Integrating Risk Management with Performance Management *
Margaret Woods, Aston Business School




Why Risk Management Matters

"Sometimes it is the things you don't see that really matter." Source: Enron Corporation advertisement (2000).

Certainly the investors in Enron found this to be true. What they could not see was the existence of fraud, questionable accounting practices and weak internal controls, which ultimately resulted in the corporation's bankruptcy and triggered major governance reforms in the USA and around the globe. Enron is an extreme example, but it illustrates the core truth that risk management matters.

Post Enron, governance reforms around the world have served to raise the profile of risk management and to emphasise the need for a corporate-wide approach to internal control that is overseen by the Board of Directors. In the US, this is most clearly demonstrated by the emergence of Enterprise Risk Management (ERM), which is defined as:

"a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives." (COSO, 2004, p.2)

CIMA's Official Terminology defines risk management as "the process of understanding and managing the risks that the organisation is inevitably subject to in attempting to achieve its corporate objectives."

Both of these definitions establish a common basic principle: that risk management is designed to ensure the achievement of corporate objectives. In practical terms, however, the introduction of an enterprise-wide, holistic risk management system poses a big challenge to all but the smallest of organisations.
The financial crisis has clearly shown that enterprise-wide risk management remains a dream rather than a reality for even the world's largest and once highly respected companies. Risk management has traditionally been practised in a fragmented way, focused on operational rather than strategic issues. Consequently, strategic risks have been managed reactively rather than proactively. In contrast, a shift towards an ERM-style approach requires a willingness to move away from this silo-based style of management in favour of a portfolio-based system of risk management. This means that directors and senior management need to recognise that inter-linked operational activities within a company create exposure to a portfolio of inter-linked risks. Managers need to be encouraged to identify, measure and monitor the upside and downside risks that their decisions may create for the WHOLE of the organisation: the inter-relationship between what goes on in one division or business unit and the organisation's aggregate risk exposure must be clearly understood. The need is for joined-up thinking.

Senior managers also need to recognise that embedding a culture of risk management which takes an organisation-wide perspective on issues can be made difficult by the apparent distance between company strategy and day-to-day operations. The challenges for risk management are very similar to those of performance management: how can the issue be made relevant to individual employees? How can individual involvement be shown to be relevant to overall company performance?

Parallels in risk management and performance management

There are strong parallels to be drawn between performance management and risk management because they are both:
- designed to ensure the achievement of corporate objectives;
- organisation-wide in their scope;
- designed to recognise organisational inter-dependencies;
- the operational responsibility of line management.

Formalising the links between performance and risk management can begin by reference to the strategic planning process, which links strategy and performance across all levels of the organisation. In developing its strategic plan, an organisation begins by defining its strategic focus, and then elaborates on how it will deliver its commitments under the plan and how it will measure success.

* This article was originally published by the Chartered Institute of Management Accountants in 2007 in Excellence in Leadership, Vol. 2, pp. 32-35. Copyright rests with the author.
The detail of the plan breaks this down into significant corporate annual targets and associated action plans, which outline how all the various business activities contribute to the achievement of the strategies. If the organisation uses a performance management system such as the Balanced Scorecard, individual scorecards can be developed for every level of the organisation. The scorecards cascade down from corporate level, through divisions and business units, to the individual line managers. At each level the scorecards will be underpinned by plans showing the linkage between strategic objectives and targeted outcomes for that level. The scorecards may be complemented by strategy diagrams or maps which set out the plans and actions that will deliver the performance measured by the scorecards, as well as the relevant performance targets.

The use of scorecards which cascade down through the corporate hierarchy ensures ownership of targets and also directly links them to the strategic plan. This can be taken down to the level of the individual manager by specifying and agreeing the targets in their personal performance and development appraisal meetings. Recording the allocation of targets to individual managers in the performance database also provides an audit pathway for each performance indicator. Figure 1 illustrates this type of control system, which encompasses performance planning, delivery and monitoring.

Figure 1: Cascading Down of Performance Measures and Monitoring
[Diagram with three columns: Planning, Delivery, Monitoring. Planning cascades from the Corporate Plan and Scorecard, through Divisional Plans and Scorecards and Business Unit plans and scorecards, down to Team and individual targets. Delivery: Portfolio Strategy Maps and Performance Indicators. Monitoring: Comparison of performance against targets.]

