STUDENT ID: UP2051794
Critically discuss the relationship between strategic risk management (SRM) and enterprise risk
management (ERM)
Introduction
The concepts of strategic risk management (SRM) and enterprise risk management (ERM) are
topics of increasing interest for study and research among academics and practitioners
(Bromiley, Rau & McShane, 2014; Andersen & Roggi, 2012; Frigo & Anderson, 2011).
According to Bromiley et al (2014) the concept of SRM has been in use longer than ERM
although usage of the concept has changed over time (in 1985 and 1990 respectively). In their
opinion, even though both concepts have been in use for decades, there has been confusion
regarding their meanings.
This paper will begin by reviewing the conceptualizations of the terms SRM and ERM in
literature and examine the relationships between the two concepts as presented in past studies,
papers and research. Finally, it will provide models and theoretical perspectives on their
application.
According to the COSO risk management framework of 2004 (as cited in Andersen & Sax 2019,
p.8) ERM is a process, effected by an entity’s board of directors, management and other
personnel, applied in strategy setting and across the enterprise, designed to identify potential
events that may affect the entity, and manage risk to be within its risk appetite, to provide
reasonable assurance regarding the achievement of entity objectives. It can be inferred from this
definition that the purpose of ERM is to identify potential events (positive and negative) that
may affect the organization and manage them to be within an acceptable level, while the purpose of
SRM is to employ information derived from ERM in the application of strategy in order to achieve
objectives. It also emphasizes that ERM is related to “strategy setting,” which implicitly denotes
that SRM is a part of ERM.
Andersen (2015, p.7) alludes to confusion in the use of the term SRM. He described SRM as “a
relatively poorly defined concept with different meanings to different people depending on their
background, professional anchoring, managerial context and purpose of focusing on something
referred to as strategic risks.”
Similarly, Bromiley et al (2014) agree that SRM is not a unilaterally defined concept. They
explained that whereas this is the case, SRM is generally understood in quite different ways
across various academic fields as well as by different professional practitioners. They argue that
from a financial perspective strategic risk may mean volatility in price and returns, for regulators
it may mean a shortfall in capital and from a contingency view, it may refer to the internal and
external environmental implications such as competition, technology and political factors.
The Risk Management Society-RIMS (2021) defined SRM as a business discipline that drives
deliberation and action regarding uncertainties and untapped opportunities that affect an
organization’s strategy and strategy execution. This definition focuses on the upside of informed
risk-taking to exploit opportunities in anticipation of rewards. It adds that SRM can identify
situations in which risk can be a competitive advantage instead of only a threat to the strategic plan. So
rather than focusing on protecting against loss by avoiding or minimizing risks, organizations
should recognize the potential value of risk taking.
COSO (as cited in Andersen 2015, p.21) defined SRM as a part of ERM that enables top
management to link strategy with risk management in a highly uncertain environment. This is
consistent with the definition by the COSO framework updated in 2017 (as cited in Andersen &
Sax 2019, p.8) which described strategic risk as the part of ERM that focuses on management of
a specific category of risks known as ‘strategic risks.’ In supporting this view in their discourse
on pivoting from ERM to SRM, Moller, Utter, Walker and Wasserman (2020) focused on the
three strategic dimensions of strategic risks. These dimensions include the risk of misalignment
of the strategy, the risk to the strategy, and the risk created from an organization’s strategy. They
argued that for most organizations, ERM was effective in identifying all types of risk except
strategic risks. SRM can therefore be said to focus on this ‘special’ category of risks in tandem
with ERM.
In 2017, COSO issued an updated ERM framework that clarified the role and objectives of ERM
and the need to integrate it with the organization’s strategy-setting process. COSO (as cited in
Andersen & Sax 2019, p.8) defined ERM as the culture, capabilities, and practices, integrated
with strategy-setting and performance that organizations rely on to manage risk in creating,
preserving, and realizing value. This definition reinforces the idea that strategy-setting is
embedded in ERM as illustrated in figure 1 below: the COSO 2017 ERM framework strategy.
