The primary role of risk management in the strategic planning process is to identify and analyze the uncertainties that could affect the achievement of an organization's objectives. According to ISO 31000, risk is the "effect of uncertainty on objectives." This uncertainty can manifest as potential threats (negative effects) or opportunities (positive effects). By systematically identifying these factors during strategic planning, an organization can set more realistic objectives, develop robust strategies to manage threats, and create plans to capitalize on opportunities, thereby creating and protecting value. This integration ensures that the strategy is not developed in a vacuum but is informed by a clear understanding of the internal and external risk landscape.

A. Challenging decisions is a function of governance that risk management supports, but its core role in planning is to provide information for making decisions, not just to challenge them after the fact.

B. Developing risk treatment plans is a subsequent step in the risk management process (risk treatment) that occurs after risks have been identified, analyzed, and evaluated in relation to the strategy.

C. Drafting the decisions is the responsibility of senior management and the board. Risk management's role is to provide critical input and analysis to inform those decisions, not to draft them.

1. ISO 31000:2018, Risk management — Guidelines.

Clause 4, Principles: States that risk management "Creates and protects value" and should be an "integral part of all organizational processes," including "strategy and planning."

Clause 5.4.1, Integrating risk management into organizational processes: Emphasizes that risk management should be part of decision-making, including the setting of strategy and objectives.

Clause 6.4.2, Risk identification: This clause specifies the process of "finding, recognizing and describing risks." The purpose is to generate a comprehensive list of risks based on those events that might "create, enhance, prevent, degrade, accelerate or delay the achievement of objectives." This directly corresponds to identifying threats and opportunities.

2. Purdy, G. (2010). ISO 31000:2009—Setting a New Standard for Risk Management. Risk Analysis: An International Journal, 30(6), 881-886.

Page 884, Section 4. Principles of Risk Management: The article explains that a key principle of ISO 31000 is its integration into organizational processes. It states, "Risk management is not a stand-alone activity... It is part of the responsibilities of management and an integral part of all organizational processes, including strategic planning..." This integration is achieved by providing the information needed to understand potential threats and opportunities related to strategic choices. (https://doi.org/10.1111/j.1539-6924.2010.01442.x)

3. Lalonde, C., & Boiral, O. (2012). Managing risks through ISO 31000: A critical analysis. Risk Management, 14(4), 272-300.

Page 280: The authors discuss how ISO 31000 positions risk management as a tool for decision-making and achieving objectives. They note that the standard's process begins with establishing the context, which includes defining strategic objectives, and then moves to risk assessment (identification, analysis, evaluation), which inherently involves considering events that could help or hinder those objectives (opportunities and threats). (https://doi.org/10.1057/rm.2012.9)