Performance Risk Management – the practical approach

Performance Risk Management is my new and immensely practical approach to integrating performance management and risk management. This is the breakthrough that finally allows the “good ideas” behind enterprise risk management to shine through.

I have written about many aspects of risk management in the past. I find the topic fascinating because it offers such great promise to help organizations of all types accomplish their goals better, faster, and more completely. Unfortunately, for years, I was frustrated by all of the static surrounding risk management. This static has made it virtually impossible to convey a clear picture of the benefits of risk management.

The static

I have spent many years thinking this through. I have always known that the core message of risk management is profound. It just seemed that there was so much static surrounding risk management that the message was always hidden in irrelevancies. I needed to understand which pieces of risk management theory were creating this static. What did I need to strip away for this message to come through loud and clear? I have come to the realization that much of this static resulted from two fallacies:

  • An improper primary focus on risks, themselves
  • Useless attempts to categorize risks; focusing on the artificial differences between risks rather than finding the universal similarities

As I started recognizing these two ‘static generators’, I was able to develop an approach to risk management that suddenly accomplished two things.  

First, risk management could be intuitively aligned with an organization’s performance objectives. More than that – risk management works only if it is aligned with performance objectives.  It suddenly started making obvious, practical sense to executive leadership. It’s not just a “nice theory”; it can help achieve bottom line results in a real and practical way.

Second, it became clearer why so many organizations have prematurely abandoned their risk management implementation projects. I understood that the mind numbing real-world complications that these organizations experienced were, actually, irrelevant.

Eliminating the static

The first clear realization was that risk management starts with objectives, not risks. It’s always about accomplishing objectives. Managing associated risks is simply an additional technique to help accomplish your goals. Everyone knows this intuitively. The problem was that risk management theory made, at most, a passing reference to objectives. That’s why risk management never felt right. It never actually aligned with what we knew to be true. An organization doesn’t want to expend efforts to “manage risks”. It will, however, expend effort on better techniques that help it accomplish its objectives better, faster, and more completely.

The second clear realization came to me when I recognized the waste in categorizing risks among “Strategic Risk”, “Compliance Risk”, “Legal Risk”, “Financial Reporting Risk”, etc., etc., etc. Risk management theory loves to focus on these categories. This disguises a lack of deeper understanding – the similarity among all risks. This similarity flowed from the first clear realization – a focus on objectives, not risks. While there may be many types of objectives, there is only one type of risk – an inability to effectively execute.

When you logically extend these two clear realizations, the results are profound. Once you do away with the process of classifying risks, you can focus on actually identifying the risks. Not only that, you actually have a practical framework to identify those risks – real world things that could go wrong relative to a specific objective. Useless theory melts away and practical understanding takes its place. It has allowed me to better communicate not only how an organization benefits from risk management,  it has also allowed me to develop a practical way to (i) initially implement risk management within an organization, and (ii) enhance management processes to deliver results better, faster, and more completely.

These are the two basic components of Performance Risk Management. Many benefits flow as a result which I will continue to address in subsequent posts.

 

 

Advertisements

Risks have attributes, not categories

People like to categorize as I wrote in my prior post. But a question was left hanging — are there categories of risk? That depends on what we mean what we talk about categories.

One way of thinking about categories is to envision a number of “buckets” and every risk must fall into one of these buckets. This was where people think about whether a risk is a “Strategic Risk”, “Compliance Risk”, “Reputational Risk”, “Financial Reporting Risk”, etc. The problem with this approach is that there is an underlying assumption that the risk must be exist in only one category. Unfortunately, no matter how many buckets you come up with, sooner or later you’ll come up with a new item that doesn’t fit neatly into one of the buckets. So you create a new bucket. But then you discover that a risk that you earlier dropped into a different bucket now fits better in this new bucket. In short, this is an approach that simply doesn’t work very well because it is very difficult, probably impossible, to create a complete and exclusive system of categorizing risks in any meaningful way.

A better way of thinking about risks is through “attributes”. Rather than going through a mental process of depositing each risk into a specific bucket (which requires a sense of mutual exclusivity), consider instead what practical questions you might want to answer about your risks. What “knowledge” do you want to create?

Perhaps you will, in the future, want to know which risks occur simply because a computer is used as part of the process (e.g. “garbage in / garbage out”). Or perhaps, you want to know which risks occur simply because you choose to outsource a process to a third party (e.g. “insecure storage of sensitive data”). Or perhaps you want to know which risks might occur because of internal fraud (e.g. “expense reimbursement for the wrong amount”).

Notice that one or more of these attributes might apply to any particular risk. So, you can’t simply drop the risk into the “third party risk” bucket. It also needs to exist in the “IT risk” and “internal fraud” buckets. This is where it becomes necessary to eliminate  the idea of “buckets” think of “attributes”. Attributes are like standard sticky notes that you can attach to any risk, or perhaps  many risks.

Then, when you want to understand your risks better, this approach allows you to see see those risks that have the “internal fraud” attribute attached. Or, you can see those risks that have an “IT” attribute. Some risks will be in both lists.

This approach provides much more flexibility than going with an exclusive bucket approach.

If you don’t agree, I would love to hear your views.

Are there “categories” of risk?

People love to categorize — to group things together. I think it’s one of our deepest psychological activities. I’m sure it helps us create  sense in a very complex world.

