
See earlier, decide faster: Integrating Risk Management and Strategic Planning


Businesses are operating in a tumultuous world full of risk and uncertainty.

 

“The biggest risk is not taking any risk. In a world that is changing really quickly, the only strategy that is guaranteed to fail is not taking risks.” – Mark Zuckerberg

 

The World Economic Forum highlights how today's challenges are fuelled by the frequency and complexity of threats across risk categories, from geopolitics to economic volatility, and from climate change to population health. Furthermore, the World Risk Report 2024 explains how crises and risks are becoming increasingly complex and interconnected. Extreme weather events, conflicts, and pandemics overlap and amplify each other with powerful impacts.

 

Sound business strategies enabled by robust inside-out risk management have never been more critical. It's not just about preparing for specific risks but also about developing the capability to adapt when the seas turn dangerous. Traditional risk management often focuses on financial risks. However, modern approaches must be much more comprehensive, considering operational, strategic, and digital risks. According to Statista, digital investment in 2024 was expected to reach $2,791 billion, and with this backdrop effective risk management becomes the rudder that keeps strategy on course. Furthermore, strengthening risk governance and improving risk data aggregation and reporting are crucial for high-performance decision-making.


The core ingredients of integrated risk management and strategic planning.

 

Market trends reflect a vital shift from reactive inside-out risk management to a more integrated and proactive approach, ensuring that risk considerations are deeply embedded in the strategic planning process.

 

So, how exactly should risk management and strategic planning be integrated? To answer this question, as described in the book Outside In, Inside Out, it's important to understand the components of the strategy and risk framework to help unpack the integrated nature of seeing ahead. These include environmental scan, risk management, strategic and long-term planning, annual planning, stewardship, and forecasting. The enablers supporting these components include tools and technology, communication and change management, capacity and human capability.

 

  • Environmental scan – An environmental scan forms the foundational stage in this model, where the organization looks above and below the surface to gather comprehensive data about its external and internal situational context. In an interview with former CIA Director General David Petraeus for Chief Executive Magazine, he explains how, "Situational awareness is everything; military leaders who achieve that can feel a situation changing and understand what needs to be done." Environmental scans typically include monitoring industry performance, assessing regulation compliance, and evaluating customer and stakeholder feedback.

     

  • Risk management – The process of risk management should be comprehensive, addressing several elements, including risk identification, analysis, evaluation, and treatment. According to the 2025 EY Global Risk Transformation Study, organizations that have adopted a strategic approach to risk management are half as likely to be surprised by external shocks and a third better at swiftly identifying incidents and mounting a rapid response. So, it goes without saying that risk management itself is central to ensuring effective handling of uncertainties and challenges.

     

  • Strategic and long-term planning – At its most basic level, strategy is a clear set of plans, actions, and goals that outline how a business will compete in or create a particular market, or markets, with its products or services. Long-term planning is proactive, seeking to position the organization favourably by identifying opportunities and threats over an extended horizon. The strategic plan outlines initiatives that guide the organization's focus over a multi-year period. It is informed by the environmental scan and risk management processes.


  • Annual planning – The yearly planning process takes the high-level strategic plan and translates it into actionable near-term plans for the year ahead. This is where tactical decisions are made regarding how the strategic objectives will be met over a year. Annual planning ensures that the strategic vision is translated into day-to-day operations and that resources are allocated effectively to meet short-term goals.


  • Stewardship – Involves monitoring the organization's performance against the current year's plans and targets. It emphasizes accountability and ensures that resources are being used effectively. In this process, the organization tracks performance metrics and responds to any deviations from the plan. If the environment changes, stewardship also involves adjusting the organization's course of action, ensuring it remains on track to meet its strategic objectives.

     

  • Forecasting – According to Investopedia, forecasting is a technique that uses historical data to make informed decisions about future events or conditions. The framework provides insight into future risks, challenges, and opportunities by capturing potential deviations from the planned action. Forecasting ensures that the organization remains proactive and responsive to environmental changes.

 

Foundational enablers supporting the entire framework include tools and technology, communication and change management, and people capacity and capability. These elements are critical for successfully executing all the core components of the framework outlined above.

 

Ten benefits of integrating risk management with strategic planning.

