The idea of integrating the consideration of risk into assessing and optimizing performance is not new. The well-founded belief — held, for example, by Robert Kaplan, creator of the Balanced Scorecard, and the accounting firm Ernst & Young — is that when risk and performance are viewed together rather than separately, operational and financial performance can be enhanced. The CFO can see not only whether the organization is projected to hit its targets but also the potential obstacles that might inhibit success. Management can then ensure that appropriate actions are taken to address risks and boost performance.
But the practice is infrequent. And the increased level of attention paid to risk management and the publicity it has sparked have spawned the emergence of risk reporting as something separate and distinct from performance management and reporting. While it is encouraging to see management considering and addressing risks, doing so without the context of achieving objectives and performance targets will do little to help the CFO and the management team meet those targets.
I suggest that melding risk considerations into the setting of strategy and optimization of performance will make a significant contribution to any organization’s long-term success by help it to more consistently achieve financial and operational objectives. I don’t know about you, but I believe it’s important to know not only that you have achieved the desired speed of 100 kph (performance data) but that you are not 100 meters from a brick wall (risk data).
Research reports from eminent institutions support that view.
“[A]t some banks the group risk management function was alerted to potential subprime losses long before the senior management appreciated the severity of the problem. Often, it was not until a presentation was made to the Chairman that included both performance and risk aspects that the size of the problems became known to the board.”
“Risk-enhanced performance management must evolve from an ad-hoc event under pressure of the economic downturn, to a continuous process that must be embedded within the company’s governance processes. Unfortunately, many companies’ efforts in the area of performance and risk management seem to focus too much on meeting regulatory requirements (“ticking the boxes”) and not enough on how to integrate performance and risk management for more effective strategic decision making.”
“In our research we did not detect a single best practice of integrating risk and performance reporting.”
(Integrating Risk into Performance: Reporting to the Board of Directors, Slagmulder and Boicova, Vlerick Leuven Gent Management School)
(Integrating risk and performance: Collaborating for better decisions and greater buy-in, Valentine, Economist Intelligence Unit)
A stronger focus on risk in performance reports addressed to senior managers can address such expectation. Incorporating risk into performance management processes can foster a better understanding of the overall organizational risk exposure and improve business results.”
(Integrating Risk into Performance, Palermo, The London School of Economics)
So what should finance executives do? I suggest they recognize that performance reports are incomplete without related risk information and identification, and review of the assumptions (uncertain by definition) included in the reported numbers.
Finance executives should, in their charters and job descriptions, mandate coordination between those who provide risk and performance information to executives and the board. They should also clarify that all executives are responsible for the management of both risk and performance in their designated areas.
Among the steps CFOs should take is clarifying that the role of risk managers is to assist executives in managing risk, not to manage risk themselves. The desired role is as mentor and trainer, communicator and coordinator, together with responsibility for the adequacy of the overall risk-management framework and processes. Finance chiefs should also question the value of isolated risk-management reports that are separated from overall performance.
I understand that these are radical suggestions, especially the last one. But I believe they represent an opportunity for the CFO to lead a change that will only contribute to performance and long-term success.
Norman Marks, CPA, is a vice president with SAP and a long-term internal-audit and risk-management practitioner. He has been honored for his thought leadership by The Institute of Risk Management (honorary fellow) and Open Compliance & Ethics Group (fellow). He regularly blogs and provides updates on Twitter: @normanmarks.