Risk management is certainly prone to categorization. It’s a good idea. When you do it correctly. When you do it wrong, it simply confuses some of the essential concepts. Allow me to explain.

When I talk with business people about risk management, categories often are the first thing that jump to their minds. They don’t do it intentionally, it’s just the way we are often urged to consider risk management. For instance, when I asked a colleague (a finance and accounting professional — smart guy) about his view of the major risks to a company, he stated quickly “liquidity, credit, reputation”.

This caused me to take a mental step back. This isn’t how I identify  risks. I’m sure it’s because I operate down in the trenches but I identify risks much more distinctly. To me, a risk isn’t “liquidity”, it’s “insufficient or unreliable credit relationships to assure short term funding needs”. Are they the same thing? More or less — sure. But “liquidity” is a general concept while the other is more easily understandable and actionable. In my mind, liquidity is (one of many) potential categories … but not a risk, itself.

However, I suggest going one step further. In my approach to risk management, liquidity isn’t even a category of risks. Instead, it’s a category of objectives. Let me explain.

To “do” risk management, you should start by identifying what you’re trying to accomplish. These are the objectives of the organization and, more distinctly, of each individual person within that organization. Organizations can surely have “liquidity” objectives and “credit” objectives. They also have “strategic”, “operational”, “financial reporting”, “compliance”, “legal”, “reputational”, and potentially dozens of other types of objectives. This is where the categories come in handy. They serve as a road map when brainstorming and identifying objectives. This road map helps the process by forcing the question “Hey, don’t we have compliance objectives? We haven’t identified those yet.”

You should use whatever tools are helpful, including these categories, to help you identify real and practical objectives. Once the objectives are identified, the risks are relatively easy to identify.  The only question you need to ask in order to identify the risks is “For this objective, what could reasonably go wrong?” Now you’re discussing real risks, not pseudo-categories.

Here’s a very simple example of why it’s more practical to work with risks within the context of specific objectives. If you’re considering the risks for an upcoming party that you’re planning, is it easier to brainstorm “operational risks”, “financial reporting risks”, etc? Or, is it easier to come up with the risks if you consider what can go wrong relative to “invitations”, “entertainment”, “food”, etc.? Once these objectives were identified, real risks come more readily to mind, right?

My advice use categories as a framework to help you brainstorm objectives, not risks. Identifying and understanding objectives must always be the first step in managing risks. Then, once real objectives are identified, the risks flow readily to mind. This is efficient and productive. My experience confirms, for me, that any other approach simply doesn’t work in the real world.

But this advice doesn’t really answer the question … are there categories of risk? I’ll address that in my next post.

The Sarbanes-Oxley lesson: doing it wrong is very expensive

One of the lessons from Sarbanes-Oxley was the sheer waste of time and energy for those organizations that tackled it the wrong way. Admittedly most organizations tried to be thoughtful and creative in addressing SOx. Some recognized that SOx requirements were not significantly different from what they were (should have been) already doing. However, given the relatively small amount of time for implementation and the very large downside, it was often approached as a ‘compliance’ issue rather than a ‘management information’ issue. It should have  been approached as a relatively easy re-design of management reporting to include  existing organizational knowledge about the internal control environment.

Public accountants and other consultants bear substantial blame for this. The CPAs were feeling pressure from their governing bodies to assure ‘compliance’ with SOx. This sometimes meant that they were in a less-than consultative mood with their clients. And third-party consultants, of course, were ready to accept fees and help assure that these public companies satisfied the requirements imposed by their public accountants.

Now let’s move forward a few years.

Many organizations are moving, in some way, into risk management. The reasons can vary … regulators are becoming more insistent, the governing board has indicated that they want it. Or, perhaps, executive leadership is intrigued by what they imagine risk management can provide to help them better run their organization.

One thing that organizations need to avoid is treating risk management implementation like they may have treated  Sarbanes-Oxley implementation. There is a natural temptation to presume that risk management is a side-project that the organization simply must accomplish and move past. There may be a presumption that there is a checklist that, once completed, will provide a risk management environment. In fact, there is … but only at a very high level. There are specific objectives that need to be achieved in order to implement risk management. But each of those objectives needs a strategy that is specific to each organization.

For those organizations considering a more formalized approach to risk management, there are three options:

  1. Spending: Creating a  risk management program that provides little value beyond the fact of its existence.
  2. Waiting: Doing nothing formal and continuing to rely on the management team to manage risk in an ad-hoc manner.
  3. Investing: Thoughtfully design and implement a risk management environment that will continually pay dividends in better organizational information and decision making.

The worst of these options is the first – spending money with little or no payback. The biggest damage is the illusion but no substance of risk management that is often created through a weak program.

The other two options are simple cost/benefit. If management believes that the organization can’t afford to improve its ability to make better decisions and achieve its objectives, it may be better to wait and not invest in risk management. However, if executives believe that the organization needs to perform better and achieve results faster then risk management is definitely a tool that they need to consider.

My advice – executive leadership should firmly reject any weak risk management process. Spending money with no clear payback is irresponsible.

Instead,  executives must consider carefully the cost and benefit of  risk management. Bring in advisers who can guide management in understanding, at a business level, the costs and benefits of risk management. Then make a decision of either waiting or investing.