The idea of integrating the consideration of risk into assessing and optimizing performance is not new. The well-founded belief — held, for example, by Robert Kaplan, creator of the Balanced Scorecard, and the accounting firm Ernst & Young — is that when risk and performance are viewed together rather than separately, operational and financial performance can be enhanced. The CFO can see not only whether the organization is projected to hit its targets but also the potential obstacles that might inhibit success. Management can then ensure that appropriate actions are taken to address risks and boost performance.
But the practice is infrequent. And the increased level of attention paid to risk management and the publicity it has sparked have spawned the emergence of risk reporting as something separate and distinct from performance management and reporting. While it is encouraging to see management considering and addressing risks, doing so without the context of achieving objectives and performance targets will do little to help the CFO and the management team meet those targets.
I suggest that melding risk considerations into the setting of strategy and optimization of performance will make a significant contribution to any organization’s long-term success by help it to more consistently achieve financial and operational objectives. I don’t know about you, but I believe it’s important to know not only that you have achieved the desired speed of 100 kph (performance data) but that you are not 100 meters from a brick wall (risk data).
Research reports from eminent institutions support that view.
- “The biggest challenge in performance management today is the increased attention that needs to be paid to the risk-reward trade-off. Companies have been ignoring the risk side of performance management for too long — a lot of attention has traditionally been paid to performance measurement and monitoring (i.e., the reward side of the equation), but all performance is essentially linked to risk. Risk is intrinsic to doing business.”
“[A]t some banks the group risk management function was alerted to potential subprime losses long before the senior management appreciated the severity of the problem. Often, it was not until a presentation was made to the Chairman that included both performance and risk aspects that the size of the problems became known to the board.”
“Risk-enhanced performance management must evolve from an ad-hoc event under pressure of the economic downturn, to a continuous process that must be embedded within the company’s governance processes. Unfortunately, many companies’ efforts in the area of performance and risk management seem to focus too much on meeting regulatory requirements (“ticking the boxes”) and not enough on how to integrate performance and risk management for more effective strategic decision making.”
“In our research we did not detect a single best practice of integrating risk and performance reporting.”
(Integrating Risk into Performance: Reporting to the Board of Directors, Slagmulder and Boicova, Vlerick Leuven Gent Management School)
- “The economic turmoil of the past two years has taught executives of the need to anticipate risks and plan for alternative scenarios. But learning a lesson and acting on it are two different things. Many organizations lack the right processes to create the kind of robust and flexible business plans suited to a fast-changing environment.”
(Integrating risk and performance: Collaborating for better decisions and greater buy-in, Valentine, Economist Intelligence Unit)
- “The recent economic crisis has focused attention on risk management, but managing risk is all about achieving objectives. Senior managers in particular, are expected to build sustainable performances: create value at acceptable risk levels over time. To this end, they should be clearly aware of the multiple sources and types of risks.
A stronger focus on risk in performance reports addressed to senior managers can address such expectation. Incorporating risk into performance management processes can foster a better understanding of the overall organizational risk exposure and improve business results.”
(Integrating Risk into Performance, Palermo, The London School of Economics)
So what should finance executives do? I suggest they recognize that performance reports are incomplete without related risk information and identification, and review of the assumptions (uncertain by definition) included in the reported numbers.
Finance executives should, in their charters and job descriptions, mandate coordination between those who provide risk and performance information to executives and the board. They should also clarify that all executives are responsible for the management of both risk and performance in their designated areas.
Among the steps CFOs should take is clarifying that the role of risk managers is to assist executives in managing risk, not to manage risk themselves. The desired role is as mentor and trainer, communicator and coordinator, together with responsibility for the adequacy of the overall risk-management framework and processes. Finance chiefs should also question the value of isolated risk-management reports that are separated from overall performance.
I understand that these are radical suggestions, especially the last one. But I believe they represent an opportunity for the CFO to lead a change that will only contribute to performance and long-term success.
Norman Marks, CPA, is a vice president with SAP and a long-term internal-audit and risk-management practitioner. He has been honored for his thought leadership by The Institute of Risk Management (honorary fellow) and Open Compliance & Ethics Group (fellow). He regularly blogs and provides updates on Twitter: @normanmarks.