How to integrate strategy and risk management

Lord Turner, Chairman of the UK’s Financial Services Authority, said about the Credit Crunch, “The failure to properly evaluate and challenge risk of overall business strategies was probably the biggest intellectual failure of boards, regulators and shareholders.”

The financial crisis illustrated that in the digital era, strategies cannot be responsibly executed by organizations without fully considering and managing the accompanying risks and, perhaps most importantly, their appetite for risk: after all, most of the financial institutions that suffered catastrophic losses believed they had sophisticated risk management instruments and processes. Appetite, alas, was hardly considered. As Citigroup’s Chief Executive, Charles O. Prince, said in July 2007, “As long as the music is playing, you’ve got to get up and dance. We’re still dancing.” And dance they did, all the way to a 90% fall in their share price.

Risk-based performance management

Our book, Risk-Based Performance Management: Integrating strategy and risk management, introduced the Risk-Based Performance Management (RBPM) framework and methodology, which provides organizations with an integrated strategy and risk management approach that places risk, and specifically risk appetite, at the core of strategy execution (Figure 1).

Figure 1: The Risk-Based Performance Management framework

Bringing strategy and risk closer together is right and proper and fundamentally important, but it is working within the parameters of appetite – “the amount and type of risk that an organization is willing to accept, and must take, to achieve their strategic objectives and therefore create value for shareholders and other stakeholders” – that will enable organizations to both establish the controls and inculcate the agility that are required in today’s markets.

Although risk appetite is the central pivot of the RBPM framework and methodology, the approach is essentially a strategic management methodology, not a risk management solution. The RBPM methodology begins with formulation of strategy, and in execution enables organizations to align risk taking to strategy to drive sustainable strategic execution.

Note that although, for ease of explanation and reference, the RBPM framework is described here as sequential steps, in application it has to be understood holistically, with added clarity around the interdependencies between the disciplines. As examples:

  • Appetite serves as an overarching determinant through the framework and methodology
  • Managing Performance and Risk happen simultaneously and indeed work in unison with both involving an interrelated set of indicators
  • The outcomes from the Aligning Risk-Taking with Strategy step directly inform earlier steps
  • The Governance, Communication and Culture piece ensures that any excellent work in aligning risk, and in particular that of risk appetite, with strategy management is not undone by inappropriate behaviors


The most important element of the RBPM approach is that of Appetite. This is about defining the organization’s appetite for risk within the context of strategy and then executing accordingly.

By defining a clear statement of risk appetite, the board and executive can establish clear boundaries within which the organization can execute the strategy and manage risk. It also provides the foundation for cascading the strategy and risk management disciplines through the organization, thus shaping the organization culture.

Set strategy

In the context of RBPM, the Strategy Management discipline is about developing a clear sense of direction as to where the organization is going, how much risk it is willing or required to accept to get there, and what the key opportunities and threats are along the way.

At the formulation stage, risk appetite plays a central role in that it broadly defines the risk boundaries for the subsequent execution phase. Risk appetite should play a key role in strategic options evaluation and the decision-making processes around which option(s) the organization will pursue.

Managing performance

For this discipline, RBPM draws mainly from the Balanced Scorecard strategy execution framework that comprises a Strategy Map and a scorecard. The Strategy Map describes how value is created through cause-and-effect relationships between objectives. Supporting the Strategy Map is a scorecard of KPIs, targets and strategic initiatives. The KPIs are used to track progress to the objectives, targets are set over the lifetime of the strategic plan, and initiatives are launched to close targeted performance gaps.

The Strategy Map and scorecard are collocated according to four perspectives (although the exact number and even titles are not mandated) that are described hierarchically, with shareholder (or financial) at the apex and then flowing down through customer, internal processes, and learning and growth. A slightly different hierarchy is typically used in the public sector.

At the measurement level, the RBPM methodology brings clarity through the use of three types of indicators: KPIs, Key Risk Indicators (KRIs) and Key Control Indicators (KCIs). KPIs form part of the Managing Performance discipline of RBPM, while KRIs and KCIs fall within Managing Risk. Each of these indicator types provides different, yet complementary, data to support management conversations and decision making.

Managing risk

Risk management is all about understanding the risks the organization faces in pursuit of its objectives, and the continuous monitoring and management of those risks. It is also about understanding that risks can present opportunities as well as threats.

As with objectives, a broad set of key risks are identified as part of the strategy management process. These are then monitored and managed to increase the probability that the objectives of the organization will be achieved.

A key part of the risk management process is regularly assessing risk to understand the level of risk that the organization is taking. Typically, this is done on the basis of a Likelihood × Impact assessment, which provides an “at risk” value, and can be used as one of the steers to identify where risk mitigation interventions are required.

