Integrating Risk & Performance Management
Long-term and sustained success of an organization is a function of two key factors: risk management and performance management. Strategic objectives form the base for the approach adopted for both.
Why do we need integration?
Risk management approaches are designed to enable organizations to reduce the uncertainty surrounding the achievement of their objectives. They are aimed at reducing the likelihood of occurrence of those events which are expected to negatively affect them. These approaches also focus upon mitigating the impact of such events on the objectives, in case the event does occur.
Performance management approaches focus on deciding the strategic objectives that an organization needs to achieve and on monitoring the progress of achievement through measurable parameters. This approach revolves around cascading these measurable parameters down to each individual in an organization. The monitoring system works around trend, deviation and root-cause analysis of these parameters. These individual parameters are then consolidated to establish and analyze the achievement of strategic objectives.
Figure 1 depicts a typical Enterprise Risk Management (ERM) and Performance Management framework in an organization. In a brick & mortar business, risk management has always been part of the finance function, comprising accountants and finance professionals. On the other hand, performance management finds its roots in the quality assurance and quality management functions, comprising engineers and other operational staff. Therefore, the methodologies and tools adopted in risk management and performance management differ even though, essentially, both work towards a common goal, i.e. the achievement of key objectives. Efforts and resources deployed in monitoring risk levels and performance achievements can be integrated if the approaches adopted are seamless and coordinated. However, due to the absence of a unified approach and structure, organizations tend to duplicate efforts and resources (energy) and, in many cases, findings and corrective actions tend to contradict each other.
The law of conservation of energy states that the total amount of energy in an isolated system remains constant. This concept can be extended to the efforts and resources (energy) deployed in developing and monitoring approaches leading to the achievement of strategic objectives of an organization. If the risk associated with non-achievement of an objective is reduced, the measurable parameters associated with that objective would automatically show positive trends.
How do we integrate?
A typical integration of risk management and performance management framework comprises the following, as depicted in Figure 2:
• Event identification and likelihood estimation is based on departmental targets, scorecards and resultant employee KPIs, which have been cascaded down from the strategic objectives of the organization
• The past trend and deviation analysis data provides inputs for event identification and likelihood estimation
• The resultant risk catalogs and matrix, along with the performance parameters, both departmental and individual, form the basis for creating a ‘Performance & Risk Based Internal Audit’ methodology and checklist
• A team of internal auditors is trained to roll out the internal audit, which would provide feedback consisting of the following:
- Level of achievement of various targets for the concluded period with reasons for non-achievement, through the trend and deviation analysis
- An update of the risk matrix and responses, through a fresh set of event and likelihood estimations, which are based on current trend and deviation analysis
- A consolidated action plan for risk mitigation and performance improvement
The implementation of an integrated framework depends a great deal on how these functions are structured in an organization; combining the risk management and business excellence functions of an organization is one of the first steps. Individuals who form part of this function need to be multi-skilled or, at the least, the function needs to have a healthy mix of individuals from the finance, process, HR & IT professions. These individuals would then need to be given a common platform and tools to think and operate cohesively. Irrespective of their professional skills, every individual needs to have sound analytical capabilities, a strong conceptual understanding of the business, very good interpersonal skills and, to say the least, be self-driven to achieve goals.
Creating a single risk management and business excellence function in an organization, which can integrate risk and performance management, would surely create a strong and sustainable model for the success and growth of an organization. The approach for such integration would be based on the business model and operating structure. Designing the right approach is critical to its success.