The intensity of competition, an ever-changing regulatory landscape, the threat of so-called “black swan” events and an increasing velocity to impact from the unexpected have created a volatile and more complex business environment. It has never been more important to integrate risk management with strategy-setting and performance management. Whether a company is rapidly growing, focused on establishing a sustainable competitive advantage, or both, it must consider how an integrated approach and discipline to deploy strategy coupled with managing the associated risks will improve the probability of achieving strategic objectives. Risk management cannot become a differentiating skill unless it is integrated with strategic management and performance management. This issue of The Bulletin will discuss this integration, why it is important, and how it is achieved.
Start with an effective governance process
In the context of developing strategy and managing risk, we define “governance” as the establishment and maintenance of a flexible corporate structure that manages the balance between the entity’s value creation objectives and performance goals with the policies, processes and controls it puts in place to preserve enterprise value. This point of view regarding the achievement of balance is not a mere exercise in theory. It is about positioning risk management to be effective in enabling the organization to attain “first mover” status when the company arrives at a crossroads where a strategic inflection point exists and the business’s market position could be harmed significantly if the imminent opportunity is not recognized by the right people and acted upon.
To Integrate Risk Management with the Business Model
- Start with an Effective Governance Process – Implement a flexible structure to balance the creation of enterprise value with the need to preserve enterprise value. Position risk management to be effective in enabling the organization to attain “first mover” status when the company arrives at a point in time where its market position could be damaged if the imminent opportunity is not recognized by the right people and acted upon.
- Integrate Risk with Strategy-Setting – Implement a robust “think-out-of-the-box” process for identifying strategic and emerging risks, and sustaining the risk appetite dialogue between management and the board. Understand the assumptions underlying the strategy, consider relevant scenarios that could invalidate those assumptions, and ensure key external environment factors that could impact the viability of the strategy are monitored over time.
- Integrate Risk Management with Performance Management – Combine strategic aspirations, differentiating capabilities and infrastructure needed to deliver those capabilities, as articulated by the strategy, with an understanding of the risks inherent in the strategy to provide input to the determination of key metrics and targets. Note that it is at this point where risk management begins to intersect with performance management.
- Use Integrated Metrics and Targets to Manage the Business – Use integrated metrics and targets to provide a bridge from a longer-term strategic view of risk to a more focused budgetary view of risk for use in the business-planning process. Monitor progress toward achieving the strategy so that corrective actions can be taken midcourse.
Such inflection points can arise as a result of any number of factors, including: technological advancements, a major product launch, a decision to enter untapped markets or pursuit of a major acquisition in a different line of business. On occasion, they also may arise when decisions must be made with respect to executing critical compliance-oriented activities for which failure can result in great harm to the company.
The global financial crisis provides an object lesson in the importance of risk management from a strategic perspective. Those financial institutions that emphasized a business model of loan volume and speed of lending in the subprime market – irrespective of the concentration and liquidity risks that strategy created – have paid the price, with shareholders and taxpayers picking up the tab. One of the assumptions underlying this strategy was stability of the housing market.
According to a 2008 Senior Supervisors Group report,1 the firms that were able to determine, as early as 2006, that the housing market was deteriorating rapidly had up to a year to evaluate their risk exposure and implement cost-effective steps to reduce it. The report also noted that, skeptical of rating agency assessments, these institutions refocused their own in-house expertise to assess credit quality and market values. Some even tested their overall assessments by selling a small percentage of assets in selected markets to obtain reliable pricing data. These and other actions gave the firms a clearer sense of the market. Meanwhile, their peers remained exposed to the subprime market. The result was an excessive concentration of deteriorating and nonperforming assets far beyond these firms’ capacity to manage, creating formidable liquidity issues and/or depleting capital adequacy.
The message is that many firms in the industry had reached an inflection point. Some recognized it and acted accordingly. Some did not. Those that did, and moved to reduce their exposure when it was practical to do so, were able to protect enterprise value. Not surprisingly, some financial institutions did not engage in subprime lending at all. They are glad they didn’t. The distinction between the organizations that failed and those that survived and thrived was either effective risk management or steadfast adherence to time-tested underwriting standards.
The bottom line is clear: Firms that undertook steps to protect their balance sheets or honored prudent constraints imposed by long-standing internal policies and processes placed themselves in a stronger competitive position relative to their peers.
Effective governance should encourage managers to raise their hands and stop the process at the crucial moment before a critical mistake is made, particularly when there is significant disagreement among multiple constituencies over competing metrics, such as budget and on-time delivery versus safety. Tension in addressing a balanced set of performance metrics or in focusing on making the numbers over the short term versus managing for the longer term is inevitable. However, when the stakes are extremely high, there will be times when escalation may be in order and matters need to be discussed in the pits and not on the track. On a day-to-day basis, these situations will be infrequent. The sad irony is, unless employees are insulated appropriately in terms of their careers and compensation, these discussions won’t arise until it is too late.