Figure 1: COSO 2017 ERM Framework Strategy
[Figure not reproduced. Elements shown: Mission, Vision & Core Values; Strategy, Business Objectives & Performance; Enhanced Performance. Annotations: probability of strategy not aligning; implications from the strategy chosen; risk to strategy and performance.]
Source: Anderson and Frigo (2020)
From the above ERM framework (figure 1), the role of ERM is to enhance organizational
performance (create and protect value). According to Anderson and Frigo (2020), ERM
accomplishes this by helping the board and management make better informed decisions that
enable them to effectively manage those risks that could impair their ability to achieve strategies
and business objectives. It can be concluded therefore that SRM and ERM are concomitant and
related.
Frigo and Anderson (2011) defined SRM as a process for identifying, assessing and managing
risk anywhere in the strategy with the ultimate goal of protecting and creating value. The
definition of ERM by COSO (as cited in Andersen 2015, p.21) and the definition of SRM by
Frigo and Anderson (2011) seem to coalesce around the idea that both processes have the same
goal of creating and protecting value.
It can be observed from these arguments that a similarity between ERM and SRM is that they are
both multi-disciplinary in nature. There are varied definitions that are observed based on the
functional context of application that have been formed by a multitude of academic and
professional pronouncements. They can adopt different theoretical rationales depending on the
context. However, the big question is whether they are related, whether one is a subset of another
or whether they are independent silos handling different risks.
The relationship between SRM and ERM is a major subject of debate in both academia and
professional practice as evidenced by several studies that have dwelt on this topic. For example,
there have been attempts to differentiate the two terms using varying approaches. Andersen and
Sax (2019) provide an interesting perspective on why it is often difficult to clearly distinguish
between SRM and ERM. They argue that the proponents of ERM tend to argue that ERM also
considers strategic risks while proponents of SRM argue that ERM is still quite unfledged in its
ability to manage strategic risks.
In examining these diverse approaches, several questions arise. First is whether SRM is a
different category of risk management or a sub-set of ERM. Second is whether SRM focuses on
the management of strategic risks only or whether it refers to activities to mitigate future events
that are likely to affect the organization. The third is whether any type of risk has the potential of
being categorized as a strategic risk or whether only certain types of risks can be categorized as
strategic depending on whether they have an impact on organizations’ objectives.
To analyze the first question on whether SRM is part of ERM, it is important to examine whether
organizations have linked their strategic planning processes with risk management to gain an
insight on industrial perceptions. A significant section of research has proposed that SRM and
ERM should be integrated (Moeller, 2007; Andersen, 2012; Beasley, Branson & Pagach, 2015;
Beasley and Frigo, 2009). Beasley and Frigo (2010) postulate that if risk management is not
connected to strategic planning, blind spots in the execution of a strategy can be overlooked.
Andersen and Sax (2019) report that, in their study, ERM users expressed frustration over
how to exploit the upside potential of risk and how risk management is involved in the formation
and implementation of strategy. They assert that this is the reason why strategic planning and ERM
have remained disintegrated in most organizations, managed in separate silos.
Moller, Utter, Walker and Wasserman (2020) support this view by observing that some
organizations view SRM simply as applying risk-focused methodologies with a lens on singling
out strategic risks within their overall ERM practices. At times, organizations and risk
professionals simply consider SRM an extension and evolution of ERM (ibid).
ERM has been found to be an antecedent for SRM by COSO (as cited by Moller et al, 2020)
which observes that whereas the purpose of ERM is not to determine the objectives and strategy,
it provides support for strategy setting by first setting the risk appetites as a criterion for selecting
alternative strategies supporting organizational decisions. ERM can determine the basis of
evaluating how strategy may affect the firm with respect to achieving goals.
