The second-highest number of publications were in 2011, with a total of five publications. Four publications were recorded in each of the years 2006, 2014, 2018, and 2020.

The year 2015 had the highest number of publications; seven of these were book chapters, two were journal articles, and one was an editorial. The seven book chapters and the editorial were all published in The Routledge companion to strategic risk management.

The author with the highest number of publications over this period was T.J. Andersen, who contributed to four articles. Beyond this, contributions were spread across a diverse range of authors, so no single author dominated the subject of SRM in this period.

The average number of papers published per year doubled from 1.5 in the first decade (2001 to 2010) to three in the second decade (2011 to 2020).

The paper that was cited most often - with 40 citations - was published in 2006; the paper with the second-highest number of citations (32) was published in 2013. The former paper looked at corporate governance that enabled the management of strategic risk, and the latter focused on enabling competitive advantage through risk management.

As illustrated in Figure 4, the business, management, and accounting subject area had 52 of the publications, followed by the economics, econometrics, and finance area with 18 publications. Given the high number of SRM publications in these two subject groupings, it could be argued that this places SRM in the realm of business, management, and economics.

A keyword analysis was conducted to identify the most frequently occurring keywords. Table 2 shows all of the keywords that occurred more than once in the 54 publications identified for this review. The keywords informed the development of a theoretical framework on ERM, this was based on the strength, linkage, and meaning of the keywords as they relate to enabling ERM and to the positioning of SRM in the ERM process.

The results in Table 2 show that the most frequently occurring keywords were risk management (16 times) and strategic risk management (10 times). Note the other keywords that do not contain the word 'risk', such as 'corporate governance', 'corporate strategy', 'strategy', 'controls', 'economic exposure', 'internal audit quality', 'management', and 'strategic management': this shows how the function of SRM is important in the management and oversight of the organisation. This also highlights the other management oversight functions that are influenced by, or that are supposed to take into account, the impact of SRM - for example, defining the organisation's strategy and the associated management, which would include corporate governance, controls, internal audit quality, and assessing and managing the economic exposure of the organisation.

As one of the keywords, 'strategy' is about how an organisation will achieve its long-term goals and objectives (Collis & Rukstad, 2008), whereas 'corporate strategy' is a sub-element of strategy that defines the portfolio of businesses that the organisation will pursue (Feldman, 2020). The importance of SRM to strategy, and thus to achieving the organisation's vision or set objectives, is further highlighted by Rumelt (2022), who posits that strategy is an ongoing process of identifying the critical challenges faced by the organisation and deciding what actions to take. Rumelt calls these challenges the 'crux': the most important challenges that are addressable and that have a good chance of being solved by coherent action. The practice of SRM can help to identify the critical challenges (the crux) on which the organisation should focus.

'Management' is the process of planning, controlling, and coordinating tasks or activities; thus 'strategic management' can be viewed as the process of management with a long-term view or perspective (Nickols, 2016). 'Corporate governance' is the combination of rules, policies, and processes that are in place to direct and control an organisation (Pargendler, 2016; Scherer & Voegtlin, 2020). Thus corporate governance could be seen as the umbrella term that encompasses all of the other occurring keywords, such as risk management, strategy, strategic management, knowledge management, controls, and internal audit quality.

'Internal audit quality' was stated to involve an appropriately extensive and regular assurance review of internal controls, performance measurements, and compliance with relevant regulations and self-imposed codes of conduct (Boella et al., 2013). 'Economic exposure' is the potential impact on the organisation of macroeconomic factors such as inflation, taxes, foreign exchange rate, interest rates, demographic changes, unemployment, and other government regulations (Miller, 1998).

In the keyword cloud (Figure 5), risk management, strategic risk management, enterprise risk management, enterprise strategic risk management, international risk management, risk management capabilities, risk management culture, risk management practices, and risk management process were all merged under 'risk management'. This was done to reduce the number of keywords so that the keyword cloud was not cluttered. The keywords in Figure 5 show that the larger the word, the more often it occurs.
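The two keyword-analysis steps described above (counting the keywords that recur across the selected publications, as reported in Table 2, and folding every keyword that contains 'risk management' into a single label before drawing the keyword cloud of Figure 5) can be made concrete in code. The following Python example is added here for illustration and is not part of the original review: the six publications and their keywords are constructed sample data rather than the 54 publications analysed, and the choice to count a keyword at most once per publication is an assumption of this example, not a rule stated in the paper.

```python
"""Keyword frequency analysis for a literature review (added illustrative example).

Reproduces, on constructed data, the two steps the review describes:
  1. count how often each author keyword recurs across publications and
     report those occurring more than once (the Table 2 step);
  2. merge every keyword variant containing 'risk management' under the
     single label 'risk management' before building a keyword cloud
     (the Figure 5 step).
"""
from collections import Counter
from typing import Iterable, List, Tuple

# Constructed sample: each inner list holds one publication's author keywords.
# These are NOT the keywords of the 54 publications in the review.
SAMPLE_PUBLICATIONS = [
    ["Risk management", "Strategic risk management", "Corporate governance"],
    ["strategic risk management", "Enterprise Risk Management", "Strategy"],
    ["Risk Management", "Scenario planning", "Controls"],
    ["Risk management culture", "Internal audit quality", "Risk management"],
    ["Corporate strategy", "Economic exposure", "Strategic management"],
    ["Risk management process", "Corporate governance", "risk management"],
]

# Label under which all 'risk management' variants are merged for the cloud.
MERGE_LABEL = "risk management"


def normalise(keyword: str) -> str:
    """Lower-case and collapse whitespace so spelling variants count together."""
    return " ".join(keyword.strip().lower().split())


def keyword_counts(publications: Iterable[Iterable[str]]) -> Counter:
    """Count the number of publications listing each normalised keyword.

    Assumption of this example: a keyword listed twice by one publication
    is counted once for that publication (hence the set comprehension).
    """
    counts: Counter = Counter()
    for keywords in publications:
        counts.update({normalise(k) for k in keywords})
    return counts


def recurring_keywords(publications: Iterable[Iterable[str]],
                       min_count: int = 2) -> List[Tuple[str, int]]:
    """Keywords occurring at least `min_count` times, most frequent first,
    ties broken alphabetically (the 'occurred more than once' table)."""
    counts = keyword_counts(publications)
    return sorted(((k, n) for k, n in counts.items() if n >= min_count),
                  key=lambda kn: (-kn[1], kn[0]))


def merged_counts(publications: Iterable[Iterable[str]],
                  label: str = MERGE_LABEL) -> Counter:
    """Fold every keyword containing `label` into `label` (the Figure 5 rule).

    Merging is done per publication before counting, so a paper that lists
    both 'risk management' and 'strategic risk management' contributes a
    single count to the merged label rather than two.
    """
    merged: Counter = Counter()
    for keywords in publications:
        folded = {label if label in normalise(k) else normalise(k)
                  for k in keywords}
        merged.update(folded)
    return merged


if __name__ == "__main__":
    for keyword, n in recurring_keywords(SAMPLE_PUBLICATIONS):
        print(f"{n:2d}  {keyword}")
    print("--- merged for keyword cloud ---")
    for keyword, n in merged_counts(SAMPLE_PUBLICATIONS).most_common():
        print(f"{n:2d}  {keyword}")
```

On the constructed sample the raw count lists 'risk management' (4), 'corporate governance' (2) and 'strategic risk management' (2) as the recurring keywords; after merging, 'strategic risk management', 'enterprise risk management', 'risk management culture' and 'risk management process' disappear as separate entries and 'risk management' rises to 5, which is the effect the cloud merging is intended to have. The word-cloud rendering itself is left to whatever tool is used; the merged counter is the input it needs.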

4.1 Theoretical framework

The insights from the research agenda and the analysis of the 54 publications on SRM enabled the elaboration of a theoretical framework for ERM (see Figure 6) that positions SRM as part of the wider ERM of the organisation, and also maps the key themes derived from this research study. The framework shows the interaction of the ERM function with the four risk categories, and that the risk management process has to involve a wider grouping of organisational stakeholders, such as the board of directors, senior management, functional heads, project managers, and the respective divisions and/or departments.

Strategic risk has been listed as one of the four risk categories and, as defined in the research agenda review, involves risks that could affect the organisation in achieving its objectives and strategy. Thus the management of strategic risks is part of the overall ERM process, although its management can follow a specific process such as that shown in the framework proposed by Frigo and Anderson (2009) in Figure 1.

4.1.1 Risk appetite

Given the linkage between strategy and risk management in achieving the organisation's goals and objectives, an aspect of risk management that needs to be considered, over and above the prescribed risk response options shown in Figure 6, is the determination of the organisation's risk appetite. The risk appetite acts as a guide for the organisation's ERM process and management structures on the types of risk the organisation is willing to accept, from both a loss and an opportunity perspective (Francis, 2019; Anderson & Frigo, 2020). The process of determining the risk appetite is important and strategic, as it informs the strategy formulation and implementation processes. It could be considered the first layer of risk response/management, before adopting the other risk response options listed in Figure 6 and in section 4.1.2. If the risk appetite is not defined and communicated to the organisational management structures, there is a risk that the organisation could pursue opportunities whose outcomes exceed its ability to address the associated risks should those opportunities not turn out as successfully as predicted. Thus it is important to have the risk appetite defined so that it can guide management and the organisation on the activities or opportunities it should pursue. When applied to the SRM framework of Frigo and Anderson (2009) presented in Figure 1, risk appetite can be determined as part of activity 1, understanding the strategy, and in activity 5, developing the SRM action plan.

Risk appetite is important in informing the strategic decision-making process of organisations (Francis, 2019; Anderson & Frigo, 2020). The determination of the risk appetite will inform how the organisation will respond to the risk event by adopting one or more risk responses, such as (i) risk reduction, (ii) risk transfer, (iii) risk avoidance, (iv) risk retention (Francis, 2019; Andersen & Sax, 2020), (v) seeking additional information on the risk event (Hoffmann, 2017), and (vi) scenario planning (Cardoso & Emes, 2014; Hoffmann, 2017; Schwarze & Taylor, 2017).

4.1.2 Risk response strategies

The main risk response strategies (Hillson, 2001; Francis, 2019; Andersen & Sax, 2020), as well as seeking additional information on the risk event and scenario planning as additional response strategies, are defined as follows:

(i) Risk reduction

This involves implementing mitigation measures that reduce the likelihood of the risk occurring and/or its impact to an acceptable level, depending on the risk category in which it is assessed, that is, its classification as one of the four risk categories (strategic risk, operational risk, project risk, or unforeseen/unforeseeable risk).

(ii) Risk transfer

Risk can be transferred in one of two ways, both of which will almost always involve a contracting arrangement: (i) purchasing insurance, where the risk is insurable and the organisation opts to pay a premium to a specialist insurer so that it carries the risk associated with the insured event; or (ii) contractually agreeing with a third party that it will carry the risks associated with the risk event. An example of the latter is goods in transit: if the risk of ownership is transferred only on delivery, the risk during transit lies with the supplier; if it is transferred on purchase or collection, the risk lies with the purchaser from the date of purchase.

(iii) Risk avoidance

An organisation can opt not to proceed with an initiative, transaction, or activity because the associated risk is too high or because it does not have the ability to deal with the eventuality. This response is classified as risk avoidance.

(iv) Risk retention

There will always be a level of risk retention, irrespective of whether risk transfer or risk reduction is the adopted response. Because risk is inherent in everything we do, it is almost impossible to reduce or transfer it completely. Even when purchasing insurance, insurers will typically require the insured to retain part of the risk, in the form of an 'excess' (or 'deductible' in some jurisdictions), the portion of any insured loss that is borne by the insured. It is also unlikely to be prudent to reduce all risk to nil, as the cost of doing so would most likely exceed the benefit of participating in the transaction, initiative, or activity.

(v) Seeking additional information

As part of the risk management process, and irrespective of which of the four main risk responses defined above is chosen, one of the primary risk mitigation activities is gathering information about the event. In some instances there will be a requirement to seek additional information in order to understand better the possible risks associated with an event, initiative, transaction, and/or activity. The better informed the organisation is about the possible risk, the better positioned it will be to respond appropriately (Hoffmann, 2017) by adopting one of the four main risk responses.

(vi) Scenario planning

This activity enables the organisation to conceptualise the different or alternative future states that it could face under different assumptions about the future, and then to determine the capabilities and resources it would need to survive and/or address the challenges of each scenario (Cardoso & Emes, 2014; Hoffmann, 2017; Schwarze & Taylor, 2017). This enables the organisation to recognise the events/challenges of each scenario as they materialise and to respond accordingly.

Enhancing an organisation's oversight of its ERM, and especially of its risk appetite, is important. Organisations could establish strategic risk management committees (SRMCs) at board level and at other management levels, tasked with reviewing and monitoring the processes of strategy formulation and implementation and the associated strategic risk management.

 

5. CONCLUSION

The total number of publications in the SRM subject area steadily increased during the period from 2001 to 2020. The highest number of publications was recorded in 2015, when a specific book was published on the subject. Publications in the decade from 2011 to 2020 averaged three per year, double the average of 1.5 per year in the earlier decade (2001 to 2010).

Six strategic risk categories have been proposed: (i) regulatory and compliance risks, (ii) competitor risks, (iii) economic risks, (iv) political risks, (v) technology risks (Bromiley et al., 2016), and (vi) partnership and/or collaboration risks. Utilising these categories to identify the associated risks that can affect the development and implementation of strategy will enable SRM. The ultimate responsibility for ensuring that the practice of SRM is being conducted should reside with the Chief Executive or Executive Director. This is over and above the other oversight of the practice of SRM that should be provided by the board of directors.

To further improve the coordination of SRM oversight, and therefore the practice of SRM, organisations could establish strategic risk management committees (SRMCs) at board level and at other management levels, tasked with reviewing and monitoring the processes of strategy formulation and implementation and the associated strategic risk management.

The determination and assessment of the organisation's risk appetite is important in the overall ERM process, as shown in the proposed theoretical enterprise-wide risk management framework (Figure 6). If the risk appetite is not determined well as it relates to the strategic risks, it could have a wider implication and impact on the management of the other risk category levels such as operational risk, project risk, and unforeseen/unforeseeable risk.

The theoretical framework (Figure 6) adds to the body of knowledge on ERM and SRM by providing a guide that can be used in the identification and categorisation of risks; and positions strategic risk with the other risk categories.

5.1 Limitations of the research

The main limitation that this review faced was using Scopus as the sole database for sourcing the articles for the systematic review. Broadening the range of databases might have enabled the identification and selection of a much wider set of articles for consideration.

5.2 Areas for further research

Further research in this focus area is needed, especially in (i) providing a common, widely accepted definition of SRM; (ii) finding out why SRM is not more widely researched, despite the linkage of its practice with enabling the achievement of set strategies; (iii) exploring ways to improve the process of identifying and analysing unforeseen/unforeseeable risks; and (iv) conducting an empirical study to test the practicality of the proposed theoretical enterprise-wide risk management framework (Figure 6) and to use the insights gained from the empirical study to develop the proposed framework further.

 

REFERENCES

Andersen, T.J. 2011. Strategic risk management practice: how to deal effectively with major corporate exposures. Strategic Direction. [https://doi.org/10.1108/sd.2011.05627gae.001].         [ Links ]

Andersen, T.J. & Sax, J. 2020. Strategic risk management: a research overview. Abingdon/New York: Routledge. [https://doi.org/10.4324/9780429456381].         [ Links ]

Anderson, R.J. & Frigo, M.L. 2020. Creating and protecting value. Coso.org. [Internet: https://www.iia.nl/SiteFiles/Publicaties/COSO-ERM-Creating-and-Protecting-Value.pdf: downloaded on 2021-12-13].         [ Links ]

Aven, T. 2013. On the meaning and use of the risk appetite concept. Risk Analysis, 33(3):462-468. [https://doi.org/10.1111/j.1539-6924.2012.01887.x].         [ Links ]

Boella, G., Janssen, M., Hulstijn, J., Humphreys, L. & Van Der Torre, L. 2013. Managing legal interpretation in regulatory compliance. In Proceedings of the Fourteenth International Conference on Artificial Intelligence and Law (pp. 23-32). [https://doi.org/10.1145/2514601.2514605].         [ Links ]

Bromiley, P., Rau, D. & McShane, M.K. 2016. Can strategic risk management contribute to enterprise risk management? Strategic management perspective. Finance Faculty Publications, (3):140-156. [https://doi.org/10.2139/ssrn.2512477].         [ Links ]

Caglar, D., Kapoor, N. & Ripsam, T. 2013. The new functional agenda: How corporate functions can add value in a new strategic era. Strategy, 1-16. [Internet: https://www.strategyand.pwc.com/gx/en/insights/2002-2013/functional-agenda/strategyand-the-new-functional-agenda.pdf; downloaded on 2021-07-10]        [ Links ]

Cagliano, A.C., Grimaldi, S. & Rafele, C. 2015. Choosing project risk management techniques: a theoretical framework. Journal of Risk Research, 18(2):232-248. [https://doi.org/10.1080/13669877.2014.896398].         [ Links ]

Calandro, J. 2015. A leader's guide to strategic risk management. Strategy & Leadership, 43(1):26-35. [https://doi.org/10.1108/SL-11-2014-0082].         [ Links ]

Cardoso, J.F. & Emes, M.R. 2014. The use and value of scenario planning. Modern Management Science & Engineering, 2(1):19-42. [Internet: https://core.ac.uk/download/pdf/268084779.pdf; downloaded on 2021-12-27].         [ Links ]

Centobelli, P., Cerchione, R., Chiaroni, D., Del Vecchio, P. & Urbinati, A. 2020. Designing business models in circular economy: a systematic literature review and research agenda. Business Strategy and the Environment, 29(4):1734-1749. [https://doi.org/10.1002/bse.2466].         [ Links ]

Collis, D. J. & Rukstad, M. G. 2008. Can you say what your strategy is? Harvard business review, 86(4):82-90. [Internet: https://www.panelquest.com/wp-content/uploads/2016/11/HBR-Can-you-say-what-strategy-is.pdf: downloaded on 2021-07-19].         [ Links ]

Du Toit, A.S. 2016. Using environmental scanning to collect strategic information: a South African survey. International Journal of Information Management, 36(1):16-24. [https://doi.org/10.1016/j.ijinfomgt.2015.08.005].         [ Links ]

Emblemsvåg, J. & Kjølstad, L.E. 2002. Strategic risk analysis: a field version. Management Decision, 40(9):842-852. [https://doi.org/10.1108/00251740210441063].         [ Links ]

Ernawati, T. & Nugroho, D.R. 2012. IT risk management framework based on ISO 31000: 2009. In 2012 International Conference on System Engineering and Technology (ICSET). IEEE:1-8. [https://doi.org/10.1109/ICSEngT.2012.6339352].         [ Links ]

Fahey, L. 2007. Connecting strategy and competitive intelligence: refocusing intelligence to produce critical strategy inputs. Strategy & Leadership, 35(1):4-12. [https://doi.org/10.1108/10878570710717236].         [ Links ]

Feldman, E.R. 2020. Corporate strategy: past, present, and future. Strategic Management Review, 1(1):179-206. [https://doi.org/10.1561/111.00000002].         [ Links ]

Francis, G. 2019. Enterprise risk management (ERM): key risks, responses and applications. 2019 Enterprise Risk Management Symposium, May 2-3, 2019, Orlando, FL. [Internet: https://www.soa.org/globalassets/assets/files/resources/essays-monographs/2019-erm-symposium/mono-2019-erm-francis.pdf; downloaded on 2021-07-18].         [ Links ]

Frigo, M.L. & Anderson, R.J. 2009. Strategic risk assessment. Strategic Finance, 25-33. [Internet: http://www.markfrigo.com/7Strategic_Risk_Assessment_-_Strategic_Finance-Dec_2009_without_Cover_-_Frigo___Anderson.pdf; downloaded on 2021-05-26].         [ Links ]

Frigo, M.L. & Anderson, R.J. 2011. What is strategic risk management? Strategic Finance, 92(10):21-22. [Internet: http://www.markfrigo.com/what_is_strategic_risk_management_-_strategic_finance_-_april_2011.pdf; downloaded on 2021-05-26].         [ Links ]

Grove, H. & Clouse, M. 2016. Strategic risk management for enhanced corporate governance. Corporate Ownership & Control, 13(4-1):173-182. [https://doi.org/10.22495/cocv_13i4c1p3].         [ Links ]

Hillson, D. 2001. Effective strategies for exploiting opportunities. In Proceedings of the 32nd Annual Project Management Institute Seminars & Symposium (PMI2001), Nashville USA, 5-7 November 2001. [Internet: https://www.pmi.org/learning/library/effective-strategies-exploiting-opportunities-7947; downloaded on 2021-07-18].         [ Links ]

Hoffmann, C.H. 2017. Strengths and weaknesses of scenario planning as a risk management tool. In Hoffmann, C.H. Assessing risk assessment. Wiesbaden: Springer Gabler, pp.213-218. [https://doi.org/10.1007/978-3-658-20032-9_13].         [ Links ]

IG South Africa 2018. Top 10 biggest corporate scandals and how they affected share prices, IG South Africa. [Internet: https://www.ig.com/za/news-and-trade-ideas/top-10-biggest-corporate-scandals-and-how-they-affected-share-pr-181101 ; downloaded on 2021-07-18].         [ Links ]

ISO. 2009. Risk management: principles and guidelines. International Organization for Standardization, 15-21. [Internet: http://parsetraining.com/wp-content/uploads/2018/11/BSISO-31000-2009.pdf; downloaded on 2021-07-19].         [ Links ]

Kaplan, R.S., Leonard, H.B.D. & Mikes, A. 2020. The risks you can't foresee: what to do when there's no playbook. Harvard Business Review, 98(6):40-46. [Internet: https://hbr.org/2020/11/the-risks-you-cant-foresee; downloaded on 2021-10-27].         [ Links ]

Kliem, R.L. & Ludin, I.S. 2019. Reducing project risk. Abingdon: Routledge. [https://doi.org/10.4324/9781315245089].         [ Links ]

McConnell, P.J. 2015. Strategic Risk Management: a trail of two strategies. Macquarie University Faculty of Business & Economics Research Paper, (38):2-29. [https://doi.org/10.2139/ssrn.3327988].         [ Links ]

Mentis, M. 2015. Managing project risks and uncertainties. Forest Ecosystems, 2(1):1-14. [https://doi.org/10.1186/s40663-014-0026-z].         [ Links ]

Miller, K.D. 1998. Economic exposure and integrated risk management. Strategic Management Journal, 19(5):497-514. [https://doi.org/10.1002/(SICI)1097-0266(199805)19:5<497::AID-SMJ958>3.0.CO;2-M].         [ Links ]

Moosa, I.A. 2007. Operational risk: a survey. Financial Markets, Institutions & Instruments, 16(4):167-200. [https://doi.org/10.1111/j.1468-0416.2007.00123.x].         [ Links ]

Nickols, F. 2016. Strategy, strategic management, strategic planning and strategic thinking. Management Journal, 1(1):4-7. [Internet: https://nickols.us/~nickols1/strategy_etc.pdf; downloaded on 2021-07-19].         [ Links ]

Pargendler, M. 2016. The corporate governance obsession. Journal of Corporation Law, 42(2):359-402. [https://doi.org/10.2139/ssrn.2491088].         [ Links ]

Pieket Weeserik, B. & Spruit, M. 2018. Improving operational risk management using business performance management technologies. Sustainability, 10(3):640-660. [https://doi.org/10.3390/su10030640].         [ Links ]

Prewett, K. & Terry, A. 2018. COSO's updated enterprise risk management framework: a quest for depth and clarity. Journal of Corporate Accounting & Finance, 29(3):16-23. [https://doi.org/10.1002/jcaf.22346].         [ Links ]

Project Management Institute. 2021. A guide to the project management body of knowledge: PMBOK guide. 7th ed. Project Management Institute.         [ Links ]

Rice, C. & Zegart, A. 2018. Managing 21st-century political risk: today's threats are more complicated, but the remedies don't have to be. Harvard Business Review, 130-138. [Internet: https://hbr.org/2018/05/managing-21st-century-political-risk; downloaded on 2021-10-27].         [ Links ]

Roberts, A., Wallace, W. & McClure, N. 2003. Strategic risk management. Harlow: Pearson Education.         [ Links ]

Rumelt, R.P. 2022. The crux: how leaders become strategists. New York: Public Affairs.         [ Links ]

Scherer, A.G. & Voegtlin, C. 2020. Corporate governance for responsible innovation: approaches to corporate governance and their implications for sustainable development. Academy of Management Perspectives, 34(2),182-208. [https://doi.org/10.5465/amp.2017.0175].         [ Links ]

Schwab, K. 2017. The fourth industrial revolution. Sunbury-on-Thames: Currency.         [ Links ]

Schwarze, M.L. & Taylor, L.J. 2017. Managing uncertainty: harnessing the power of scenario planning. The New England Journal of Medicine, 377(3):206-208. [https://doi.org/10.1056/NEJMp1704149].         [ Links ]

Snyder, H. 2019. Literature review as a research methodology: an overview and guidelines. Journal of Business Research, 104:333-339. [https://doi.org/10.1016/j.jbusres.2019.07.039].         [ Links ]

Zakaria, F. 2020. Ten lessons for a post-pandemic world. London: Penguin.         [ Links ]

 

 


Appendix 1

All the contents of this journal, except where otherwise noted, are licensed under a Creative Commons Attribution License.