This is the second part of my earlier post on reputation risk. It is an enlarged version of the portion on strategic risk from my speaking notes used for a talk on reputation and strategic risk to the members of the Board of Directors of a bank based outside India. Needless to say, this is an introductory piece, as strategy, its risks, and their management, together constitute a huge subject in itself.
Omar Sharif immortalised on celluloid the lead roles of Dr Zhivago, Chengis Khan, and Che Guevara, and that of Sherif Ali in Lawrence of Arabia. Lesser known is that in his prime he was one of the top 50 bridge players in the world. He was also a bridge columnist, and author of many bestselling books on Bridge (Play Bridge with Omar Sharif, Play More Bridge with Omar Sharif, etc.). Omar Sharif wrote:
“Many people think of me primarily as an actor rather than as a card player. In fact, I discovered cards more years ago than I care to mention, and I played Bridge at an international level in the 1960s. Acting may be my business, but Bridge is my passion. However, it is fair to say that if I limited my card-playing to Bridge, I’d be a much richer man than I am today!”
Omar Sharif had the pleasure of making his choices as he wished. But, it is different for banks which deal in ‘Other People’s Money.’(I use that phrase deliberately as it is the title of many books on a similar theme, including a classic on frauds by Donald Cressey. For banks, adopting the right strategy is not a matter of leisurely choice but a critical fiduciary responsibility to ensure survival.
Definition of Strategic Risk
As the old proverb goes, the road to hell is paved with good intentions. The same goes for strategies that go wrong. One implements strategies with good intentions based on right or wrong assumptions. Strategic risks threaten to disrupt the assumptions at the core of an institution’s strategy or business plan. It is the risk from changes that threaten to overturn the initial set of strategic assumptions and conditions.
G Sreekumar (that is me) defines strategic risk to be the risk of loss from personnel, finance, and business decisions taken based on certain assumptions, and the foregone income that would have additionally accrued from the “road not taken”. I admit it is a bit convoluted, but this is the first draft of an attempted definition. (The Road not Taken is the title of a poem by Robert Frost).
We will see in greater detail later below what constitutes strategic risk.
A few examples
Among my favourite recent examples is the collapse of Thomas Cook Airlines (see here). Though with a history of pioneering holiday packages going back to the 19th century, the company sat back and watched as enterprising and creative disruptors rewrote the rules of the business. It was in some ways reminiscent of how Kodak missed out on digital photography. Or imagine Encyclopaedia Britannica brought out once in a decade or so competing with a continuously updating and enlarging Wikipedia. The company went into liquidation in 2019 after being in business for 178 years.
There were many reasons for Thomas Cook’s failure. As the internet revolution gripped holiday booking, Thomas Cook persisted with 560 high street outlets. By 2019, only one in seven went to such brick-and-mortar offices. They were mostly above 65, not used to the internet, from lower socio-economic groups, and with less money to spend. Moreover, it could not compete with low-cost airlines. Brexit, Britain’s exit from the European Union, added to uncertainty in pound value and postponed travel plans. The company had not recovered from its disastrous merger with MyTravel in 2007, much like the mergers that Kingfisher Airlines and Air India went through. As early as 2011, debts had ballooned to GBP 2 billion. The brief lesson from Thomas Cook was the Darwinian adage applicable to management, “Adapt or Die”. In other words, change your strategy with moving times, or get trodden over in course of time.
The airline industry’s woes continue. As I write this, today’s Financial Times editorial (10 June 2022) is on flight cancellations. It ends thus:
“…the industry was well aware of the problems it faced, and how long they might take to resolve. It therefore had no business selling tickets it could not honour. Flight cancellations today are a result of earlier overselling. Airlines need to take action now to alleviate passenger misery this summer, when planned strike action in the UK and Europe could make things worse. Cutting flights weeks before travel, when passengers can try to make alternative arrangements, is the least bad option. Cutting them after passengers arrive at the airport is inexcusable. The industry must not make promises it cannot keep.”“Airlines have made promises they are unable to deliver”, Editorial on Financial Times, Asian Edition, 10 June 2022, Page 16.
