
Building your risk management strategy framework

4 critical questions you should consider


Authored by RSM US LLP

Board members, C-suite executives and other organizational leaders have a responsibility to develop a vivid picture of the future and define a strategy to get there. Stress-testing that high-level strategy should be part of your risk management process. Everything a business or other organization does comes with some amount of risk, and understanding that risk on multiple levels is part of the responsibility.

Although companies haven’t traditionally stress-tested risk management strategy, that is changing — especially after the experiences of a global pandemic, multiple disastrous weather events and continuing shortages in vital supply chains during the past two years.

As your organization begins to evaluate its strategy and risk management framework, ask these four questions to discover and address vulnerabilities that could escalate into unacceptable levels of risk.

Risk management strategy question No. 1: 

Have the strategic plan and its underlying assumptions been stress-tested with respect to severe market, customer, supply chain and technology events?

Strategic planning often begins with collecting large volumes of data to use in modeling potential future scenarios, and then analyzing a second wave of data for determining which scenario is best.

As enterprise risk management frameworks catch up to the new reality of proactively planning for so many disruptive outside forces, one emerging practice is stress-testing strategic plans. By incorporating black swan events into the planning process, leadership is able to estimate the possible impact on operations and also identify mitigating strategies to limit overall risk exposure to the business.

Business conditions can shift quickly and impact key areas such as availability of raw materials or an unexpected upward swing of demand — sometimes within months. Having the flexibility to pivot overall strategy if needed is a big competitive differentiator now, and it will be even more important in the future.

Risk management strategy question No. 2:

What short- and long-term changes to our risk management framework may be needed for our strategy to be successful?

Regularly reviewing and updating your risk management framework is essential to identifying and monitoring new or critical risks. When considering changes to your framework, evaluate these potential risk areas.

  • Remote workforce technology risks. The work environment is being stretched through access points that are now potentially vulnerable. Is your organization doing everything for home computers that it was doing for workplace computers? Do employees need to use different applications to ensure security and reliability?
  • Data risks. The amount of data used in organization systems is continuously growing. While there’s a potential for creating high value from data, it comes with risk. As the amount and potential of data rises — including upstream and downstream data from vendors and third parties — are your organization’s skillsets and governance policies keeping up?
  • Talent risks. An organization is only as strong as its people. Does your organization need to evolve its recruiting strategy or its compensation model to maintain a leadership pipeline? What key roles could be co-sourced or outsourced?
  • Cloud risks. Organizations are using more and more cloud technology and services for digital transformation. Have all of the potential risks of moving to the cloud been identified and addressed?

Risk management strategy question No. 3:

How are you monitoring evolving and emerging risks and assessing their impact on your risk management framework?

Organizations should revisit their risk framework routinely to ensure that top risks are aligned with current market conditions. You can leverage governance, risk management and compliance (GRC) software, automation and analytics to help your organization monitor its risk framework in real-time and assess whether modifications are needed in your strategic plan or related activities.

For example, how could shortages of a particular skill set, growing cybercrime threats, or climate changes affect the overall risk framework and company strategy? Failure to monitor current business conditions and their impact on your risk framework, operations and strategy could have significant consequences for the growth and viability of your operations.

Risk management strategy question No. 4:

How is the organization building resiliency and considering lessons learned for any future crises?

One lens to use when updating your risk management framework is lessons learned from recent events. For example, many companies are reviewing and changing their supplier relationships and supply chain management because of the COVID-19 pandemic. When lean inventory practices and sourcing exclusively on low cost led to a lack of materials and parts — and lost business when manufacturers couldn’t fulfill product demand — companies realized supply chain resiliency was a top risk that needed to be addressed.

Another common area to review is cybersecurity. According to first quarter 2021 RSM Middle Market Business Index data, 28% of middle market executives said that their company experienced a data breach in the last year — the highest level since RSM began tracking data in 2015 and a sharp rise from 18% just last year.

In 2020, 33% of respondents reported a ransomware attack and 51% suffered a social engineering attack. If your risk management strategy doesn’t include a strong resiliency component for cybersecurity and other lessons learned, consider how to close that gap.

Update your risk management strategy

By asking these four questions, you can begin to identify and assess the vulnerabilities that could develop into major risks to your business. While results from these assessments can be overwhelming, your organization does not have to address vulnerabilities alone. You can leverage the experience of a trusted advisor to ensure your organization remains healthy and aware of evolving, emerging risks to your business.




This article was written by Emily Leick and Josh McKinley and originally appeared on 2021-06-16.
2021 RSM US LLP. All rights reserved.

RSM US Alliance provides its members with access to resources of RSM US LLP. RSM US Alliance member firms are separate and independent businesses and legal entities that are responsible for their own acts and omissions, and each is separate and independent from RSM US LLP. RSM US LLP is the U.S. member firm of RSM International, a global network of independent audit, tax, and consulting firms. Members of RSM US Alliance have access to RSM International resources through RSM US LLP but are not member firms of RSM International. Visit us for more information regarding RSM US LLP and RSM International. The RSM logo is used under license by RSM US LLP. RSM US Alliance products and services are proprietary to RSM US LLP.

Vasquez & Company LLP is a proud member of the RSM US Alliance, a premier affiliation of independent accounting and consulting firms in the United States. RSM US Alliance provides our firm with access to resources of RSM US LLP, the leading provider of audit, tax and consulting services focused on the middle market. RSM US LLP is a licensed CPA firm and the U.S. member of RSM International, a global network of independent audit, tax and consulting firms with more than 43,000 people in over 120 countries.

Our membership in RSM US Alliance has elevated our capabilities in the marketplace, helping to differentiate our firm from the competition while allowing us to maintain our independence and entrepreneurial culture. We have access to a valuable peer network of like-sized firms as well as a broad range of tools, expertise and technical resources.

For more information on how Vasquez & Company LLP can assist you, please call +1 213.873.1700.