The principle of cascading down responsibility for performance, as shown in Figure 1, can also be applied to risk management. The underlying aim is to ensure that, at all levels of an organisation, staff:
- are aware of the risks that may affect performance in the areas over which they have responsibility;
- take responsibility for management of those risks;
- monitor performance and risk in parallel to ensure achievement of corporate objectives.

The strategy maps that define how performance targets will be achieved can be complemented by risk maps that identify the key threats to successful delivery at each level of the organisation. At the same time, responsibility for management of those risks can be specified by identifying owners of risks, and including details of such ownership in the performance management system. In other words, risk management and performance management can become fully integrated systems.

Integrating Risk and Performance Management

A key step towards integrating risk and performance management is the creation of a formal procedure for risk identification, assessment and allocation of responsibility. The identification and assessment of risks is vital, and it is now common practice for most organisations to maintain a key risk register. The key risks are those which pose a major threat to survival, and these must be managed at a very senior level. In their annual reports many large companies now state that responsibility for their management and monitoring rests with the Board of Directors. For example, the 2005 Annual Report of Hammerson plc, a FTSE 100 listed real estate company, states:

"The risk management procedures involve the analysis, evaluation and management of the key risks to the group, including those relating to joint venture arrangements and plans for the continuance of the Company's business in the event of unforeseen interruption. The Board has allocated responsibility for the management of each key risk to Executive Directors and senior executives within the group who report on these risks to the Board. Any recommendations arising from such reports and reviews are implemented under the supervision of the Board."

The statement reveals that each key risk is owned by an Executive Director or senior executive. An identifiable person is thus answerable if the risk materialises.

If responsibility for management of key risks is in the hands of the Board, this leaves open the question of the systems used to manage all other risks, i.e. the business-level risks that may encompass compliance, financial or operational dimensions. The precise terminology varies from company to company, but these are risks which do not pose a major threat to survival but may nonetheless impact upon corporate performance, and may be caused by factors either internal or external to the business. Examples might include property maintenance, regular untimely deliveries of essential components, a shift in consumer taste away from specific products, or a need to recall faulty goods. All of these issues may damage company performance in both financial and non-financial terms, but can be overseen by operational managers rather than at Board level. In the view of the Head of International Audit at Tesco plc, accountability for managing risk lies clearly with line managers.

If this is the case, then identifiable lines of responsibility and reporting must be established, and risk and performance management inter-linked. Every individual manager should be asked to take each performance target for which they are responsible and produce a list of the risks that may cause performance to fall below target. In this way the risks become embedded in the performance scorecard, and the practice of risk management matches up to its definition as "the process of understanding and managing the risks that the organisation is inevitably subject to in attempting to achieve its corporate objectives."

The risks can be ranked by using a matrix to assess both their likelihood and their consequences. This ranking helps to focus attention on potential problems and also facilitates the identification of risks that may need to be managed at a more senior level within the organisation. The risk matrices for each manager can also be directly linked to individual appraisal and remuneration plans. The net result is a performance scorecard and a risk scorecard that run in parallel and perform strategically important and complementary roles.

Management control systems are used to monitor actual against expected results in terms of both performance and risk, and the outcome of these reviews helps to inform future business planning and internal audit planning by highlighting areas where controls may be failing. Figure 2 illustrates how this type of integrated system might work in practice.

Figure 2: Integrating Performance and Risk Management
[Diagram with three columns: Performance, Risk, Monitoring. Performance cascades from the Corporate plan and scorecard, through Divisional plans and scorecards and Business Unit plans and scorecards, to Team and individual targets. Risk cascades in parallel from the Corporate key risk matrix, through Divisional risk matrices and Business Unit risk matrices, to Team and individual risk matrices. Monitoring: Performance indicators and risk ownership at each level, with comparison of risk and performance against targets.]

Conclusion

The system outlined above ensures that risk management is cascaded down through an organisation so that individual business units and line managers take responsibility for identifying their own risks and are also held accountable for their management. In so doing it provides a governance structure that integrates performance and risk management to facilitate achievement of the priorities laid down in the strategic plan.

Reference

Committee of Sponsoring Organizations of the Treadway Commission (COSO) (2004), Enterprise Risk Management: Integrated Framework, AICPA, New York, NY.