From banking, I like to quote the example of Wells Fargo, the American bank, with a history going back to 1852, about a decade after Thomas Cook was established. The six-horse stagecoach was its ubiquitous image for a long time. Along with the long went the motto, “Together we’ll go far.” In an era before railroads and flight, the ability to securely transport cash fast between two places must have given a competitive advantage. Its logo underwent two changes, now just the name with a red background.
The bank’s strategy was to squeeze underpaid low-level workers into selling eight products to each customer whether they wanted it or not. As the CEO said, eight rhymed with ‘great’. The hapless employee went about creating such accounts using various dubious practices and without informing the customer who mostly came to know only when unpaid instalments lowered their credit scores. That too when they took the trouble of finding out their scores.
An acerbic Senator Elizabeth Warren asked a stumped, clueless, and nonplussed John Stumpf, the CEO of the bank, to resign, in this stinging condemnation. She also added as follows:
“Okay, so you haven’t resigned, you haven’t returned a single nickel of your personal earnings, you haven’t fired a single senior executive,” … “Instead, evidently, your definition of ‘accountable’ is to push the blame to your low-level employees who don’t have the money for a fancy P.R. firm to defend themselves.”
Indian public sector banks
Back in India, following the first Narasimham Committee recommendations, and the rollout of the Basel I norms, the regulator introduced competition in the early 1990s by giving out new bank licences. These new banks started out on a clean slate, commencing operations on IT platforms and with core banking solutions and other new technology-based innovations. Faced with this challenge of a regulator-induced creative disruption, public sector banks initially opted to wait and watch.
By the time they realized what was happening, they not only lost the first-mover advantage but also significant, and ever-increasing, market share. The biggest market players like the State Bank of India have had to resort to mergers of their subsidiaries to maintain previously unchallenged positions. How these banks came to be subsidiaries and their unquestioned mergers are sordid chapters in the history of banking which I will revisit in a future post.
Importance of Strategic Risk
According to an HBR study, strategic risk is the most damaging of all risks. This study says that strategic risk contributes to 86% of the decline in market capitalisation. Compared to this, operational risk accounts for only 9%, legal and compliance risk 3% and financial misreporting risk 2%.
We are also going through (and have been increasing since the 1970s) a period of change and uncertainty including the following:
- The growing competition among banks, non-banks, and fintech
- Low growth and low global interest rate threaten profitability
- Exploring new avenues for growth
- Ever-increasing and complex technological capabilities throw up new possibilities and challenges
- Financial innovation creating previously unimagined structured products
- Globalisation and the attendant lowering of cross-border barriers
- Mergers and acquisitions lead to new and unknown entities as counterparties with uncertain cultural and technological integration
- Regulatory pressures in the form of increasing stringency in capital requirements and periodical stress testing
Some of these are old and continuing, and some are new. One could increase the list, but the above gives an idea of why continuous strategizing and re-strategizing are critical. Practices in strategic risk management have been deficient due to misalignment of risk appetite with strategy and inadequacy of systems to test and challenge strategic choices.
In the context of fintech, regulators are increasingly resorting to regulatory sandboxes to try out and approve technology-aided financial innovation. Regulators themselves are taking the help of technology and reducing regulatory costs and sharpening supervisory oversight with the use of RegTech and SupTech. The former refers to the innovative use of technology to support regulatory reporting and compliance. The latter refers to the use of such technologies by the supervisors themselves.
Regulators have also responded by reiterating the role of good board governance in strategy making ably assisted by a set of board committees.
Board role in strategic risk
The Basel Committee on Banking Supervision and banking regulators across the world periodically reiterate the role of the board of directors in framing strategy. The role of the board in strategic risk management involves the following:
- Be aware that traditional approaches to regulation and compliance may no longer be sufficient and can even have disastrous results just as multibillion-dollar penalties imposed on a few large banks show.
- Look ahead at future uncertainty. I like to compare this with a videogame where one is anticipating the direction and speed of the falling grenades, or whatever, and accordingly shift and strafe by adjusting the lever to dodge the incoming attacks.