In stressing the relatedness of SRM and ERM, Anderson and Frigo (2020, p.4) highlighted that
“ERM helps organizations identify, assess and manage the risks to their strategies. It is a
practical way to create and protect value and should be an integral part of the strategy selection
process. It can be concluded that ERM is not a separate, stand-alone function but is embedded in
the fabric of how the organization sets and monitors its strategies and helps enhance the overall
performance of the organization.”
Anderson and Frigo (2020, p.4) provided a clear explanation of the relationship between
strategy, risk, performance and value creation. They argued that “the governing body should
appreciate that the organization’s core purpose, its risks and opportunities, strategy, business
model, performance, and sustainable development are all inseparable elements of the value
creation process.”
This encapsulates the idea that ERM helps organizations identify, assess and manage the risks to
their strategies. It is a practical way to create and protect value and should be an integral part of
the process of choosing strategy. Understanding the role of ERM is key to avoiding a common
mistake many organizations make: considering ERM to be a separate function.
In conjunction, Louisot (2014) argues that the emergence of the term strategic risk management
as a new discipline is unnecessary and that ERM was always intended to capture the strategic
emphasis now highlighted by SRM but many failed attempts at ERM missed this opportunity. It
adds that SRM is a rebranding of ERM that is often useful to initiatives that have failed to get the
traction necessary for long term acceptance and success. This observation suggests that had ERM
been implemented successfully and as intended there would be no need to implement SRM as a
separate concept. This is an interesting observation that discredits the need for implementing
SRM separately from ERM.
Contrastingly, whereas the view by Louisot (2014) does not support the need for emergence of
SRM as a new discipline, it states that the recently developed concept of strategic management
can add value to ERM provided it is interpreted as including the disciplines of influencing,
development, and implementation of organizational strategy.
In analyzing the two divergent viewpoints by Louisot (2014) we can conclude that SRM draws
attention to strategic management and provides opportunity for its development and
implementation. Strategy runs the organization, ERM manages risks to the strategy.
Several authors have taken the view that ERM is the management of all risks including strategic
risks. Frigo and Anderson (2011) stated that strategic risks are the most consequential to the
organization’s ability to execute its strategies and achieve its business objectives. They add that
SRM, then, is focused on the most significant risks to value, an area deserving of the time and
attention of the executive and management.
Strategic risk assessment has been identified as a step in implementing ERM in an organization.
Anderson and Frigo (2020) outline eight steps including conducting an initial assessment of key
strategies and related risks. The paper proposes the use of two models (the Return Driven
Strategy Model and the Strategic Risk Management Model). The former is used to identify the
major strategic initiatives of the organization while the latter is used to identify risks related to
those key strategies. This underscores the importance of SRM in ERM and underpins the
symbiotic nature of the relationship between risks and strategies.
According to Anderson and Frigo (2020) both models are used sequentially, first to select key
strategies of the organizations, and secondly to identify and manage critical risks. The activities
of the organization are broken down into units. This is important to categorize discrete strategies
so that related risks can be derived. It also facilitates the prioritization of risks.
Anderson and Frigo (2020) presented an example of an audit committee of a firm
that did not have sufficient time in its agenda to review some “invisible risks” (black swans).
These are risks that have a low likelihood of occurrence but the potential for high impact on
the organization if they materialize. By using these two models, the committee was able to fit
these invisible risks into its agenda, which proved valuable in opening discussion of new areas
of risk. The Return Driven Strategy Model is illustrated in figure 2 below.
Figure 2: Return Driven Strategy Model
Source: Anderson and Frigo (2020)
The Return Driven Strategy describes the pattern of strategic activities of high-performance
companies regardless of industry or geographical location. The framework is a summary of
eleven tenets against a backdrop of a delta symbol, the symbol for change. These represent
eleven important activities that lead to wealth creation. The first tenet is a commitment to wealth
creation while the others are the means for reaching the highest tenet.
Figure 3: Strategic Risk Management Model
Source: Anderson and Frigo (2020)
The Strategic Risk Assessment Process and related models also provide an approach to identify
and work with a manageable number of critical risks that are most significant in regard to the key
strategies of the organization from the Return Driven Strategy model. This process provides a
way to prioritize those risks.
