A proposed integrative model
Dave Coderre, CAATS, www.caats.ca
During the strategic planning process senior managers propose goals and objectives for the coming year. ERM should evaluate objectives to ensure that risks have been considered and the chosen objectives are consistent with the entity’s mission. The risks should be analyzed and prioritized and mitigated by an appropriate response that considers the entity’s risk tolerance and risk appetite. The risk appetite will vary depending on the organizational activity e.g. air traffic safety and a job creation program will have very different levels of risk tolerance and allowable variance from target levels. This may lead to a revision of the objectives. Once the objectives have been selected, strategic initiatives are established and key performance indicators (KPIs) developed and baseline performance measures calculated for each strategic initiative to translate the organization’s overall mission and strategy into specific measurable operational and performance metrics. The objective of performance management is to provide metrics that organizations can use to measure progress toward achieving their corporate goals; not simply to assess what has been achieved, but also to assist executives when they plan corporate strategy and to help track execution. At this time, key risk indicators (KRIs) should also be established and baseline measures calculated. In addition, controls, policies, procedures, etc. should be established to assess the implementation and effectiveness of the risk responses. Finally, risk information should be captured and communicated across the entity, and the enterprise risk management process used to monitor and assess the risk on a continual basis to ensure that management attentions continues to focus on the right areas.
While ERM typically provides an enterprise view of risk, the risks are identified at the operational level (bottom up) and thus can continue to be associated with specific strategic initiatives. Maintaining this view on an ongoing basis allows the organization to understand the relationship between risks to the achievement of strategic objectives, and to the associated performance measures. In addition, it means that sub-activity performance measures can be updated based on changing risks levels – providing managers with reasons to track not only performance but also to identify and assess risk on a regular basis. The integration should exist both at the high-level strategic planning and at the strategic initiative level. Thus ERM identifies and manages risks to the achievement of the strategic initiatives and performance measurement tracks progress towards the achievement of these strategic initiatives.
Example – management has an objective to improve health care (see diagram). Three critical strategic initiatives to accomplishing those objectives have been identified; and several potential risks have been identified that may have an impact on one or more of the key strategic initiatives. Mapping key risks to core strategic initiatives puts management in a position to begin identifying the most critical metrics that can serve as leading key risk indicators to help them oversee the execution of core strategic initiatives. Identifying and mapping KRIs to critical risks and core strategies reduces the likelihood that management becomes distracted by other information that may be less relevant to the achievement of these objectives. The next step is to develop and map key performance indicators (KRIs) to each of the strategic initiatives. Once this may been done, baseline measures should be calculated for the KRIs and KPIs and ongoing monitoring of the indicators performed.
During the strategic planning process risks are initially assessed for their impacts on organizational goals and objectives, but as management examines strategic alternatives, their impact on the total risk profile should also be evaluated. For new strategic goals, performance measures and risk responses, accountabilities and monitoring systems should be established. Thus ERM would feed the strategic planning process and the establishment of performance measures; and there would also be a feedback loop from these processes to the ERM process.
Identifying KPIs and KRIs is only the first step. Risk indicators should be continually assessed after decisions have been made, in addition to the ongoing monitoring of performance. While performance measurement focuses on actual performance, the ongoing assessment of risk can highlight emerging risks that may impact future performance. Since KRIs are typically derived from specific events or root causes, they can identify internal or external factors that can prevent achievement of strategic objectives. For example, budget reduction programs, health crises such as H1N1, or the political environment’s effect on major acquisitions are all events that might influence the accomplishment of the organization’s objectives.
The ongoing examination of the KRIs is necessary for management to be able to assess and revise their strategies to mitigate new or emerging risks and, at the same time, adjust KPIs accordingly.
The integrated approach should not be static and the development of data-driven indicators of risk is critical to its success. Integrated scorecards should be used in ongoing management of the organization. A well-designed and integrated ERM and performance measurement system provides information that allows management to understand whether key strategic objectives are being met and to identify opportunities to adjust strategies and tactics to take advantage of shifts in the environment that might be exploited for the benefit of the organization and its stakeholders. Management selects initial strategies at a point in time. As time goes by, the range of uncertainty begins to increase, threatening the successful execution of those strategies. This should trigger a review of the strategies and the associated risk indicators and performance measures.
The benefits of combining ERM and performance management are significant and affect every business unit. ERM is forward-looking and can help organizations anticipate internal and external risks and understand the risk and reward trade-offs of their business decisions. The use of KRIs to anticipate emerging risks and shifts in risks over time can decrease losses, identify opportunities for strategic exploitation, and potentially reduce the cost of capital by mitigating perceptions of risk borne by capital providers. In the public sector KRIs can identify emerging risks and help reduce service disruptions and enhancing public sector value by potentially avoiding certain decisions that unexpectedly create risks associated with these processes.
Another advantage of linking ERM and performance measurement to strategic planning and review is that managers can be held accountable for both the risk mitigation activities and performance measures associated with a strategic initiative. This will encourage ownership of both the ERM and performance measurement processes. ERM will become more than an annual ‘heat map’ generation activity; and performance measurement will become more than an HR performance evaluation tool.
In addition, the use of KRIs can lead to fewer episodes of crisis management, where normal tasks must be set aside for full-time devotion to a developing issue. This allows for a more stable and smoothly functioning organization. By providing executives with a better understanding of the risks inherent in their strategic plans and better tools to identify performance drivers, public and private sector organizations will become more flexible and nimble in responding to changes in the external environment.