- Integrate strategy with risk management, especially ERM or Enterprise Risk Management, so that it does not come across as an avoidable additional process. This embedded approach to strategic risk management is critical and done with the alacrity and awareness that survival could depend on it.
- Periodically examine vulnerabilities in business models and strategies, capital and liquidity positions, governance structures, and risk management controls.
- Test the defences against challenges posed by different scenarios
- Boards should be prepared for increasing attention to organizational culture and conduct.
What is Strategic Risk
If risk involves deviations from expected outcomes, strategic risk is not inherently undesirable as there can also be upsides. Managing strategic risk is thus not just about prevention of an undesirable outcome, but about anticipating such outcomes and understanding their nature and impact.
Strategic risk preparedness aids leaders to know how to respond to different situations: whether by tweaking strategy, increasing investment, upgrading internal capabilities, taking over a start-up that could add value or else be a future challenge, or changing direction completely. In other words, it shows what pays and what does not in the long term.
Types of strategic risk
Mok and Saha (2017) distinguish between three types of strategic risk.
Strategic positioning risk
This relates to the direction of strategy. The questions to be asked are whether objectives are achievable? Is the strategy well-positioned to create value? For instance, not going in for computerisation and adopting a wait-and-watch approach is a choice. But, as the example of public sector banks has shown, this could result in the erosion of sand from beneath the feet.
Strategic execution risk
Does the bank have the right talent, capabilities, and infrastructure to execute the strategy? The right people, technology, and ability to hedge against the risks? As the case of the merger of three Japanese banks into Mizuho, early this century showed, merging the IT platforms went wrong and resulted in double payments, private pins being made public, and a host of other IT issues.
Strategic consequence risk
This is the risk of unintended consequences of strategy. Will adopting a certain strategy lead to new risks which were not foreseen? For instance, computerising certain operations could lead to fraud and other types of operational risk which were not foreseen and for which a bank is not prepared. Introducing bonuses for directors and employees could make them behave in a manner that puts the bank at greater risk where they share in the upside while the downside is exclusively that of customers, shareholders, or even the taxpayer.
Managing strategic risk
The processes in place for strategy management and risk management, through ERM (Enterprise Risk Management) and otherwise, are similar. Better integrating the stakeholders and others responsible for these will make for better strategic risk management and enable it to take smarter risks.
There should be processes in place that independently reviews strategies for strategic risks
Those in charge of risk should be well versed with risk management tools and technologies to identify strategic and emerging risks.
Banks should have arrangements in place to understand how change and uncertainty under different scenarios will affect key businesses and their products, outcomes or performance measures.
Banks’ Chief Risk Officer could also share responsibility for helping business units take smarter and informed risks. Alternatively, this function could also be with a separate Chief Strategy Officer.
Processes and tools
Strategic risk processes and tools can be applied at the bank level or at the tactical level and business unit level. (From here onwards, my narrative derives largely from Mok and Saha, 2017)
1. Strategic risk review process
This is the first step. In Strategic Positioning Review (SPR), we examine whether the bank/institution is in the right direction. Strategic Execution Review (SER) involves ensuring that we have the right talent and capabilities to execute the chosen strategy. In Strategic Consequences Review (SCR), we speculate whether there could be unintended consequences or new risks as a result of the chosen strategic path.
2. Trend analysis
Mok and Saha (2017) use a four-quadrant matrix mapping ‘momentum’ and ‘speed of displacement’ on x- and y-axes to distinguish between true disruptors and other pretenders (see diagram below). When both are low, it is a flash in the pan. Both need to be high for true disruption. The framework is useful for bankers to analyse the challenges they face.
While analysing the trends, the ability to distinguish noise from signals is critical. Usually, lack of information is not the problem. For instance, with regard to fintech, there is a lot of information out there, but what are the signals? What will be the magnitude and effect of these trends? Of these, which ones should one give credence to? And which among those are we to act upon?
Is there an opportunity to ride the wave and reap benefits from it? Then, the option could be to partner, acquire, or form an alliance with a start-up instead of having to reinvent the wheel all by oneself.