These two models are in line with the ERM principles by COSO (as cited in Anderson & Frigo
2020, p.15) which propose first identifying strategies and then risks related to the strategies
chosen.
Having established the existential importance of embedding SRM in ERM based on the 2017
ERM framework by COSO and the results driven strategy, Bromiley et al (2014) drew attention
to the Resource Based theory with a focus on how SRM and ERM may protect and create value.
Bromiley et al (2014) state that the RBV proposes that only rare, valuable and hard to imitate
and substitute resources or capabilities can give firms persistent competitive advantage. In their
opinion, SRM and ERM, if implemented as an area of excellence, may protect and create value
by allowing organizations to improve performance by reducing the negative impact of
unanticipated events.
This approach implies that the effective implementation of ERM and SRM provides a
competitive advantage to firms in terms of performance and creating value. It can also be
inferred that if more and more firms adopt SRM, it will eventually cease to be an area of
competitive advantage since it will no longer be a special resource.
However, Bromiley et al (2014) countered this line of argument by explaining that even publicly
available resources can create value for organizations based on empirical evidence from various
fields. They assert that in a typical sector, the majority of organizations exhibit normal returns with a
few exhibiting super-normal returns. The presence of rare resources in these organizations enables
them to earn super-normal returns.
Bromiley et al (2014) argued that firms’ ability to evaluate the positive results of implementing
SRM and ERM is questionable. They proposed that to assess the risk impacts of ERM and SRM,
there is a need to assess the riskiness of outcomes with and without SRM and ERM (control and
dependent variables). They explain that this difficulty is compounded by the fact that such
assessments may require long periods of time (perhaps decades) to study.
For example, they speculate that the best measure of effectiveness may be for firms to measure
risk outcomes between two periods of financial crises which historically have occurred
approximately once every ten years.
Another important question that needs to be answered is whether any type of risk has a potential
of being categorized as a strategic risk or whether only certain types of risks can be categorized
as strategic depending on whether they have an impact on organizations’ objectives. Andersen
(2015) takes a contrastive view of the relationship between SRM and ERM. He argues that any
type of risk management can be considered strategic if it has implications for strategic outcomes.
He postulates that strategic risk management is a conceptual expansion of risk management
indicating that risk management somehow has become strategic. Using the term may simply
indicate that the derived concept is considered important with the aim of giving it a more
imposing flair.
Andersen (2015) stated that the concept of SRM relates to the task of identifying different types
of risk events that might affect the organization’s ability to carry out its purpose and prepare it to
deal better with those risks. To clarify this point, Andersen (2015) attempts to differentiate
between SRM as an activity and the category of risks known as ‘strategic risks’ and illustrates this
using the following framework.
Figure 4:
Source: Andersen (2015)
From the illustration above, SRM involves more than just managing the category of risks
traditionally classified as strategic. The interpretation of SRM focuses on the organization’s
ability to deal with events that are strategic to the organization whatever their origins. The
illustration also implies that strategic risks are caused by exogenous factors (factors in the external
environment).
Andersen (2015, p.21) clarifies that not all risks can be classified as strategic risks and states that
“if every risk is strategic, then nothing is.” He argues that the distinction between strategic and
other risks is that strategic risks deal with strategic issues. Secondly, strategic risks generally
imply risks large enough that the firm should care about the risk per se whereas for operational
risks the focus should be on expected values.
Bromiley et al (2014) examined the relationship between SRM and ERM by answering the
question on whether only certain types of risk can be termed strategic. They concluded that
“SRM is a subset of ERM and that strategic risk is more usefully defined as applying to risks that
have strategic importance rather than a specific kind of risk” (Bromiley et al, 2014, p.2). This
conclusion requires insight on what constitutes a “strategic risk” in the context of the ERM
framework illustrated in figure 1 which implies that all strategies have embedded risks.
