Strategic Risk Management?


I’ve been deleting the word strategic from a lot of documents lately.

And it’s assisting immensely.

You see I’ve got this idea that the more times a person uses the word strategic, the more likely it is that the person is puffing or bluffing.

In the risk and assurance space using the word strategic usually does little to aid understanding. In most cases it’s just misleading.

Take the term ‘strategic risk management’ (SRM) which is cropping up everywhere these days.

Somehow SRM has ended up in the accountabilities template for NSW Government agencies. Apparently they’re now supposed to be responsible for strategic risk management as opposed to good old fashioned risk management. Now this would be fine if anyone knows what SRM is. I know what risk management is, I even know what enterprise risk management is, but strategic risk management? Is it the management of strategic risks perhaps? Or something other than tactical risk management?

The Risk Management Society in New York had a go recently at defining SRM. They’ve got a discussion document out on it in fact. The discussion document is useful. It says that SRM is an evolving discipline – in other words, they don’t know what it is either.

And then take the term ‘strategic audit plan’ which I still see regularly.

These documents are usually a standard audit universe spread over three years. They tend to ignore external conditions or do other things that strategic documents are supposed to do. But because their focus is on more than this financial year, the documents must be strategic. The reality is that it’s often anything but.

So when I see the term strategic appear in a charter, article, brochure or job title I get wary.

So the simple solution, delete the word strategic. I do. It adds amazing clarity.

Better still add the letters ‘un’ to the front – ‘unstrategic’, or delete and put ‘tactical, and add ‘with a time horizon of slightly longer than 12 months but not longer than my current tenure or bonus time frame’ in front of it.

I think you’ll find this clarifies many things immensely.


This opinion piece was one of the cover stories in Issue 86 of Risk Magazine, July 2011. Todd Davies has been championing a better understanding on strategic risk for many years and taught the IIA’s first courses on this topic.

He contends that strategic risk is a class of risk in it’s own right and needs a dedicated identification process involving external viewpoints. 

For more on Strategic Risk Management, click here.