Integrate risk with strategy-setting
Strategy-setting articulates the organization’s strategic aspirations around its vision, mission and values, and communicates clear and concise objectives to set the appropriate direction for the enterprise. Strategy-setting describes the enterprise’s source of competitive advantage, as expressed through its differentiating capabilities and the infrastructure needed to execute those capabilities successfully. Therefore, it focuses on how the entity will create value for its shareholders, customers, employees and other stakeholders over a stated time horizon.
Many organizations do not integrate risk management planning with strategy development. That is a mistake. It is critical to define the soft spots, loss drivers and incongruities that are inherent in the enterprise’s strategic objectives and could dramatically affect performance and adversely impact execution. These are the risks that really matter. Once the pertinent risks are identified, the amount of risk an enterprise is willing to accept in pursuit of the strategy – its risk appetite – is defined.
Corporate strategy is governed by the willingness of an organization to accept risk in the pursuit of value creation, as well as its capacity to bear that risk. There are risks inherent in every successful organization’s business model for executing its strategy. This is a good thing. A winning business model exploits to a significant extent the areas in which the company excels relative to its competitors, including the risks to undertake in executing the strategy. There are conscious decisions to be made here. For example, what is the desirable relationship between the capacity to bear risk and the appetite for taking risk, and does the strategy reflect that relationship? Are the risks inherent in the strategy consistent with the entity’s appetite for risk? Are management and the board on the same page as to the risks they wish to avoid in executing the strategy? Does it make sense to take all of the risks an organization is capable of undertaking without reserving capital and resources for contingencies and investment opportunities? Are there certain aspects of the strategy that may be unrealistic and result in undertaking unacceptable risks?
The point is this: From a strategy-setting standpoint, it is useful to have a notion of when the organization’s capacity for bearing risk should be encroached upon. For this reason, a disciplined approach around protecting enterprise value should be integrated with the aspirational objectives established through strategy-setting. This approach should entail a robust “thinkout-of-the-box” process for identifying and prioritizing the risks inherent in the strategy, identifying emerging risks, sourcing the risks, and establishing and sustaining the risk appetite dialogue between management and the board.
Together, the two activities of strategy-setting and risk assessment facilitate the articulation of the critical assumptions underlying the strategy. These assumptions often relate to such things as the global and domestic economy, competitor behavior, the regulatory environment, physical phenomena (e.g., weather), customer behavior, supplier performance and availability of effective channels. Once these underlying assumptions are understood, management must consider relevant risk scenarios that could invalidate the assumptions and thereby impact the viability of one or more components of the strategy.
To illustrate, earlier we noted that financial institutions adopting a “volume and speed” business model in subprime lending assumed a stable housing market, suggesting housing prices were a critical driver of their success. If a risk assessment had been performed at the time their strategy was formulated, it is likely questions would have arisen to challenge whether it was realistic for management to expect this assumption to hold up over the time horizon addressed by the strategy. A relevant risk scenario might have been as follows, assuming a strategic time horizon of three years:
A significant, widespread deterioration in the housing market occurs in the United States over the next three years, leading to a severe recession. The likelihood of this scenario developing would have been evaluated based on historical trends, current economic outlook and other factors.
If an institution had paid heed to such a scenario, it likely would have asked tough questions around what would happen if the housing market took a severe hit. For example, do we need a limit structure in place to set boundaries on our loan and counterparty concentration in this segment to keep our exposure at an acceptable level? Do we need to take a look at our loan underwriting and documentation standards? Do we need to look at how we are compensating people who make lending decisions to ensure we are incenting sound behavior? Do we need an exit plan? These and other questions, and the discussions they stimulate, might have led to a more robust strategy to protect enterprise value for those institutions with the will and discipline to act according to a predetermined plan for managing risk.
Integrate risk management with performance management
The strategic aspirations, differentiating capabilities and infrastructure needed to deliver those capabilities, as articulated by the strategy, are combined with an understanding of the risks inherent in the strategy to provide input for the determination of key metrics and targets.
It is at this point where risk management begins to intersect with performance management.
We define “performance management” as the process by which performance goals are selected for the organization, its processes and its personnel; progress toward achievement of the established goals is measured and monitored; and management intervenes periodically in light of available information to improve performance against established goals.
The metrics selected must enable the organization to track progress toward the achievement of strategic objectives, monitoring and mitigation of risks, and compliance with internal policies and external laws and regulations. Traditional key performance indicators (KPIs) and key risk indicators (KRIs) should converge to create a single basket of metrics. KPIs are measures of performance developed to monitor progress toward the achievement of the strategy and the ultimate creation of stakeholder value. They are the primary means for communicating business results across an organization. KRIs provide lead and lag indicators of critical risk scenarios, resulting in a more balanced mix of forward-looking indicators to complement the usual metrics around customer satisfaction, quality, innovation, time and financial performance. For example, accumulated deferred maintenance in a manufacturing plant or refinery may be a lead indicator of environment, health and safety risk.