From the reviewed pieces of literature, it is evident that SRM is an antecedent and an important
part of ERM. Both ERM and SRM have the potential to affect organizational performance and
create and protect value. Strategy is what drives the organization, ERM manages the risks from
the strategies. SRM includes more than just managing the category of risks known as strategic
risks.
This paper has examined the definitions of SRM and ERM. It has examined the relationship
between SRM and ERM within the body of literature and presented theoretical perspectives and
models relevant to the discipline.
References
Andersen, T. J. (Ed.). (2015). The Routledge Companion to Strategic Risk Management. Taylor
and Francis. https://www.perlego.com/book/1556307/
Andersen, T. J., Garvey, M., & Roggi, O. (2014). Managing Risk and Opportunity: The
Governance of Strategic Risk Taking. Oxford University Press.
http://libsearch.cbs.dk/primo_library/libweb/action/dlDisplay.do?docId=CBS01000670348&vid=CBS&afterPDS=true
Andersen, T. J. & Roggi, O. (2012). Strategic Risk Management and Corporate Value Creation.
Paper presented at Strategic Management Society 32nd Annual International
Conference. SMS2012.
https://researchapi.cbs.dk/ws/portalfiles/portal/58853215/Torben_Andersen.pdf
Andersen, T. J. & Sax, J. (2019). Strategic Risk Management: A Research Overview. Routledge.
New York, NY 10017
Anderson, R. & Frigo, M. (2020). Creating and protecting value: understanding and
implementing enterprise risk management. Committee of Sponsoring Organizations
of the Treadway Commission.
https://www.coso.org/Documents/COSO-ERM-Creating-and-Protecting-Value.pdf
Beasley, M. & Frigo, M. (2010). ERM and Its Role in Strategic Planning and Strategy Execution.
https://doi.org/10.1002/9781118267080.ch3
Beasley, M., Branson, B. & Pagach, D. (2015). An analysis of the maturity and strategic impact
of investments in ERM.
https://www.sciencedirect.com/science/article/pii/S0278425415000101
Bromiley, P., Rau, D. & McShane, M. (2014). Can Strategic Management Contribute to
Enterprise Risk Management? A Strategic Management Perspective. 1-2.
https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2512477
Frigo, M. & Anderson, R. (2011). Strategic risk management: A foundation for improving
enterprise risk management and governance. The Journal of Corporate Accounting
& Finance. 81-88. https://onlinelibrary.wiley.com/doi/epdf/10.1002/jcaf.20677
Frigo, M. (2009). Strategic Risk Management: the new core competency. Management
Synergies.
https://studylib.net/doc/8311899/strategic-risk-management--the-new-core-competency
Louisot, J. & Ketcham, C. H. (2014). ERM - Enterprise Risk Management: Issues and Cases.
Wiley. https://www.perlego.com/book/995004/
Moeller, R.R. (2007). COSO Enterprise Risk Management: Understanding the New Integrated
ERM Framework. John Wiley & Sons.
https://www.scirp.org/pdf/ME_2014041815105627.pdf
Moller, J., Utter, J., Walker, P., & Wasserman, J. (2020). Pivoting from ERM to SRM. Risk and
Insurance Management Society.
https://www.rims.org/about-us/newsroom/news/rims-report-pivoting-from-erm-to-srm
Risk and Insurance Management Society (2011). Why Strategic Risk Management? 1-2.
https://www.rims.org/docs/default-source/default-document-library/faq-on-srm-
and-erm-final-april-20 011.pdf?sfvrsn=c58085ec_4#:~:text=By%20incorporating
%20a%20disciplined%20strategic,reframe%20risks%20as%20potential
%20opportunities
Risk and Insurance Management Society (2021). About Strategic & Enterprise Risk
Management (SERM).
https://www.rims.org/resources/strategic-enterprise-risk-center/about-serm
Tonello, M. (2012). Strategic Risk Management: A Primer for Directors.
https://corpgov.law.harvard.edu/2012/08/23/strategic-risk-management-a-primer-for-directors/