The journey to strategic risk management

Ryan C. Luttenton, Clayton J. Mitchell, Gayle Woodbury
In our previous article about strategic risk management, Crowe risk management specialists introduced three fictional risk management leaders – Edward, Jeanine, and Pierre – and described their unique circumstances along with their dreams for a better approach to financial services risk management.

Crowe specialists can help your teams transition to a business-empowered risk management approach. 

In this infographic, the same Crowe specialists take Edward, Jeanine, and Pierre further along their journey to a business-enabled risk management approach and a seat at the organization’s strategic table.

Choose your adventurer

Some risk leaders have longer journeys than others, but the goal for each is the same.


Edward has a huge risk management to-do list and never enough time. He struggles to find talent to fill key roles. All his time is spent on solving urgent problems. Edward needs to find his footing so he can begin thinking strategically.


Jeanine inherited a risk management program that’s over-engineered and too complicated. The overgrowth of roles and processes obscures a strategic through-line. More than anything, she needs a breath of fresh air and an opportunity to simplify.


Pierre’s risk teams are highly competent, but they handle too much. His organization sees little coordination between first- and second-line teams, which means strategy and communication suffer. Now, Pierre needs to bring business and risk teams together in collaboration.

Desert of Scarce Resources

  • Assess
    • Collaborates with the first line to identify important risks related to products and services and develop shared language
    • Integrates risk management into products, services, and processes instead of operating within a rigid line-of-business structure

Maze of Complexity

  • Align
    • Works with leadership to implement a proactive, right-sized risk management approach that’s aligned to risk appetite
    • Communicates with stakeholders to identify and remove unnecessary tasks that don’t affect risk exposure

Forest of Unclear Communication

  • Reorient
    • Adjusts tone from “the second line does it all” to emphasize first-line responsibility; smooths transition via change management
    • Identifies which risk management activities might be handled by business teams so risk teams can shift to advisory and governance
    • Shifts to a first-line perspective and talks about risk management using business-oriented language
  • Harmonize
    • Moves many risk management activities into the first line so that the second line can focus on governance and risk oversight
    • Aligns business and risk management teams through standard hierarchies and taxonomies for risk and controls
    • Refines taxonomies and risk assessments for consistency across risk areas and throughout the organization

Road to Strategy

  • Document
    • Captures and communicates information in terms that are meaningful to the first line
    • Blends business data with governance data so the organization can evaluate risk management costs versus opportunity costs
  • Assess
    • Identifies concentrations of risk to allocate governance resources and address hot spots
    • Moves toward assessing risk based on change instead of fixed intervals
  • Report
    • Implements technology that allows business and risk teams to monitor and react to data in real time
    • Integrates tools and technologies to push and pull data efficiently and without manual manipulation
  • Respond
    • Responds quickly and with sharp focus when risk threshold or appetite is breached
    • Manages issues in accordance with a robust issues management program
    • Applies deep understanding of the business and risk landscape to advise business teams on growth strategies


With risk management tasks shifted to the business while your risk teams provide guidance in business-oriented terms, you can serve as a strategic resource for your organization and help drive innovation, growth, and business value.

Every great risk management journey begins with a vision for the right result.

As you embark on your strategic risk management quest, have you considered the foundational elements that a successful risk management framework includes? The right strategic risk management framework accounts for and addresses:

  • Risk appetite. Risk management should align to the overall level and types of risk the board and management are willing to assume to achieve strategic objectives and advance the business plan. The organization’s risk appetite needs to remain consistent with applicable capital, liquidity, and regulatory requirements.
  • Governance and oversight. At the highest level, oversight should come from the organization’s board of directors. Oversight should create and maintain clear lines of risk management accountability and a structured escalation process for key risk information.
  • Organization and structure. Risk organization and structure should create checks and balances in an adaptive risk management framework. Effective lines of defense should carry the expertise and organizational standing to deliver critical insight and sustain credible challenges.
  • Data and aggregation. Safe and sound governance and risk management activities depend on robust, secure, and reliable risk measurement and reporting capabilities. These capabilities include cross-organizational, comprehensive risk reporting and a data governance program for the systems and processes that capture and aggregate risk data.
  • Risk processes. In an effective framework, strategy needs to translate to processes. The primary goal for programs and processes should be to make sure that adequate controls and risk considerations become fully incorporated into day-to-day business activities throughout the organization.
  • Risk culture. Culture follows the tone from the top, so the board and executive management need to establish and communicate the organization’s risk management values and expectations. Employees at all levels should feel empowered to speak up and talk openly about risk considerations.

Knowing these elements of a successful framework can help you avoid detours and stay on a path toward a more holistic risk management approach and a more confident, risk-informed business line.

Crowe specialists can help risk management teams claim a seat at the table. 

We’ve guided a range of banks and financial services companies on the journey to realize a strategic, highly efficient strategic risk management framework based on shared language and responsibility between the first and second lines.

Contact us and let’s start the journey together, today.

Crowe banking risk management and enterprise risk management specialists have the deep skillsets, resources, knowledge, and perspectives to help your organization build a fundamentally different and more holistic approach to risk management.

Ryan C. Luttenton
Partner, Financial Services Consulting
Clayton J. Mitchell
Managing Principal, Fintech
Gayle Woodbury
Principal, Integrated Risk Management Leader

The names, businesses, situations, events, and incidents are the creations of the author's imagination and are being presented for demonstration purposes only. Any resemblance to actual companies, persons, living or dead, or actual events is purely coincidental.