Risk has always been an integral part of business, but dealing effectively with risk is a progression. Indeed, history shows businesses adapting and coping better with risk through innovation. The importance of using information technology to manage risk is growing because today’s systems can automatically measure and analyze a much broader set of risk factors than individuals can, and do so more reliably. But a key challenge companies face in implementing enterprise risk management is developing a process for defining and measuring risk.
The objective of enterprise risk management is to optimize risk. By that I mean defining an organization’s risk tolerance and taking steps to minimize risk within the context of its tolerance. Ideally, optimization is accomplished through a formal process of seven steps:
- Identification lists the relevant risks and defines their precursors. It answers these questions: What usually goes wrong? What is the source of the risk? What usually happens before something goes wrong?
- Analysis and quantification define the consequences of the risk, where the impact falls and who controls the impact under which circumstances, and estimate the cost and probability of the risk.
- Risk integration, a step specific to enterprise risk management, lists risks that are correlated across business units, identifies portfolio effects (where risks in individual business units may cancel each other out) and aggregates the risks within business units and across the enterprise.
- Assessment initially arrays the risks at the business unit level based on their cost and probability, refines those priorities at the business unit level based on management objectives and then further refines priorities at the corporate level.
- Response requires a company to address each of the identified risks. Some it may take steps to eliminate entirely because both the probability of the risk occurring is high and the consequences if it does are steep. In other cases, it can take steps to reduce the impact of a risk by narrowing the probability that it will occur or having responses in place to mitigate its impact. It can insure the risk fully or in part with third parties or self-insure it because of a cost/benefit calculation.
- Monitoring involves implementing continuous and consistent methods of tracking risks, reporting and alerting when these risk events (or their precursors) occur and measuring and assessing responses to them.
- Review is a periodic, fact-based secondary assessment because risks themselves are not static and all organizations learn from their successes and failures in identifying and dealing with risks.
This is a comprehensive model, but, alas, few corporations undertake this sort of rigorous risk management effort. Most set their risk parameters through a potpourri of explicit policies or more often by less formal means. And even in those cases, most companies don’t establish the appropriate metrics for these risks and therefore have a difficult time monitoring them.
Short of the major effort of overhauling a corporation’s attitudes and practices, the next best way to improve enterprise risk management is to focus on establishing key risk indicators on a bottom-up basis (defining risks and their appropriate metrics) and incorporating risk explicitly in performance management processes. Even without a rigorous, company-wide effort, companies should create key risk metrics for individuals and business units. Using them, executives and managers can assess performance of individuals or business units in a way that takes these risk metrics into account in determining how well they have performed.
“Risk-adjusted performance” is a concept central to investment management. Portfolio managers are assessed on their risk-adjusted returns, not their absolute returns, because they can show superior results by taking above-average risks – but usually only for a while. Using risk-adjusted returns is a way of handicapping their performance so that the returns of those taking on average or even less risky investments are measured on a common scale with the returns of those making chancier bets.
Similarly, focusing only on business objectives without explicitly considering risk can produce results that are not in the best interest of senior executives, the business owners or employees as a whole, as I pointed out in an earlier blog.
Another factor contributing to the neglect of enterprise risk management is that purveyors of balanced scorecards leave this important factor out. The balanced scorecard technique emerged as a way to address the unintended negative consequences of simplistic performance measurement systems that focus on one or a few metrics. The scorecards are “balanced” because they incorporate metrics that model the kinds of trade-offs that intelligent executives or managers would want their direct reports to make. If, for example, call centers only measure call times, customer satisfaction will suffer because agents will attempt to get callers off the phone as soon as possible, regardless of whether their questions have been answered or their issues have been addressed. A balanced scorecard therefore would include first-call-resolution percentage as a compensating metric to call times. Similarly, risk should be considered in assessing how well an individual or business unit has done. Doing so provides a more balanced evaluation of performance and focuses individuals on key risks and their relative importance.
Most companies don’t need new software to implement enterprise risk management. Whatever systems they use to collect and report data will do the job of collecting and disseminating risk data and risk metrics. If they have a scorecard application, they can incorporate key risks into it. Implementing risk management requires executives to participate so the appropriate attention is paid to defining key risks, determining how to measure and monitor them, and ensuring complete data is available for this purpose. In good times, disasters and scandals only briefly raise awareness of dangers to the business. Challenging economic environments, such as the one we’re in today, tend to focus executives’ attention on risk. There’s no better time to deal with its implications.
Robert Kugel – SVP Research