The process is one of first identifying the key drivers of success in executing the strategy and then selecting the metrics that reflect those drivers. However, the value drivers and the related performance tolerances (KPIs) have risks associated with their achievement. For high-priority risks, risk tolerances consistent with the overall risk appetite may be appropriate to establish parameters for risk-taking behavior and for the level of acceptable risk. While risk appetite sets the overall boundaries for an organization, risk tolerances are defined to facilitate monitoring of the effectiveness of the enterprise’s responses to its key risks. To that end, risk tolerances are evaluated with the same unit of measure used to monitor the achievement of objectives. Risk tolerances may be used to provide loss limit structures for specific products, trading activities and designated operating units. In addition, they may define the acceptable level of variation from specified performance targets for a wide range of activities germane to the business model – customer service levels, customer satisfaction targets, operating processes, strategic supplier performance levels and the operation of key controls. Taken together, the organization’s risk tolerances provide assurance to management and the board of directors that the organization remains on target with the strategy and within its risk appetite.
At this point, we can now begin to understand how risks, and the enterprise’s responses to them, can impact the execution of the strategy. The endgame is clear: We seek to increase the confidence of executive management and the board in the successful execution of the strategy. The highest level of confidence comes from integrating risk management with performance management.
Use integrated metrics and targets to manage the business
Integrated business plans establish the road map for achieving performance expectations, as envisioned by the strategy, and driving the related tactics and actions, including risk responses, required to implement the road map. They engage the appropriate managers with the resources to deploy the strategy at the level of greatest achievability and accountability.
Performance monitoring and evaluation can be defined as the consistent and continuous reporting and feedback of performance results against targets. Performance monitoring using established KPIs and KRIs gives the organization the ability to measure the rate of progress it is making toward its strategic objectives and the mitigation of its critical risks. Because plans are not perfect and the execution of those plans often runs into barriers or goes off track, effective monitoring and evaluation is a critical process. When plans (including risk responses) are not effective, either in how they are articulated or how they are executed, performance usually falls short of established targets. At this point, a realign and achieve process is needed to ensure that proactive corrective action is taken, including budgetary adjustments, redirection of resources, remediation of controls, process improvements, cessation of certain activities, change management, crisis management and other tactics. The sooner out-of-tolerance results can be identified, the sooner the necessary corrective action can be taken.
An enterprise performance management infrastructure is needed to enable effective and timely business planning, initiative tracking and performance measurement. While there are many technology alternatives available to deliver this infrastructure, what management needs are performance scorecards and dashboard reporting that provide the information relevant to proactive performance management at appropriate levels in the organization. More important, it is vital to ensure “one version of the truth” through a single originating source for specific data elements that are converted into relevant information required for developing the key metrics.
Balancing aggressive value creation strategies with appropriate protection measures can and does make a difference over the long term. Recognizing that discussions of opportunities and risks and how they are managed are virtually inseparable from each other, the governance process addresses multiple moving parts and brings them together to manage this important balance. It provides oversight for (a) the formulation of strategy, (b) positioning the enterprise to execute the strategy, (c) balancing the organization’s aspirational goals with its appetite for risk, and (d) providing the mechanism to monitor progress toward achieving the strategy by providing appropriate guidelines, policies, boundaries and parameters for operating the business model while managing the inherent risks. Risk should not be an afterthought to strategy, and risk management should not be an appendage to performance management. A concerted effort to integrate risk management with strategy-setting and the management and monitoring of enterprise performance will go a long way toward helping companies strike the appropriate balance between creating and protecting enterprise value.
Want to know more?
Protiviti has published the Performance/Risk Integration Management Model – PRIM2: The Convergence of Enterprise Performance Management and Risk Management white paper. Whether a company is rapidly growing, focused on establishing sustainable competitive advantage, or both, it must consider how an integrated approach and discipline to deploy strategy while also managing the associated risks will improve its probability of achieving strategic objectives. In this white paper, Protiviti discusses an enterprisewide program that places risk, risk management and performance management in a broader strategic context by:
- Creating real-time transparency into the operations of the enterprise to measure current performance and predict future trends in order to establish and maintain alignment of strategy, risk management capabilities and performance management processes in a changing business environment
- Proactively identifying, sourcing and mitigating the risks inherent in the strategy
- Communicating and deploying strategy effectively in a consistent manner across the enterprise
- Ensuring the seamless integration of strategic plans, risk management and performance management in the execution of the strategy
The white paper elaborates on the points discussed in this issue of The Bulletin. It is available at protiviti.com.
1Observations on Risk Management Practices during the Recent Market Turbulence, Senior Supervisors Group, March 6, 2008.
The Bulletin (Volume 4 Issue 1)