Integrating Risk Management with Performance Management * Margaret Woods Aston Business School

Transcription

1 Integrating Risk Management with Performance Management * Margaret Woods Aston Business School Why Risk Management Matters Sometimes it is the things you don t see that really matter. Source: Enron Corporation advertisement (2000). Certainly the investors in Enron found this to be true. What they could not see was the existence of fraud, questionable accounting practices and weak internal controls which ultimately resulted in the corporation s bankruptcy, and triggered major governance reforms in the USA and around the globe. Enron is an extreme example which illustrates the core truth that risk management matters. Post Enron, governance reforms around the world have served to raise the profile of risk management, and emphasise the need for a corporate wide approach to internal control that is overseen by the Board of Directors. In the US, this is most clearly demonstrated by the emergence of Enterprise Risk Management (ERM), which is defined as: a process, effected by an entity s board of directors, management and other personnel, applied in strategy setting across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives. (COSO, 2004, p.2) CIMA s Official Terminology defines risk management as the process of understanding and managing the risks that the organisation is inevitably subject to in attempting to achieve its corporate objectives. Both of these definitions establish common basic principles- that risk management is designed to ensure the achievement of corporate objectives. In practical terms, however, the introduction of an enterprise wide holistic risk management system poses a big challenge to all but the smallest of organisations. The financial crisis has clearly shown that enterprise wide risk management remains a dream rather than a reality for even the world s largest and once highly respected companies. Risk management has traditionally been practiced in a fragmented way, and focused on operational rather than strategic issues. Consequently, strategic risks have been managed * This article was originally published by the Chartered Institute of Management Accountants in 2007 in Excellence in Leadership Vol.2 pp Copyright rests with the author. 1

2 reactively rather than proactively. In contrast, a shift towards an ERM style of approach requires a willingness to move away from this silo based style of management in favour of a portfolio based system of risk management. This means that directors and senior management need to recognise that inter-linked operational activities within a company create exposure to a portfolio of inter-linked risks. Managers need to be encouraged to identify, measure and monitor the upside and downside risks that their decisions may create for the WHOLE of the organisation: the inter-relationship between what goes on in one division or business unit and the organisation s aggregate risk exposure must be clearly understood. The need is for joined up thinking. Senior managers also need to recognise that embedding a culture of risk management which takes an organisation wide perspective on issues can be made difficult by the apparent distance between company strategy and day to day operations. The challenges for risk management are very similar to those of performance management: how can the issue be made relevant to individual employees? How can individual involvement be demonstrated to be relevant to overall company performance? Parallels in risk management and performance management There are strong parallels to be drawn between performance management and risk management because they are both: Designed to ensure the achievement of corporate objectives. Organisation wide in their scope Designed to recognise organisational inter-dependencies The operational responsibility of line management Formalising the links between performance and risk management can begin by reference to the strategic planning process which links strategy and performance across all levels of the organisation. In developing its strategic plan, an organisation begins by defining its strategic focus, and then elaborating on how it will deliver its commitments under the plan and how it will measure success. The detail of the plan breaks this down into significant corporate annual targets and associated action plans which outline how all the various business activities contribute to the achievement of the strategies. If the organization uses a performance management system such as the Balanced Scorecard, individual scorecards can be developed for every level of the organization. The scorecards cascade down from corporate level, through divisional and business units down to the individual line managers. At each level the scorecards will be underpinned by plans showing the linkage between strategic objectives and targeted outcomes for that level. The scorecards may be complemented by strategy diagrams or maps which set out the plans 2

3 and actions that will deliver the performance measured by the scorecards as well as the relevant performance targets. The use of scorecards which cascade down through the corporate hierarchy ensures ownership of targets and also directly links them to the strategic plan. This can be taken down to the level of the individual manager by specifying and agreeing the targets in their personal performance and development appraisal meetings. Recording the allocation of targets to individual managers in the performance database also provides an audit pathway for each performance indicator. Figure 1 illustrates this type of control system, which encompasses performance planning, delivery, and monitoring. Figure 1: Cascading Down of Performance Measures and Monitoring Planning Delivery Monitoring Corporate Plan and Scorecard Divisional Plans and Scorecards Business Unit plans and scorecards Portfolio Strategy Maps & Performance Indicators Comparison of performance against targets Team and individual targets 3

