There has been increased attention and articles about the integration of enterprise performance management and risk management.

However, the topic has recently taken a dark turn. A recent report from The Economist Intelligence Unit sponsored by ACE, a global insurance company, and KPMG is titled, “Fall Guys: Risk Management in the Front Line.” In the report, a risk manager claims he was fired for telling his company’s board of directors that too much risk was being taken. Did management want to ignore a red flag of caution to pursue higher profits? The broader question involves how strategy planners view risk managers. Are they profit optimizers or detractors?

Fundamentals About Integrating Risk Management and Performance Management

Should risk be viewed as an opportunity or a hazard? Risk management is not about minimizing an organization’s risk exposure. Quite the contrary, it is all about exploiting risk for maximum competitive advantage. A risky business strategy and its action plans always carry high prices.

For example, what investment analysts do not know about a company, or any uncertainty or concerns they have, will add a premium to capital costs and discount a company’s stock value. Effective risk management practices counter this example by being comprehensive in recognizing and evaluating all potential risks and their sources. Its goal is less volatility, greater predictability, fewer surprises and, perhaps most importantly, the ability to bounce back quickly after a risk event occurs.  
Risk is usually associated with new costs, because risk-related threats may turn into problems. In contrast, opportunities can be associated with new economic value creation, such as increased revenues, because they may turn into benefits.

Organizations often cannot easily quantify their risk exposure in terms of the financial impact on profits. Further, they typically have no common basis to evaluate their risk appetite relative to their risk exposure. Risk appetite is the amount of risk an organization is willing to absorb to generate the returns it expects to gain. The objective is not to eliminate all risk, but rather to match risk exposure to risk appetite.

Risk management is not simply contingency planning. That is too vague. It begins with a systematic way of recognizing sources of uncertainty and volatility. It then applies quantitative methods to measure and assess three factors:

  1.  Probability of an event occurring;
  2.  Severity of the event’s impact; and
  3.  Management’s capability and effectiveness to respond to the event.   

Based on these factors, risk management identifies the triggers and drivers of risk, and then evaluates alternative actions and associated costs to potentially mitigate or take advantage of each identified risk. These should ideally be included during the strategy formulation and replanning process and reflected financial projection scenarios – commonly called what-if analysis.
Multiple scenarios based on estimated probabilities of multiple variables (e.g., of occurrence) are the accepted approach to glean impact sensitivities and to determine which risk mitigation actions to pursue or reject. Using probabilistic scenarios provides strategists with distributions of possible outcomes and their source cause. It combines good business judgment with fact-based business analytics. Trend analysis, regression and correlation analysis are involved, but they no longer need to be scary memories of a university statistics course. Today, analytical software is designed for the casual user.  

Risk Managers – Friend or Foe to Profit Growth?

The Economist Intelligence Unit report was a result of extensive surveys and interviews. The impact of the recent global financial sector meltdown was clearly top of mind for the respondents. The report highlighted that risk management and governance policies and structures are being provided increasing authority, visibility and independence. However, planned increases in investment and spending have been modest, if present at all. Not a good sign.

The reality is that the natural tension and conflict between the risk functions and the business’ aspirations for higher profit growth still exists. How can a balance and compromises be achieved?

Key findings of the report are:

  • Strategic risk management is in a relatively embryonic stage of maturity. Executives view the identification of new and emerging risks as a key objective of risk management, but roughly two-thirds of them believe their organization is weak at anticipating and measuring future risks.
  • Few organizations involve risk functions in key business decisions.  Few companies expect risk functions to participate in strategic decision making in the near future.
  • Risk management should shift its emphasis from preventative activities to proactive and supporting ones. Risk managers should expand beyond police-like controls and monitoring to also include identifying opportunities to achieve business objectives.   

Window of Opportunity

Will increasing interest in including the risk function in strategy formulation continue or be a temporary phase? Hopefully, the interest will be permanent, but there are impediments. Business line managers may continue to view the risk function as a mechanical brake slowing sales and profit growth. Also, technical knowledge and experience by boards of directors and executives may be inadequate to fully understand how to integrate risk and performance management.

On a positive note, risk management is gaining influence and using more structured modeling and analytics software. Managers are creating a richer organizational culture for metrics and risk awareness that considers opportunities, not just threats.   

Invulnerable Today, Aimless Tomorrow

I continue to be intrigued by the fact that almost half of the roughly 25 companies that passed the rigorous tests listed in the once-famous book by Tom Peters and Robert Waterman, “In Search of Excellence,” today either no longer exist, are in bankruptcy, or have performed poorly. What happened in the 25 years since the book was published? My theory is that once an organization becomes quite successful, it becomes adverse to risk taking. Taking risks, albeit calculated risks, is essential for organizations to change and be innovative.

Is the risk manager going to continue to be the “fall guy”? Not if those responsible for strategic planning appreciate that they are not gamblers using investors’ money, but rather stewards of the company’s – and investors’ – financial futures.