Exhibit 1: Structure of a heat map

Transcription

1 Integrating risk and performance management processes Werner Bruggeman Geert Scheipers Valerie Decoene 1. Introduction Years ago, Kaplan & Norton interviewed managers about their time consumption and they found out that 85% of senior managers spent less than one hour per month on discussing about strategy. Most managers even spent less time on managing risks. Traditionally, companies management systems were focused on shareholder value, revenue growth, productivity, cost control and quality (Kaplan, 2009). Few companies explicitly incorporated risk into their management system. All of these changed due to the eruption of the financial crisis in Companies started wondering about the risks they were subject to. Risk management is not new; in 1988 the Basel I norm was introduced for banks and this norm was renewed in 2007 by the Basel II norm hence institutionalizing risk management for banks. Companies in other industries could rely on ERM (Enterprise Risk Management) and COSO (Committee of Sponsoring Organizations of the Treadway Commission) standards to organize their risk management; ERM is the process applied to strategy setting and across the organization to identify potential risk events, manage the risks within the organization s risk appetite and provide reasonable assurance regarding the achievement of the organization s objectives (COSO, 2004). Many companies established their own risk department and risk professionals had their own organizations. Despite all these precautions to handle risks more appropriately, a lot of companies were affected by the emanations of the financial crisis because of their exposure to risks. Main reason for this failure was the companies failure to explicitly account for risks when formulating their strategies, and their failure to monitor and manage the risks they had assumed (Kaplan, 2009, p 2). 2. Linking Risks to strategy To tackle these problems Kaplan and Norton decided to further expand their strategy execution framework and incorporate risk management into it. Risk management needs to be incorporated in the company s corporate DNA because it permeates every area and aspect of business and it has to be anticipative. By using the BSC-based strategy and performance management process, companies would be able to alleviate some of the excessive risk taking that they pursue for short-term financial gain and they could adopt a holistic view of risks. 1 Delaware Performance Management - Belgium The Netherlands France United States Asia Pacific

2 Kaplan (2009) classified risks into three categories based on their degree of predictability, controllability, management and magnitude of their consequences to the enterprise: 1. The lowest level level 3 comprises routine operational and compliance risks. These are risks arising from errors in routine, standardized and predictable processes that expose the company to a substantial loss. Companies try to minimize the level 3 defects and strive for zero deficiency by training its staff and the establishment of standard operating procedures and internal controls. We can say that level 3 risks are known and avoidable; hence management strives to achieve full compliance and zero defects. 2. The second level of risks is about strategy risks being risks inherent in the company s strategy; possible strategy risks are financial risk; customer, brand, and reputation risk; supply chain risk; innovation risk; environmental risk; human resources risk; and information technology risk; called the known unknowns. Such a whole list of possible risks could imply a complex risk management process, specific to each type of risk. However, the strategy map gives an overview of the companies strategic objectives and the interrelationships between them and can serve as a natural framework for identifying, mitigating and systematically managing the risks to a company s strategic objectives in an integrated and comprehensive manner (Kaplan, 2009, p 3). Hence, risk management can be incorporated into a company s strategy map: a strategy map identifies the Key Success Factors (KSFs) to realize the company s strategy. Those KSFs are made operationally by Key Performance Indicators (KPIs) and strategic initiatives are formulated to close the gap between current and desired performance. This part of the strategy map represents a positive idea: how are we moving forward to achieve an outstanding performance? Starting from the same strategy map, managers can think about events that could prevent an objective from being achieved. These events are called risks and are made operationally by Key Risk Indicators (KRIs). Actions can be formulated to keep these KRIs on track and hence identify, avoid and overcome the barriers that the strategy may encounter. Risk thus represents the negative idea but both risk and strategy are sides of the same coin and should be managed in an integrated way. 3. The third level of risks is called the unknown unknowns, black swans (Nassim Nicholas Taleb, 2007) or global enterprise risks. These risks are unpredictable, unprecedented occurrences that create existential risk. Companies should gain an insight in which unlikely event(s) could lead to their downturn. They can do this by organizing active discussions of unlikely events and their consequences these meetings are called tail-risk meetings since the likelihood of these events is in the tail of the probability distribution or by scenario planning; managers gain an insight in the correlated consequences of future events and are forced to think about their strategy in another way. These discussions or scenario planning can be incorporated in the sixth stage of the strategy execution system as defined by Kaplan and Norton: Test and Adapt the Strategy. Organizations have to test the robustness of their strategy. 2 Delaware Performance Management - Belgium The Netherlands France United States Asia Pacific