Or are the challenges just a flash in the pan? In which case, it would be wise to ignore it rather than avoid unnecessary investments in try to challenge it.
3. Scenario planning
Under scenario planning or analysis, one assesses the risks and opportunities in the bank’s business environment. Rather than ignore the writing on the wall, it is important to read such writing and think about such uncertainties. The ability to see critical changes, interpret them, and adopt new strategies to continue creating value, is key to strategic leadership. This is particularly important for banks where the uncertainties are more and their impact much harder.
Typical questions that could be asked would be the following:
– What would be the role and impact of fintech three, five and ten years from now? What should we do to meet those challenges?
– How long will the low-interest-rate environment last? If a reversal takes place earlier than expected, what changes do we need to make to our policies?
– How will the economy fare in the remaining quarters of the financial year? How will it impact the key sectors we are invested in? Will a continuing slow down increase our NPAs? What course correction do we need to take?
– Will the licensing of more universal banks affect our growth? If they poach from our executives are we ready to bring in fresh expertise? To what extent will they impact our business growth? Do we need to change our strategies to protect our business share?
4. Assumptions testing
All strategy based on certain assumptions which vary according to the business unit and the jurisdictions they operate in.
Banks should learn to continuously challenge these assumptions. For this, the assumptions need to be made open and documented. Often, the assumptions are implicit and taken for granted so much so that they remain unknown. For instance, one may assume that all General Managers will continue in service till they retire. Or, it could be assumed that 90% of fixed deposits will be automatically renewed. Assumptions need to be recognised and documented at the bank level and functional level. Unless this is done, and thresholds are put in place, it will be difficult to monitor and challenge them.
5. Understanding patterns of disruption
As part of strategic risk management, banks need to understand the nature of the threat and respond accordingly. The threat could be of different patterns. Hagel III and others (2015) identified nine different types of disruptors.
One, for instance, relates to expanding the market and giving customers a range of products and suppliers, as in Netflix vs. traditional blockbusters. The case of Uber and Airbnb disrupting traditional taxis and hotels is that of businesses requiring high capital which can be substituted by underutilised assets available nearby.
Yet another source of disruption is by distributing product development by mobilising many to create one. This was how Wikipedia displaced Encarta and Encyclopaedia Britannica. Markets with a lot of information, enabled by technology, and customer collaborative activism, enable such disruption.
Disruptions which shorten the value chain (Kodak vs digital, IKEA vs. traditional furniture), align price with usage and use real-time analytics, and converge products to bring synergy (1+1 > 2) make traditional models in the financial sector that use significant assets obsolete and vulnerable.
These changes or disruptions make us rethink assumptions about what customers want, value, and in what form. Please see the Deloitte reports linked above and related reports on each of the disruptions for more detail.
While it is important to be forewarned, the incumbents have three options, according to Hagel III and others: contain the disruptor or exit, be the disruption, or undermine the disruptor.
6. War gaming
Gaming strategies, much like war games, can improve and finetune decision-making under uncertainty by continuous testing, rehearsing and refining. These exercises will involve speculation on what data is required and can be discarded, employee reaction, competitor response, and impact on market share. Such brainstorming strategies will also help think outside the box.
7. Understanding the impact of change and uncertainty
Deliberate on what would be the qualitative and quantitative impact of the changes on revenue, assets, business share, value creation, and competitive advantage. To what extent did prior changes to strategy, competition, and other factors contribute to this.
Mok and Saha, 2017, Strategic risk management in banking, Inside magazine.
Andersen and Schrøder, Strategic Risk Management Practice: How to Deal Effectively with Major Corporate Exposures, Cambridge University Press, 2010.
McPhee, Jr., Mastering Strategic Risk: A Framework for Leading and Transforming Organizations, Wiley, 2014.
Andersen, Garvey, and Roggi, Managing Risk and Opportunity The Governance of Strategic Risk-Taking, Oxford University Press, 2014.
John Hagel III and others, Patterns of disruption: Anticipating disruptive strategies in a world of unicorns, black swans, and exponentials, Deloitte. Available here.