Business Strategy, Risk Management, Checking Boxes, and Adding Value

By Eric Bonnell, SVP - Risk Management, Atlantic Union Bank

What drives our business decisions? So many questions. So many assumptions. So many interdependencies. So many perspectives to consider. What truly drives our strategy and focus?

Are we strategically risk-tolerant, like someone with a high threshold of pain, or risk ignorant, like Ralph Kramden and his get-rich-quick schemes? Perhaps that is driven by FOMO (fear of missing out). Perhaps it’s a need to do anything we can to succeed against all odds.

Perhaps, the opposite might be true? Are we risk-averse, like a miser protecting gold? Perhaps it’s driven by fear of losing control. Perhaps it’s a need to slow down change to a point where we feel safe.

How do we plan business strategy? How do we remain resilient? What contingency plans should be prioritized? What are we planning for and to what level? What is the return on our time investment to plan and is it enough?

How does risk play into all of this? Is our risk management driven by appeasing our regulators or do we actively drive business strategy with an Integrated Risk mindset?

Using Risk Management to Drive Strategy

Businesses exist to make money. No matter the design or pricing of the product, the commitment to customer service and quality, the connection with teammates, the level of social consciousness, the scrutiny of the regulator, the investment capital or liquidity, or the strategic plan, profit drives the business.

The above list includes only some key risk considerations. Profit dictates the level of commitment and the priority that the organization chooses when addressing risk within its initiatives. In turn, sound risk management protects profit, whether by avoiding risk or providing insurance of some sort against the impact of a potential risk event.

Don’t Just “Check the Box”

Favorable risk practices, by the regulatory book, are meant to demonstrate a level of comfort that the organization. In general, this is the case; however, it can lead to a “check the box” mentality if the focus is on completing risk assessments and building dashboards instead of leveraging risk knowledge to provide better decisioning.

While formal risk assessments are important and provide a wide net of risk understanding, they might not reveal specifics that need to be addressed. To help with this, Operational Risk Management should closely partner with Quality Control teams, Regulatory Compliance, and Audit to identify the true areas of concern that can lead to negative impact.

The Risk Manager will help articulate these concerns in terms of risk, which in turn translates into investment in people, processes, and technology to address the issues. Proactive transparent conversations with the business lines and management on these issues will lead to early warning, better budgeting, and less resource churn.

So Many Different Perspectives to Consider

Enterprise Risk strives to enable a rational strategy by informing the business on the impact of actions against these types of risk:

  • Capital, Liquidity, and Market Risk
  • Credit Risk and Model Risk
  • Operational Risk and Technical Risk
  • Legal and Regulatory Risk
  • Reputational Risk

Each of these has an effect or influence to varying degrees on the others. Having a meaningful and rational way to understand Integrated Risk for an organization leads to a better understanding of the cost of doing business in the manner that is commensurate with the amount of risk that the organization is willing to tolerate. This drives better decisioning, better financial decisions, and likely supports the generation of more profit.

How Should Risk Management Actually Add Value?

Enterprise Risk Management must primarily provide a lens into the Integrated Risk landscape from all perspectives at the bank. Integrating the organizational risk knowledge from different perspectives and at different levels is a daunting task without:

  • a committed organization-wide risk culture, driven by an organization that is effectively sized, spanning the organization, to support transparent relationship management with the lines of business
  • a clear risk management framework and the discipline behind it to drive the collection, assessment, maintenance and reporting of risks from different perspectives
  • a place at the table when it comes to developing and aligning strategy at all levels of the organization

The risk of not operating an effective Enterprise Risk Program is that the business areas, which are experts in their specific disciplines, might develop a myopic view of resulting impacts to their line of business and the enterprise. Partnering with the business using comprehensive and sound risk practices sheds light on the blind spots to the organization that are best considered when making strategic decisions.

Using an Integrated Risk Management (IRM) Tool to Pull It All Together

Well-implemented Governance, Risk, and Controls (GRC) applications support effective Integrated Risk Management. Being able to aggregate both quantitative and qualitative data into a meaningful understanding of the organizational risk landscape is of great value to effective organizational strategic planning.

The challenge of GRC implementation is to design and implement a clean and deliberate system, including a comprehensive risk framework, mature risk management processes, and sufficient data and technology. The gathered risk information will then be intelligible across different risk disciplines, producing a clear, meaningful, and comprehensive risk priority roadmap to inform and drive sound organizational strategy.

Having the ability to drive risk knowledge down to the level of management that can act upon it will be a huge benefit. Accountability becomes transparent and, after the initial shock of the new process is overcome, the organization can take advantage of this gateway to corporate knowledge.


Enterprise Risk should strive to provide the best information to the organizational strategic process through a comprehensive program, designed to capture risk information at all levels of the organization. Adhering to a standard risk management framework enables a meaningful aggregation across different risk disciplines, whether quantitative or qualitative in nature, to canvass the full organizational risk landscape. This enables the business to make rational holistic decisions to support the organization.