3 The strategic risk management process consists of 5 building blocks: 1. Strategy formulation and risk identification: Each company should articulate a clear and sound strategy. This strategy should be made visible by using a strategy map according to the BSC-principles (Kaplan & Norton, 1996). The strategy map gives an overview of the company s critical success factors to realize its strategy and the relationships among them. The KSFs represent hence a positive idea referring to the company s desired future. However, the strategy map provides also a framework to think about the negative side of the strategy story. It can help to identify the possible barriers to the realization of the strategy: risks. A risk is the possibility that an event will occur and adversely affect the achievement of the company objectives (COSO, 2004). Each KSF identified to realize the strategy can be linked with a risk; an event representing a barrier to the realization of the strategy. 2. Strategic and operational risks: A company should identify its key risk areas. Risks can occur at the strategic and operational level; strategic risks are about the events endangering the realization of the company s strategy and operational risks are about the possible negative effects arising from operational malfunctions. 3. Risk assessment: development of the heat map and the key risk indicators. A heat map is constructed by estimating two parameters: the likelihood of an event and the magnitude of the event s consequences. Each event gets a color code according to its position on the matrix (see exhibit 1 Exhibit 1: Structure of a heat map The heat map hence can be used to prioritize; risk events with a high score should get priority for the limited budget available for mitigating and preventing risks (Kaplan, 2009). For each risk a KRI can be identified and according to that, strategic initiatives are proposed. So the strategy map and BSC provide a framework for capturing both strategic initiatives concerning the realization of the strategy and the overcoming of possible barriers to its realization. 3 Delaware Performance Management - Belgium The Netherlands France United States Asia Pacific

4 4. Identification of control activities: When all risks and KRIs are identified, strategic initiatives can be formulated to keep the risks under control. The risk existing before taking corrective action is called the inherent risk; risk after executing a control activity is called residual risk. Concerning taking corrective actions to control risks, 4 possible strategies can be followed: (1) acceptance: the company accepts that it runs certain risks; (2) avoidance: the company avoids certain risks by shutting down some activities; (3) sharing: the company will share some of its risks with third parties by for example sourcing an activity out; and (4) reduction: the company will control the risks by applying appropriate control procedures for processes, employees, etc 5. Risk governance: Risk committee and risk management process: For a company to be resistant against crises and build out a robust strategy, risk management should be integrated in the strategy management process. Applying the Strategy Focused Organization model of Kaplan and Norton (Kaplan and Norton, 2001) Risk management should be developed along five dimensions (see exhibit 2): top management must be committed to manage risks effectively, company risks should be identified in operational terms, risk management strategies should be cascades vertically and horizontally in the organization, risk management should be everybody s job and risk management should be governed as a continual process. Exhibit 2: The five principles of Strategic Risk Management In organizing Risk Management as a continuous process companies may assign the risk management responsibility to the Office of Risk Management (ORM). Kaplan and Mikes (2011) prescribe that specific types of risk are best managed by specific staff functions, carrying out critical risk management processes (see exhibit 3) but 4 Delaware Performance Management - Belgium The Netherlands France United States Asia Pacific

5 the responsibility of the Office of Risk Management may be to coordinate and oversee the risk-management activities across the enterprise. Exhibit 3: Critical risk management processes according to type of risk 3. Strategic Risk Management at De Lijn, Belgium De Lijn is a public carrier, providing urban transport by bus and tram, founded in 1990 when the Belgian federal government transferred the responsibility for urban transport to the three Belgian regions. De Lijn found that they lacked insight in the risks that could withhold them from realizing their strategy. De Lijn already had an internal audit department but according to the rules of the Institute of Internal Auditors (IIA) the internal auditor should evaluate the risk management system but should not install it himself; this should be the task of the strategic management officer. In line with earlier work of Kaplan (2009) De Lijn decided to integrate its risk management process into its strategy process under the coaching of Delaware Performance Management. During an earlier phase of their strategy and visioning process, De Lijn already had developed a clear vision, mission and strategy. The strategy was made visible by use of a strategy map and cascaded down to the different entities (= Flemish provinces) and functional domains of De Lijn, assuring alignment of the corporate and lower level strategy maps. In a next phase the objective was to link the risk management process to those strategy maps. In the next months of the project, De Lijn implemented the 5 building blocks of the integrated risk management system: (1) Risks were identified using the preexisting strategy maps and for each KSF a KRI was established; (2) De Lijn categorized its possible risks into 2 categories being strategic and operational risks; (3) De Lijn assessed each risk s possible impact and likelihood in a heat map; (4) De Lijn identified control activities for the most prioritized risks; and (5) De Lijn appointed the responsibility of risk management to its Office of Strategy Management (OSM). 5 Delaware Performance Management - Belgium The Netherlands France United States Asia Pacific

