While strategy-setting defines an enterprise’s overall strategic direction, differentiating capabilities and required infrastructure, the business plan lays out how the company intends to execute the strategy during an annual period or, if longer, the operating cycle. Some companies have rolling multiyear business plans (say, three years), which take on the appearance of continuous strategy updates. Given this context, the question arises as to how risk should be integrated into the annual business planning process.
In a business plan, it is critical to define the inherent soft spots, loss drivers and incongruities that could dramatically affect performance and adversely impact execution. The budgeting and forecasting processes supporting the business plan also must be effective in managing risks, such as liquidity, which can threaten the organization’s viability during the planning period. With respect to the selected planning horizon, two important risks to consider are ensuring the plan itself can be delivered according to expectations and that the company won’t run out of money as it delivers the plan.
With respect to liquidity risk, there are a number of considerations. For example, there are the normal seasonal fluctuations, the inevitable unexpected developments causing revenue declines and operating cost increases, and the issue of inadequate financing facilities or insufficient working capital and/or cash-flow management processes. Then, there are unexpected events that cause business disruption, exposing the company’s failure to match the debt maturity profile to the ultimate realization of assets that its debts are funding. Finally, we cannot forget the extraordinary circumstances that lead to unplanned capital outlays or breaches of loan covenants. The point is clear: Reliable budgeting and forecasting processes in which management and the board have complete confidence are crucial to the business planning process.
Every business plan should identify the appropriate metrics and measures to monitor. If the strategy-setting process contributes to a better understanding of the risks inherent in the strategy, that understanding provides inputs to the determination of key metrics and targets. At this point, risk management begins to intersect with performance management. In effect, traditional key performance indicators (KPIs) and key risk indicators (KRIs) should converge to create a single family of metrics to drive the business planning process.
While KPIs monitor progress toward the achievement of the strategy and are the primary means for communicating business results across the organization, KRIs provide lead and lag indicators of critical risk scenarios. The result is a more balanced mix of forward-looking indicators to complement the usual KPI metrics around customer and employee satisfaction, quality, innovation, time and costs. For example, accumulated deferred maintenance in a manufacturing plant or refinery may be a lead indicator of environment, health and safety risks.
Together, KPIs and KRIs provide direction as to what should be managed in the execution of the business plan. The metrics selected must enable the organization to track progress toward the achievement of business objectives, monitoring and mitigation of risks, and compliance with internal policies and external laws and regulations. Metrics become the foundation for integrated business planning, which in turn provides a comprehensive framework to deploy and execute corporate strategy across an organization in concert with risk mitigation planning, budgeting, forecasting, resource allocation and the reward system. In many organizations, these are separate, individual processes, often championed by different parts of the organization.
To illustrate, one company defines its risk management process using the standard six steps: identify, source, measure, evaluate, manage and monitor. Once risks are “identified,” they are “sourced” to their drivers or root causes. “Measure” means mapping the risks with regard to their impact, likelihood and other criteria. “Evaluate” means determining the desired risk profile and risk responses needed to achieve that profile. “Manage” and “monitor” both relate to executing the selected risk responses.
The company’s business planning process consists of three phases: environment assessment, plan development and plan execution. The company integrates the “identify” and “source” steps of its risk management process into the environment assessment phase of the business planning process, the “measure” and “evaluate” steps into the plan development phase, and the “manage” and “monitor” steps into the plan execution phase. In this way, managing risks becomes an integral part of running the business.
In summary, integrated business planning deploys the strategy at the level of greatest achievability and accountability, engages appropriate managers who can access the resources required to get the job done, and incorporates the risk management capabilities needed to address the critical risks inherent in the plan.
Questions for Boards
Following are some suggested questions that boards of directors may consider, based on the risks inherent in the entity’s operations:
- Does the business plan:
- Decompose the critical steps required to achieve key business objectives into performance plans supported by key metrics and targets that establish accountability for results?
- Identify the soft spots and potential loss drivers that could dramatically affect performance and adversely impact execution of the plan and delivery of expected financial results?
- Link the reward system to performance expectations through a balanced compensation structure that is fair to both the near-term interests of employees and the longer-term interests of shareholders?
- Do senior management and the board have confidence in the reliability of the organization’s budgeting and forecasting processes?
How Protiviti Can Help
As the board evaluates how to organize for risk oversight, Protiviti can assist it and executive management with identifying and assessing the enterprise’s risks and implementing strategies and tactics for managing risk. We assist companies in integrating their risk assessment process with their core business processes, including business planning.
Board Perspectives: Risk Oversight (Issue 41)