Managing strategy: performance and risk
Keeping one eye on performance and one on risk
There have always been risks attached to strategy execution, but with so many variables in play these days, it is ever-present. In this, the digital economy, successfully implementing strategy is about keeping one eye on performance and the other on risk. One without the other is not enough. Conventional Balanced Scorecard systems only consider the performance view, with Key Performance Indicators (KPIs) providing the information on the success, or otherwise, of strategic objectives.
Risk does NOT belong on a strategy map
Some organizations will claim that they cater for risk through its inclusion on a Strategy Map as a strategic theme, or objectives. I’ve even seen it captured as a separate perspective. However, although this was common early in the scorecard history, I agree with the comments made to me in an interview with Dr. Robert Kaplan:
“…when I first began to look closely at strategic risk, I thought that risk management would become a strategic theme that would appear on the Strategy Map, alongside other themes such as customer service management and operational excellence. I now advocate that risk should not be on a Strategy Map at all, be that as a theme, perspective or objective. The Balanced Scorecard, after all, is about managing and delivering performance, not mitigating risk.”
“Risks (both threats and opportunities) impact each and every objective on a Strategy Map – financial and non-financial.”
The Balanced Scorecard, after all, is about managing and delivering performance, not mitigating risk
Strategy map as the anchor
Aligning risk, along with performance, to strategy begins with the Strategy Map, which is the anchor for both. The risk lens includes:
- Identifying key risks (often described as part of a key risk event)
- Calculating the likelihood and consequence of the risk materializing (risk heat map)
- Tracking Key Risk Indicators (KRIs) through a Risk Dashboard.
Identifying key strategic risks
First a definition: “a key strategic risk is the possibility of an event or scenario (either internal or external) that inhibits or prevents an organization from achieving its strategic objectives.” Note that a strategic risk event is a tangible occurrence. It’s something that happens. Staff turnover is not a risk event, as turnover is an everyday reality of any business, although a defined loss of capability against a strategically critical skill might well be.
Key risk questions
Although there are various ways to identify key strategic risks, one useful technique is to pose a key risk question (KRQ). For example, “What circumstances might lead to a degradation of processing accuracy?” might be a KRQ for a strategic objective “improve application processing accuracy” in a financial services company. A key risk event might be described as “the risk of a failure to achieve standards of processing accuracy caused by the loss of key staff resulting in the deployment of inexperienced staff.”
Note that the strategic risk event is articulated as “the (key) risk of (what, where, when) . . . caused by (how) . . . resulting in . . . (impact)”.
The risk bow tie
A popular tool for identifying what might potentially cause a risk to happen (such as lack of policies and procedures, inadequate activity management or external events) and the consequences should it materialize (direct, indirect or intangible) is a Risk Bow-Tie. Figure 1.
When using the Risk Bow Tie, start by focusing on events that could prevent the achievement of the strategic objectives. Once these have been listed, start to develop as many potential causes as possible that will lead to the event happening and therefore the risk materializing.
Creating this “long list” of causes will help clarify thinking about the risk and form the base of a consolidated list of causes that should be documented alongside the risk. This process should be repeated for consequences.
With the list created, there is then a prioritization process to choose the risk events to monitor alongside the strategic objectives. As with selecting KPIs, the goal is to end up with a select few key risk events that are deemed the most impactful and together provide a powerful sense of the key risks for the specific strategic objective. This is not to say the causes/consequences not selected are necessarily discarded. On a Risk Bow Tie they might be listed alongside preventative and mitigation controls and managed accordingly.
Assessing likelihood and consequence
With the strategic risk events identified, we sequence to assessing whether that risk will materialize and the effect on the organization if it does. This assessment can be completed through a Likelihood and Consequence matrix. This simply plots on a vertical axis the likelihood of a risk materializing and the consequence to the organization if it does. The point where likelihood and consequence meet determines the risk’s position on the matrix (the Risk Heat Map, figure 2) and therefore the level of urgency for risk mitigation.
While a Risk Heat Map is a well-known tool, one innovation (pioneered by Andrew Smart, CEO of Ascendore) is a Four Perspective Risk Map. This brings key risks together, enabling their visualization in relation to each other (Figure 3).
Just as performance to strategic objectives is tracked via KPIs on a scorecard, key risks are monitored through KRIs on a Risk Dashboard (I prefer the term dashboard, simply to differentiate from the performance-focused scorecard). KRIs provide an early signal of increasing risk exposure.
As examples of KRIs, the cited strategic objective, “continuously improve application processing accuracy,” is supported by the key risk event, “the risk of a failure to achieve standards of processing accuracy caused by the loss of key staff resulting in the deployment of inexperienced staff.” A leading KRI might be “key employee retention rate”, while a lagging KPI might be “number of loan processing errors due to inexperienced staff”.
As Kaplan noted, “…Identified risks should be managed through a separate Risk Dashboard.” This comprises the organization’s key risks, the key risk events, risk exposure, KRIs and KRI score. Keeping the KRI within the tolerance range might lead to a risk mitigation, which could be a simple control change or a strategic initiative that impacts one or more strategic objectives from both performance and risk dimensions.
Identified risks should be managed through a separate Risk Dashboard
Those organizations that build sustainable success and defendable positions in the digital era, in which continuously turbulent times is the norm, will be those that vigilantly manage with one eye on performance and one eye on risk. But, as with humans, organizations require both eyes to be working in synch for optimal results. Twenty-twenty strategic vision is the ultimate goal.
As always feedback is welcomed.
Material for this article was drawn largely from Risk-Based Performance Management: integrating strategy and risk management, Andrew Smart and James Creelman (Palgrave MacMillan, 2013) with additional information gleaned from How do you integrate strategy and risk management? Strategically Speaking, Palladium, October 2015.