6 1. Strategy formulation and risk identification: De Lijn already disposed of a clear and sound vision and strategy which was translated into a strategy map. The strategy map provided De Lijn with an insight into its Key Success Factors (KSFs) and their interrelationships. This map was at the same time the framework to identify possible risks that could withdraw De Lijn from realizing its strategy. For each KSF two parameters could be defined: from a positive standpoint each KSF could be characterized by a Key Performance Indicator (KPI) but from a negative standpoint each KSF could be linked to a risk, being an event withholding the company from realizing its strategy. Each risk could be characterized by a Key Risk Indicator (KRI). Example: the ultimate goal of the company was to make sure that its customers arrive safely on their destination. To realize this goal, the company has to deliver an excellent and reliable service. Excellent and reliable service was considered as an important KSF to realize the strategy. This KSF was linked with a KPI: the % of satisfied customers measured by the customer survey. However, on time delivery could be disturbed by certain risks such as a crash of the IT-systems. The appropriate KRI to track this risk was then the frequency with which the IT-systems are updated. 2. Strategic and operational risks: De Lijn made a distinction between risks threatening the realization of the strategy being strategic risks and possible negative effects arising from operational malfunctions being operational risks (see exhibit 4). Example: important strategic objectives in the strategy map were related to improving travelling comfort and experience, reliability of travelling times and service. The strategic risk related to these objectives was discontinuity of the services. A related operational risk was a major mistake by an employee. This risk was linked to the schedule monitoring process. Exhibit 4: Identifying strategic and operational risks 6 Delaware Performance Management - Belgium The Netherlands France United States Asia Pacific

7 3. Risk assessment: Managers of De Lijn estimated the likelihood and possible impact of each identified risk to position them in a heat map matrix. The heat map gave managers a support for prioritizing the different risks. Special attention was given to the risks in the red zone (i.e. high probability and high impact). These were monitored more carefully than risks in the green zone (i.e. low probability and low impact). 4. Identification of control activities: For the highly prioritized risks, De Lijn set out control activities to handle and control those risks carefully. These control activities gave De Lijn the opportunity to estimate the impact of the strategic initiatives to the inherent risk and hence calculate the residual risk. Example 1: De Lijn s employees are affiliated with a labor union. The strong unionized atmosphere makes it complex to control the organization, could impede the implementation of strategic changes and increased the chance for strikes. To minimize this risk the management decided on two important risk mitigating initiatives. They implemented a program of ameliorating the relationship with the unions and decided to let them participate in the strategy process. Example 2: The Lijn s high visibility in the media caused a risk that people could create a negative image about the organization. In order to minimize this risk De Lijn formulated some important new strategic initiatives (e.g. the implementation of a stakeholder management program and the organization of a unified external communication platform). 5. Risk governance. De Lijn decided to implement risk management as a continuous process. De Lijn secured this continuity by integrating its risk management system into its strategy management process and assigned risk management as being one of the responsibilities of the Officer of Strategy Management (OSM). The OSM became responsible for coordinating, coaching and monitoring of the company wide risk management processes. The OSM s role and responsibilities were clearly differentiated from the responsibilities of the internal auditor, who had to stay independent. The OSM reported to the General Manager while the internal auditor had to report to the board. The roles assigned to the OSM were roles that typically cannot be undertaken by the internal auditor (see exhibit 1). The internal auditor s role is to evaluate the risk management system and not to install it. Exhibit 1: Roles of the internal auditor 7 Delaware Performance Management - Belgium The Netherlands France United States Asia Pacific

8 Key learnings This case highlights the added value of integrating the strategy and risk management process. Risks can be identified and controlled by using the corporate strategy map as framework since strategy and risk management are two sides of the same coin; strategy management is about the bright future; where are we going to?;and risk management is about identifying, avoiding and overcoming the hurdles that the strategy may encounter along the way. Enterprise Risk Management is too much organized as a stand-alone process. ERM only focuses on the risks and has no attention for the company strategy. Strategy Focused Organizations use a more holistic approach: both strategy and risks are managed in relationship with each other. Furthermore, the case made clear that KPIs and KRIs should be identified separately. Strategy and risks are something completely different and hence should be measured differently. However KPIs, KRIs and strategic initiatives and risk mitigating initiatives should be linked to the corporate strategy map. Furthermore, the case illustrates how the risk management function can be integrated into the Office of Strategy Management. Besides its roles in developing, aligning and communicating the strategy and monitoring strategy the OSM function may also be responsible for coordinating, coaching and implementing the Enterprise Risk Management and make it an integrated part of the company s strategy and performance management process. Literature: Kaplan R.S., Risk Management and the Strategy Execution System, Balanced Scorecard Report, November-December Kaplan R.S. and A. Mikes, Managing the Multiple Dimensions of Risk: part I, Balanced Scorecard Report, July-August 2011, vol. 13, N 4. Mikes A. and Kaplan R.S., Managing the Multiple Dimensions of Risk Part II, Balanced Scorecard Report, September-October 2011, Vol. 13, N 5. About Delaware Performance Management Delaware Performance Management has a long experience in coaching companies in developing and implementing new strategies and driving organizational change. During their coaching projects We follow an integrated methodology and use the latest developments in the area of strategy and performance management. Delaware Performance Management is one of the founding partners of the Strategy Management Collaboratives (SMC), the applied research and consulting network in association with the Harvard Business School Professor Robert Kaplan and David Norton. In this knowledge network Delaware Performance Management serves as the Center of Excellence of Organizational Performance Management. 8 Delaware Performance Management - Belgium The Netherlands France United States Asia Pacific