Enterprise risk management (ERM) and performance management (PM) are two essential processes for the management of an organization. Both are designed to support the organization’s efforts in making decisions and meeting its goals—ERM through the identification and management of those risks that could affect business objectives, and performance management through the identification and measurement of the drivers needed to achieve results and provide value. Yet despite having mutually consistent objectives, ERM and PM processes are not integrated, and only recently are senior managers seeing the synergies in integrating the two processes. In a survey by The Conference Board of 97 senior executives, only 57 percent of the responding organizations have both a formal ERM program and a PM program. Of this group, only 43 percent said that integration would be “extremely” or “very” valuable.
Given that the two processes are mutually supportive and have common goals, why are they not better integrated? Part of the answer lies in both the genesis and the maturity of the two processes. Historically, private sector risk was managed by buying insurance and, more recently, through diversity to help manage the ups and downs of commodity prices, currencies, interest rates and such. Early performance measurement models were also based on mainly financial measures and considered a component of the planning and control cycle.
When ERM was introduced, it challenged companies to go beyond mathematical, easy-to-measure risks focused on financial controls and consider crucial risks related to reputation, operations, legal, human resources and IT. Today organizations are also being asked to develop organizational performance measures that have a more holistic view based on multiple nonfinancial measures.
ERM encourages companies to perform ongoing assessment of risks at every organizational level and to aggregate results at the corporate level. However, ERM processes are often not considered effective at both the corporate and business unit levels. The result is that the risk associated with individual business units or organizational entities may be less visible when examined from an enterprise perspective. In the IBM CFO Study 2008 of over 1,200 CFOs and senior Finance professionals, almost two out of three (62 percent) enterprises with revenues over US$5 billion encountered material risk events in the last three years. Of those, nearly half (42 percent) admitted to not being well prepared for them. The most frequently mentioned risks were not financial but strategic risks involving decisions about markets, customers, products, merger and acquisition activity, and other top-line business decisions. (IBM; Balancing risk and performance with an integrated finance organization: The 2008 CFO Study; http://www-05.ibm.com/services/se/cio/pdf/CFO_Study.pdf)
While some of these inherent problems have been addressed by the introduction of Enterprise Risk Management (ERM) and improvements to performance measurement processes, more work needs to be done. Risk assessments are typically limited since they often do not illuminate how the risks will affect the critical success factors of specific strategic goals measures (e.g., development of a new or elimination of an existing program) which are stated in performance management frameworks. In addition, organizations are not always successful at developing and implementing adequate performance measures for strategic initiatives. Current literature suggests 70% of initiatives fail at implementing performance measurement strategies.
ERM involves the use of aggregated results to inform decision-making and business practices and to identify and manage risks specific to the achievement of objectives. However, there is often no explicit link between the results of the ongoing assessment of risk and performance management; and the impact of risk on the continued validity of performance measures tied to strategic objectives is not addressed – particularly for emerging risk.
Barriers to Integration
One issue that affects the integration of risk and the performance management processes is the fact that performance metrics are often not sophisticated enough to reflect the level of risk inherent to organization activities. Performance measurement may only be seen as a way to align individual objectives with business objectives, and used as an element in the evaluations of individual managers and as a guide for setting compensation. As a result, the individual performance measures are often based on pro forma assumptions about internal performance and external events, and do not factor in the impact of risks on performance.
The integration of ERM and performance management is also hindered by the view that risk and performance address diametrically opposed concepts. Key performance indicators (KPIs) are seen to be focused on ensuring positive things occur as planned, and key risk indicators (KRIs) focused on ensuring negative things do not happen. These are perceived as opposite measures: one defining success, the other potential adverse events. In reality, a KRI can be developed from a KPI or a component of it. For example, employee turnover can be seen as an operational risk whose performance measure would be “increased employee retention”. Combining ERM with performance measurement would ensure that business goals include a probability component of their realization, in other words, a risk component.
Benefits of Integrating Risk and PM
Performance management typically involves establishing goals for activities and projects, monitoring progress with specific measures and making adjustments along the way to improve performance and more effectively and efficiently achieve strategic goals. However, the implementation of performance measures without the use of risk-adjusted metrics also presents a danger that executives will be encouraged to take excessive risks in order to boost the results of the performance metrics used to evaluate them as individuals. As the ongoing financial crisis has made clear, many financial executives pursued strategies using derivatives and structured products without sufficient regard to the corporate risks involved. They were often amply rewarded based on short-term returns that masked excessive longer-term risks.
In most cases, while both performance measurement and ERM are linked to the achievement of strategic objectives, tools such as the balanced scorecard only provide a holistic view of the performance of the organization across multiple perspectives. It does not identify and assess emerging or changing levels of risk. Likewise, ERM, with its focus on risk identification and management, is not explicitly linked to the measurement of performance.
The IBM CFO Study 2008 findings suggest that organizations need to develop a more holistic view of risk. Facing a wide range of risks requires enterprises to broaden their risk apertures and focus on those risks with the greatest potential impact and occurrence. In addition, performance measurement needs to consider ongoing and emerging risks, not just historical risk. The IBM study also encourages CFOs to integrate risk into planning, budgeting, reporting, and forecasting. Factoring risk into these four main areas of performance management better positions the organization to limit surprises and capitalize on upside opportunities. Discussions with senior executives have also suggested that information from ERM would be more credible and that ERM would be a more effective management process if ERM frameworks were shown to produce credible and useful risk-adjusted performance measures.
As a result, a disconnect exists and the processes remain independent. The solution lies in a push to improve the maturity and functionality of the two processes; and to integrate the ERM and performance measurement processes at both the strategic and business unit levels.
Expanding the focus and methodological approaches of the risk and performance management processes will bring them into closer alignment. The performance management focus on measuring progress toward achieving strategic objectives and ERM’s emphasis on addressing positive and negative factors potentially affecting the accomplishment of those objectives make their combination a natural fit for success. However, the integration of ERM and performance measurement must occur early in the strategic planning process and be an ongoing activity. At a high level, the integrated process would include steps to identify and assess risks related to corporate goals and objectives to be pursued, to implement risk mitigation strategies, to establish associated risk and performance indicators and measure current levels, and to monitor both the risk and performance indicators.
ERM seeks to identify, assess, and manage risks so that organizations can meet their objectives. Effective ERM builds risk awareness into decision making throughout the organization. Performance management, on the other hand, monitors a company, its activities, processes, and employees to see if they are on track to meet stated goals. The integration of risk assessment data and performance management will provide the analytical framework for evaluating activities and opportunities to maximize value to the public.
While key performance indicators (KPIs) can identify underperforming aspects of the organization, key risk indicators (KRIs) provide timely leading-indicator information about emerging risks. KRIs are measures of events or trigger points that might signal issues developing internally within the operations of the organization or potential risks emerging from external events, such as macroeconomic shifts that affect the public’s demand for products or services.
KRIs will provide an early signal of increasing risk exposures affecting the strategic initiative and ultimately the associated strategic goal. In some instances, they may represent key indicators of evolving risks which signal the need for action. Others may be more elaborate and involve the aggregation of several individual risk indicators into a multi-dimensional score about emerging events that may lead to new risks. This can provide rich information for management to consider as they execute strategies related to strategic initiatives. However, to be effective, ERM needs to provide management with more information than an annual heat map. The discussion around risks must not only be an integral part of strategic planning and mid-year performance assessment but also an ongoing focus of management.
Next week – part #2: A proposed model for integrating ERM and PM
Dave Coderre, CAATS