One of the main ways that risks are managed is via an effective controls environment. Controls are the processes, policies, practices or other devices or actions designed to effect control over the risk. Key controls should be defined for each risk identified and the effectiveness of those controls regularly assessed. The key controls can be either preventive, that is, designed to reduce the likelihood of the risk materializing, or detective, that is, designed to detect when a risk has materialized.

Aligning risk-taking with strategy

A key component of “operating within appetite” is what we call appetite alignment: the process of continuously aligning current risk exposure to the defined risk appetite. To translate into simple terms, it is about understanding if an organization’s current risk-taking is aligned to its chosen business strategy, that is, are we operating within appetite?

The RBPM methodology introduces a new and innovative tool for managing and assessing appetite, the Appetite Alignment Matrix, which assesses an organization’s exposure to risk against its agreed appetite levels (Figure 2).

Figure 2: Appetite Alignment Matrix

One of the key benefits of paying close attention to appetite and one that is rarely recognized is that doing so sometimes leads organizations to take on more risk, because in doing so they are still “operating within appetite”. Managing risk is about exploiting opportunities as well as minimizing threats.


It is generally agreed that a failure of corporate governance was a major contributor to the Credit Crunch. Such failure was somewhat surprising as corporate governance is hardly new, and was believed to be essentially in good shape, that is, robust and effective – as was risk management.

Governance is embedded into the RBPM approach, supporting the corporate level obligations and enabling those commitments to be cascaded through the organization. A greater focus by the board on demanding the parameterizing of risk appetite and then supervising how executives execute strategy within those boundaries is now a critical governance role, and has been stressed in many reports by regulatory and expert bodies.

However, as part of the RBPM approach, governance also has a more operational, day-to-day role to play within an organization. This approach to governance is based on the RACI framework which has been widely used within the program and project management world. RACI is an acronym for Responsible, Accountable, Consult and Inform, and is used to clarify individual roles in the achievement of objectives and management of risks.


Culture is perhaps the ultimate strategy and risk management tool. The importance of getting the culture right is often overlooked in major change efforts. Although few organizational leaders would publicly state that culture is less important than process, structure or technology, the fact is that due to its being so nebulous, and so difficult to define and to equate a precise financial figure to its effective management, it is more often than not “dealt with” through a nice sounding value statement and then either forgotten about or handed over to the HR function to manage. Many organizations live to regret this oversight.

The importance of getting the culture right cannot and should not be underestimated. Culture is, quite simply, a showstopper. Indeed, an August 2012 article in the Financial Times reported a survey of risk managers that found that 62% of major risk events were the result of culture, leadership or behavior.

Get the culture right and objectives will more likely be achieved and risk managed. Get the culture wrong and failure will be just about inevitable, even though ultimate failure might well be preceded by a period of stunning financial success, as we have seen with many organizations that suffered catastrophic failure.


Communication is a key management discipline in any circumstance, and especially when large-scale change is taking place. Communication is critical when an organization is setting out to take an integrated approach to strategy and risk management and so has been included as a discipline within the RBPM approach – most notably in getting the appetite message across and in driving the correct behaviors.

Crucially, communication should be an ongoing process, rather than a one-off exercise repeated on an ad-hoc basis. Messaging must be a constant part of reinforcing the dos and don’ts around strategy, risk and risk appetite, and the importance of balancing risk and reward. If this is not done, there is a pressing danger that decision-makers, and indeed all employees, might revert to inappropriate behaviors.

Parting words

The rigor provided through the seven RBPM disciplines might go a long way toward ensuring that the value delivered is sustainable over the longer term, and that the pursuit of profit and the delivery of short-term and superior returns to shareholders is not at the expense of long-term value, or even continued survival.


Extracted and abridged from Risk-Based Performance Management: integrating strategy and risk management, Andrew Smart, James Creelman (Palgrave Macmillan, 2013)

by James Creelman and Andrew Smart

About the author

A recognized thought-leading author, trainer and advisor specializing in Strategy Management, The Balanced Scorecard, Leadership & Culture Change, Enterprise Performance Management and Strategic Risk Management.

Extensive experience of leading consulting and training assignments across the world, for both Government and commercial organizations, most notably in the Gulf and Indonesia (as a resident in both) as well as Europe, North America, Australia and India.

Author of numerous articles/blogs as well as 24 in-depth research-based management books, including Doing More with Less: measuring, analyzing and improving performance in the government and not-for-profit sector (Palgrave Macmillan, 2014) and Risk-based Performance Management: integrating strategy and risk management (Palgrave Macmillan, 2013).