4 The principle of cascading down responsibility for performance as shown in Figure 1 can also be applied to risk management. The underlying aim is to ensure that at all levels of an organisation, staff are: aware of the risks that may affect performance in the areas over which they have responsibility take responsibility for management of those risks performance and risk monitoring work in parallel to ensure achievement of corporate objectives The strategic maps that define how performance targets will be achieved can be complemented by risk maps that identify the key threats to successful delivery at each level of the organization. At the same time, responsibility for management of those risks can be specified by identifying owners of risks, and including details of such ownership in the performance management system. In other words, risk management and performance management can become fully integrated systems. Integrating Risk and Performance Management A key step towards integrating risk and performance management is the creation of a formal procedure for risk identification, assessment and allocation of responsibility. The identification and assessment of risks is vital and it is now common practice for most organizations to maintain a key risk register. The key risks are those which pose a major threat to survival and these must be managed at a very senior level. In their annual reports many large companies now state that responsibility for their management and monitoring rests with the Board of Directors. For example, the 2005 Annual Report of Hammerson plc, a FTSE 100 listed real estate company states: The risk management procedures involve the analysis, evaluation and management of the key risks to the group, including those relating to joint venture arrangements and plans for the continuance of the Company s business in the event of unforeseen interruption. The Board has allocated responsibility for the management of each key risk to Executive Directors and senior executives within the group who report on these risks to the Board. Any recommendations arising from such reports and reviews are implemented under the supervision of the Board. The statement reveals that each key risk is owned by an Executive Director. An identifiable person is thus answerable if the risk becomes effective. If responsibility for management of key risks is in the hands of the board, this leaves open the question of the systems used to manage all other risks i.e. the business level risks that may encompass compliance, financial or operational dimensions. The precise terminology 4

5 varies from company to company, but these are risks which do not pose a major threat to survival but may nonetheless impact upon corporate performance, and may be caused by factors either internal or external to the business. Examples might include property maintenance, regular untimely deliveries of essential components, a shift in consumer taste away from specific products, or a need to recall faulty goods. All of these issues may damage company performance in both financial and non financial terms, but can be overseen by operational managers rather than at Board level. In the view of the Head of International Audit as Tesco plc, accountability for managing risk lies clearly with line managers. If this is the case, then identifiable lines of responsibility and reporting must be established, and risk and performance management inter-linked. Every individual manager should be asked to take each performance target for which they are responsible, and produce a list of the risks that may cause performance to fall below target. In this way the risks become embedded in the performance scorecard and in so doing the practice of risk management matches up to its definition as the process of understanding and managing the risks that the organisation is inevitably subject to in attempting to achieve its corporate objectives. The risks can be ranked by using a matrix system to assess both their likelihood and consequences. This ranking helps to focus attention on potential problems and also facilitate the identification if risks that may need to be managed at a more senior level within the organization. The risk matrices for each manager can also be directly linked to individual appraisal and remuneration plans. The net result is a performance scorecard and risk scorecard that run in parallel and perform strategically important and complementary roles. Management control systems are used to monitor actual against expected results in terms of both performance and risk, and the outcome of these reviews helps to inform future business planning and internal audit planning by highlighting areas where controls may be failing. Figure 2 illustrates how this type of integrated system might work in practice. 5

6 Figure 2: Integrating Performance and Risk Management Performance Corporate plan and scorecard Risk Corporate key risk matrix Monitoring Divisional Plans and scorecards Divisional Risk Matrices Performance Indicators an + Business Unit plans and scorecards Business Unit risk matrices Risk ownership + Team and individual targets Team and Individual risk matrices Comparison of risk and performance against targets 6

7 Conclusion The system outlined above ensures that risk management is cascaded down through an organization so that individual business units and line managers take responsibility for identifying their own risks and are also held accountable for their management. In so doing it provides a governance structure that integrates performance and risk management to facilitate achievement of the priorities laid down in the strategic plan. Reference Committee of Sponsoring Organisations of the Treadway Commission (COSO) (2004), Enterprise Risk Management, AICPA,New York, NY. 7