 

Integrating inside-out risk management with strategic planning offers numerous benefits that help organizations navigate shark-infested waters while achieving long-term strategic objectives. At its highest level, by aligning risk management practices with strategic initiatives, companies can identify, evaluate, and mitigate risks in the context of their goals and operational realities. Outlined below are some more specific benefits we’ve experienced from enhanced integration, including:

 

  1. Informed decision-making - Leaders have access to a more comprehensive understanding of potential risks and opportunities in the market. This allows these key decision-makers to make more informed choices, balancing risk and reward effectively. Understanding how various risks can impact the organization helps prioritize where to play and how to win.

     

  2. Alignment of risk and strategy - The alignment between the organization's risk profile and strategic objectives is enhanced. This alignment ensures that the company is pursuing profitable or growth-oriented initiatives and considering how risks could derail these initiatives. It's a double-edged sword, whereby both need to be considered together.

     

  3. Proactive risk management - Rather than reacting to risks after they materialize, risk integration enables a proactive identification and mitigation approach. By embedding risk management into strategic planning, organizations can foresee potential challenges and plan to address them as part of risk-informed strategic choices. For example, Mars Inc., due to a faulty product, implemented a rapid, proactive risk mitigation strategy, quickly recalling millions of chocolate bars across 55 countries, with the impacts of the recall barely felt.

     

  4. Better resource allocation - Strategic planning involves prioritizing projects, initiatives, and investments to ensure business resources are allocated to the highest ROI investments. Integrating risk understanding helps organizations allocate resources more effectively by considering the risk-reward profile of each option. Initiatives that offer high returns and significant risks can be balanced against lower-risk, lower-return projects.

     

  5. Enhanced organizational resilience – Resilience is the strategic organizational capability to mitigate and adapt to disruptive and destructive threats, reshape environments, and overcome foreseen and unforeseen risks. Integrating risk with strategic planning enhances an organization's ability to withstand and recover from disruptions.


  6. Improved risk culture - When risk management becomes part of strategic discussions, it fosters a risk-aware culture across the organization. Employees and leaders at all levels understand the importance of considering risks in everything they do.

     

  7. Improved risk visibility, transparency and relevance - Integrating ERM with strategic planning enhances the visibility of risks across the organization. Unlike traditional bottom-up approaches, which have a difficult time getting to strategic high-impact risks, embedding risk management within strategic discussions ensures risks are evaluated in context, increasing their relevance and clarity.


  8. Facilitates dynamic strategy adaptation - The strategy must often evolve to meet new challenges and opportunities in a rapidly changing business environment. Integrating ERM allows organizations to adapt their strategy dynamically in response to emerging risks. Businesses can make real-time adjustments by continuously monitoring risk factors that could impact strategic initiatives, ensuring their strategies remain relevant and achievable.


  9. Balanced risk appetite – Organizations that do not integrate enterprise risk management with strategic planning often find formalizing their risk appetite challenging. Integrating the two helps define and maintain an appropriate risk appetite by allowing it to be framed in terms that are meaningful to senior leaders. For example, at Nationwide Insurance in the UK, risk management enabled senior management to identify, measure, and limit to acceptable levels the net exposures faced by the firm. This cushioned the downside outcomes and protected its credit rating, maintaining its access to capital.


  10. Enhanced performance monitoring - By embedding risk management within strategic planning, organizations can set key performance indicators aligned with risk management and strategic goals. This integration improves performance monitoring, ensuring that risks are factored into assessments of how well the organization achieves its objectives.

 

Act now and integrate risk and strategy to propel your business forward.

 

Integrating inside-out risk management with strategic planning is like plotting a clear course through unpredictable waters. It enables a holistic approach to growth and long-term sustainability, ensuring risks are managed to support strategic objectives. It also sharpens decision-making, fosters a proactive risk culture, and strengthens resilience. Organizations that integrate these disciplines are better equipped to steer through uncertainty, avoid hidden dangers, and seize opportunities on the horizon.

 

The future is full of risks and opportunities; charting your strategy is the compass that keeps you on course.

 

By Bill Kessels – EY Canada Managing Partner Risk Management & Dr. Lance Mortlock – Author of Outside In, Inside Out, EY Canada Managing Partner Industrials & Energy


Dr. Lance Mortlock

DR. LANCE MORTLOCK is the Managing Partner, Energy & Resources Canada at Ernst & Young (EY) and has provided management consulting services on 200+ projects to more than 80 clients in 11 countries.
