12

THE INTEGRATION OF ENTERPRISE RISK AND ENTERPRISE PERFORMANCE MANAGEMENT

Among businesses there is increasing interest in integrating enterprise risk management (ERM) and enterprise performance management (EPM), but there is confusion and little consensus about what each of them is, let alone how to integrate them. Finding meaningful measurements adds to the problem. Most disturbing is recent research showing that, however interested in ERM and EPM executives may be, they are not adequately funding these functions, possibly because they fear that doing so will reduce profits, and they are not giving risk managers (or whoever is responsible for assessing risk) a seat at the executive table. Yet risk managers play a valuable role by looking at risk across the whole enterprise and mitigating potential risks to protect the organisation’s profits.

An organisation needs both velocity and steering on the one hand and control on the other. The former come from EPM (eg, strategy, key performance indicators [KPIs], alignment, customer profitability analysis, business intelligence, business analytics, rolling financial forecasts) and the latter comes from ERM (eg, the risk appetite statement, key risk indicators [KRIs], key control indicators, risk mitigation). EPM without limits is dangerous; it is like driving too fast on a mountain highway with sharp turns. In that analogy EPM supplies the accelerator and the steering wheel and ERM supplies the brake pedal, hence steering and control. When EPM and ERM are combined, the organisation becomes better, faster, cheaper and smarter (EPM) ... and safer (ERM).

HOW DO ERM AND EPM FIT TOGETHER?

EPM is much broader than its previously misperceived narrow definition of simply being dashboards and better financial reporting. EPM is a concept involving integrated methodologies. EPM is a part—albeit a crucial, integral part—of how an organisation realises its strategy to maximise its value to stakeholders, both in commercial and public sector organisations. This means that EPM must be encompassed by a broader overarching concept—enterprise risk-based performance management—that integrates with ERM.

Governance, risk and compliance (GRC) are important elements associated with EPM. From the EPM view described in this book, governance can be considered the stewardship of executives to behave in a responsible way, such as providing a safe work environment or formulating an effective strategy, and compliance can be considered operating within laws and regulations. Risk management, the third element of GRC, is the element most closely associated with enterprise performance management.

Governance and compliance awareness from government legislation, such as the Sarbanes-Oxley Act of 2002 and Basel II, is clearly on the minds of all executives. Accountability and responsibility can no longer be evaded. If executives err on compliance, they can go to jail. As a result, internal audit controls have been beefed up. (My personal opinion is today there is too much ‘C’ in GRC. Its substantial administrative effort has become a distraction for organisations to focus on organisational improvement.)

The ‘R’ in GRC has much in common with EPM. The foundations of ERM and EPM share two beliefs:

1. The less uncertainty there is about the future, the better.

2. If you cannot measure it, you cannot manage it.

IS RISK AN OPPORTUNITY OR HAZARD?

ERM is not about minimising an organisation’s risk exposure. Quite the contrary, it is all about exploiting risk for maximum competitive advantage. A risky business strategy and plan always carries a high price. For example, when investment analysts are uncertain about a company’s prospects, in part because of insufficient information, their inability to predict its financial results with reasonable accuracy may lead to an analysis that raises the firm’s cost of capital and, thus, lowers its stock price. Uncertainty is not only about the prediction or estimate itself, whether it is applied to a target, a baseline, a historical actual (or average) or a benchmark; it also includes uncertainty about the accuracy, completeness, compliance and timeliness of the information behind it.

Effective risk management practices counter these effects by being comprehensive in recognising and evaluating all potential risks. Their goal is less volatility, greater predictability, fewer surprises and, arguably most important, the ability to bounce back quickly after a risk event occurs.

A simple view of risk is that more things can happen than will happen. If a business can assign probabilities to possible outcomes that differ from its normal expectations, it can consider creative options for dealing with surprises and evaluate the consequences of predicting outcomes incorrectly. In short, risk management is about dealing in advance with the consequences of being wrong about a business decision.

However, as much as risks are potential hazards, they are also opportunities that can prove beneficial. For example, a rain shower may be a disaster for the county fair but creates a boon for an umbrella salesperson. Risk and opportunity are concerned with future events that may or may not happen. The events can be identified, but the magnitude of their effect is uncertain. However, the outcome of the events can be influenced with preparation in the form of ERM.

PROBLEMS QUANTIFYING RISK AND ITS CONSEQUENCES

Because of its potential for introducing new problems, risk is usually associated with new costs. In contrast, opportunity may lead to benefits, such as new economic value creation and increased turnover. Most organisations cannot quantify their risk exposure (the potential for being affected by risk) and have no common basis for evaluating their risk appetite (the amount of risk they are willing to absorb to generate the expected returns) relative to that exposure. The objective of ERM is not to eliminate all risk but, rather, to match risk exposure to risk appetite.

Not to be confused with contingency planning, ERM begins with a systematic method of recognising sources of uncertainty. It then applies quantitative methods to measure and assess three factors:

1. The probability of an event occurring

2. The event’s severity of impact

3. Management’s capability and effectiveness to respond to the event

Based on these factors, ERM identifies the triggers and drivers of risk, the KRIs, and then it evaluates alternative actions and associated costs to potentially mitigate, or take advantage of, each identified risk. These should ideally be included during the strategy formulation and re-planning processes, as well as reflected through financial projection scenarios, which are commonly called what-if analyses.

Multiple scenarios based on estimated probabilities for multiple variables are the accepted approach for gauging impact sensitivities and deciding which risk mitigation actions to pursue or reject. Probabilistic scenarios give strategists distributions of possible outcomes together with their causes. Scenario analysis combines good business judgement with fact-based business analytics. Trend analysis, regression and correlation analysis are involved, but they no longer need to be scary memories of a university statistics course: today’s analytical software is designed so that even a casual user can perform them.
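The quantitative side of this, as an added worked example rather than code or data from the chapter: a constructed risk register carrying the three factors listed above (probability of the event, severity of impact, and management’s capability to respond) is aggregated by Monte Carlo simulation into an expected loss and a 95th-percentile exposure, which is then compared with a constructed risk appetite figure, the balance that Figure 12-1 describes. One alternative mitigation action is costed against the expected-loss saving it produces. The register entries, the appetite threshold, the monetary units and the mitigation option are assumptions made for illustration.

```python
"""Aggregate a risk register into an exposure figure and compare it with a stated
risk appetite. Added example; the register, the appetite figure and the mitigation
option are constructed illustrations, not data from the chapter."""
from dataclasses import dataclass, replace
from math import sqrt
import random


@dataclass(frozen=True)
class Risk:
    name: str
    probability: float             # factor 1: likelihood of the event in the period
    impact_min: float              # factor 2: severity as a triangular range
    impact_mode: float             #           (minimum, most likely, maximum)
    impact_max: float
    response_effectiveness: float  # factor 3: share of the impact management can absorb (0..1)

    def expected_loss(self) -> float:
        """Closed form: probability x mean triangular impact x residual share after response."""
        mean_impact = (self.impact_min + self.impact_mode + self.impact_max) / 3
        return self.probability * mean_impact * (1 - self.response_effectiveness)

    def sampled_loss(self, u_event: float, u_impact: float) -> float:
        """Loss in one trial from two uniform draws. Keeping the draws outside the
        object lets the same draws be replayed against a mitigated register."""
        if u_event >= self.probability:
            return 0.0
        a, b, c = self.impact_min, self.impact_mode, self.impact_max
        # Inverse CDF of the triangular distribution.
        if u_impact < (b - a) / (c - a):
            impact = a + sqrt(u_impact * (c - a) * (b - a))
        else:
            impact = c - sqrt((1 - u_impact) * (c - a) * (c - b))
        return impact * (1 - self.response_effectiveness)


# Constructed register: four identified risks; monetary units are arbitrary.
REGISTER = [
    Risk("Supplier misses delivery dates", 0.30, 50_000, 120_000, 300_000, 0.50),
    Risk("Key staff attrition", 0.20, 30_000, 80_000, 150_000, 0.25),
    Risk("Major customer defaults on payment", 0.10, 100_000, 200_000, 600_000, 0.00),
    Risk("Competitor cuts prices", 0.40, 80_000, 150_000, 250_000, 0.20),
]

# Constructed appetite statement: the board accepts a 1-in-20 loss of at most this amount.
RISK_APPETITE_P95 = 300_000


def expected_loss(register) -> float:
    return sum(r.expected_loss() for r in register)


def simulate(register, trials=20_000, seed=2024):
    """Monte Carlo: total loss per trial. Uniform draws depend only on the seed and
    the risk's position, so two registers of equal length share random numbers and
    a mitigation's effect is not masked by sampling noise (common random numbers)."""
    rng = random.Random(seed)
    totals = []
    for _ in range(trials):
        draws = [(rng.random(), rng.random()) for _ in register]
        totals.append(sum(r.sampled_loss(u1, u2) for r, (u1, u2) in zip(register, draws)))
    return totals


def percentile(values, q: float) -> float:
    ordered = sorted(values)
    return ordered[min(len(ordered) - 1, int(q * len(ordered)))]


def exposure_report(register, appetite=RISK_APPETITE_P95, trials=20_000, seed=2024) -> dict:
    totals = simulate(register, trials, seed)
    p95 = percentile(totals, 0.95)
    return {
        "expected_loss": expected_loss(register),
        "simulated_mean": sum(totals) / len(totals),
        "exposure_p95": p95,
        "within_appetite": p95 <= appetite,
    }


def evaluate_mitigation(register, risk_name: str, new_probability: float, annual_cost: float) -> dict:
    """Cost/benefit of one alternative action: does the expected-loss reduction pay
    for the action, and does it bring the tail exposure within appetite?"""
    mitigated = [replace(r, probability=new_probability) if r.name == risk_name else r
                 for r in register]
    before, after = exposure_report(register), exposure_report(mitigated)
    saving = before["expected_loss"] - after["expected_loss"]
    return {
        "expected_saving": saving,
        "net_benefit": saving - annual_cost,
        "p95_before": before["exposure_p95"],
        "p95_after": after["exposure_p95"],
        "within_appetite_after": after["within_appetite"],
    }


if __name__ == "__main__":
    print(exposure_report(REGISTER))
    # Constructed option: qualify a second supplier for 10,000 a year, cutting the
    # delivery-risk probability from 30% to 10%.
    print(evaluate_mitigation(REGISTER, "Supplier misses delivery dates", 0.10, 10_000))
```

The expected loss is available in closed form, so the simulation is only needed for the tail figure the appetite statement is written against; the two should agree on the mean, which is a useful sanity check on the sampling. Because the mitigated and unmitigated registers are replayed against the same random draws, the reported drop in the 95th percentile reflects the action itself rather than run-to-run noise.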

TYPES OF RISK CATEGORIES

With potentially hundreds of risks that may be identified, the task of dealing with them may seem daunting. Consequently, ERM can be better understood by categorising various risks. For example, identified risks could be grouped as being strategic, financial, operational or hazard. Or they could be grouped as external or internal and controllable or uncontrollable. Another example is financial or nonfinancial and insurable or noninsurable.

The following are six commonly used risk categories:

1. Price risk. The risk that an increasing supply of a product or service, or aggressive price cuts by competitors, will force prices, and consequently profits, lower.

2. Market risk. The risk that customer preferences and demand might quickly change. (For banking professionals, this is the risk from trading financial instruments.)

3. Credit risk. The risk that a counterparty fails to meet its obligations, such as a customer that does not pay for its purchases, a mortgage holder that defaults on the loan or an entity that fails to settle a legal obligation.

4. Operational risk. The risk of loss resulting from inadequate or failed internal processes, people and technology or from external events.

5. Strategic risk. The risk of poor performance resulting from poor strategy selection and its implementation.

6. Legal risk. This category is often a mixture of risks. There is the financial risk that banks call liquidity risk, arising from insufficient net positive cash flow or from exhausted capacity to raise equity or borrow cash. There is also risk from litigation (eg, in financial services, a lawsuit for losses caused by poor financial advice) and from compliance violations that attract penalties from regulatory authorities.

Operational and strategic risks are the key risk types in which organisations can match their risk exposure to their risk appetite. They can wager both on formulating the strategy and, subsequently, on implementing the strategic objectives that comprise that strategy.

Operational risk, as previously defined, includes many possibilities, such as quality, workforce hiring and retention, supply chain, fraud, manager succession planning, catastrophic interruptions, technological innovations and competitor actions.

As mentioned earlier, operational risk management covers both the potential benefits of risks taken and the opportunity cost of risks not taken. Should we enter a market we do not currently participate in? Should we launch an innovative product or service line while unsure of the size of the market or of competitors’ reactions? How much should we rely on technology to automate a process? Will our suppliers dependably deliver materials or services at the right time and at the right quality? Organisations need to measure their operational risk exposure and appetite before they can manage them.

Figure 12-1 illustrates aggregated quantitative risk measurement that guides balancing risk appetite with risk exposure.

Figure 12-1: Balancing Risk Exposure to Risk Appetite

The objective is not to eliminate all risk but, rather, to match risk exposure to risk appetite and tolerance.


Source: Copyright Gary Cokins. Used with permission.

RISK-BASED EPM FRAMEWORK

The premise behind a risk-based EPM framework is to link risk performance to business performance. Whether defined narrowly or more broadly, EPM does not currently embrace risk governance, but it should. Risk and uncertainty are too critical and influential to omit. For example, reputational risk caused by fraud (eg, Tyco International), a terrifying product-related incident (eg, Johnson & Johnson’s 1982 recall of Tylenol), or some other headline-grabbing event can substantially damage a company’s market value.

Figure 12-2 illustrates how strategy formulation and implementation (risk management plus performance management) combine to achieve the ultimate mission of any organisation, which is to maximise stakeholder value. The risk-based EPM framework’s four-step sequence includes direction setting by the executive leadership (Where do we want to go?), as well as the use of a compass and navigation to answer the questions ‘How will we get there?’ and ‘How well are we doing at getting there?’

Figure 12-2: Risk-Based Enterprise Performance Management (assessment, context, alignment, controls, monitoring)


Source: Copyright Gary Cokins. Used with permission.

The four-step sequence is as follows:

Step 1: Strategy Formulation and Risk Assessment. In Step 1, the executives review and assess the key value drivers of their market and environment, a process that includes identifying KRIs, which is essential to understanding the root causes of risk. Identifying KRIs is a predictive process. The organisation can react before a future event occurs by continuously monitoring variances between expected and re-forecasted KRIs. The risk assessment grid described in Figure 11-4 is used in this step.

Step 2: Strategy and Value Prioritisation. A key component of EPM is formulated in step 2: the organisation’s vision, mission and strategy map. Here the executives determine which markets, products and customers to target. The vision, mission and strategy map are how the executive team both communicates with and involves its managers and staff. The organisation then collectively identifies the vital few, manageable projects and selects the core processes at which to excel. Its actions are prioritised. This is also where research and development and innovation projects are incubated.

Step 3: Investment Evaluation. A plan is one thing, but budgeting for how much to spend in order to accomplish the plan is another. The amount of investment is determined in step 3, and making that determination involves strategy implementation. Today’s capital markets understand that customer value and shareholder value are not equivalent, nor are they positively correlated, but, rather, they have trade-offs with an optimum balance that companies strive to attain. This is why the annual budget and the inevitable rolling spending forecasts, typically disconnected from the executive team’s strategy, must be linked to the strategy.

Step 4: Performance Optimisation. In step 4, all the execution components of the EPM portfolio of methodologies kick into gear. These include, but are not limited to, customer relationship management, enterprise resource planning, supply chain management, activity-based cost management, and Six Sigma and lean management initiatives. Because the organisation will already have identified its mission-critical projects and selected its core processes in step 2, the balanced scorecard and dashboards, with their predefined KPIs, become the feedback mechanisms that steer the organisation in step 4. The balanced scorecard includes target-versus-actual KPI variance measures with drill-down analysis and colour-coded alert signals. The clockwise internal steps illustrated in Figure 12-2 (Improve, Adjust, Re-Monitor) are how employees collaborate to continuously re-align their work efforts, priorities and resources to attain the strategic objectives defined in step 2.

The four steps are a continuous cycle in which risk is dynamically re-assessed and strategy subsequently adjusted.

RISK MANAGERS: FRIEND OR FOE OF PROFIT GROWTH?

Are risk managers supportive of long-term profit growth, or do they present obstacles that might stifle it? This topic has unfortunately taken a dark edge recently. A recent report by the Economist Intelligence Unit, sponsored by The ACE Group, a global insurance company, and KPMG, is titled ‘Fall guys: Risk management in the front line’ [1]. In the report, a risk manager claims he was fired for telling his company’s board of directors that the organisation was taking on too much risk. Did management want to ignore a cautionary red flag in order to pursue higher profits? The question is whether strategy planners view risk managers as profit optimisers or as detractors.

The Economist Intelligence Unit report was based on extensive surveys and interviews, and the recent global financial sector meltdown was clearly on the minds of the respondents. The report highlighted that risk management and governance policies and structures require increased authority, visibility and independence. However, planned increases in investment and spending are modest or nonexistent, which is not a good sign. The reality is that the natural tension between the risk functions and the business’s aspirations for higher profit growth remains. The report’s key findings are as follows:

Strategic risk management is in a relatively embryonic stage. Executives view the identification of new and emerging risks as a key objective of risk management, but roughly two-thirds of them believe their organisation is weak at anticipating and measuring future risks.

Few organisations involve risk functions in key business decisions. Few companies expect risk functions to play a part in strategic decision making in the near future.

Risk management should shift its emphasis from preventative activities to proactive and supporting ones. Risk managers should expand beyond police-like controls and monitoring to also include identifying opportunities in order to achieve business objectives.

INVULNERABLE TODAY BUT AIMLESS TOMORROW

I continue to be intrigued by the fact that almost half of the roughly 25 companies that passed the rigorous tests to be listed in the once famous book by Tom Peters and Robert Waterman, In Search of Excellence, either no longer exist today, are in bankruptcy or have performed poorly. What happened in the 25 years since the book was published? My theory is that once an organisation becomes quite successful, it becomes averse to risk taking. Taking risks, albeit calculated risks, is essential for organisations to change and be innovative.

Classic managerial methods of past decades, such as total quality management, are now giving way to a trend of management by data. I would caution that extensively analysing historical data is not sufficient without complementing descriptive data with predictive information. The absence of reliable foresight explains why companies seem invulnerable one minute and aimless the next. An important competence that will be key to an organisation’s performance is a combination of forecasting and risk management.

Endnotes

1 See www.businessresearch.eiu.com/fall-guys.html.
