
The inter-relationships of risk, objectives, strategy and performance

January 20, 2012

Every so often, I read an article or guidance that talks about risk and strategy, risk and achieving objectives, or risk and performance management. For example:

Then there are the risk management standards (such as ISO 31000:2009) and frameworks (such as COSO ERM), which address the need to manage the effect of uncertainty on business objectives so the latter can be achieved (or surpassed).

What I want to do in this post is share my personal perspectives on the flow and relationships between these items. As you will see, it is not a simple relationship at all!

Objective and Strategies

Organizations exist to create value for their stakeholders. Governments provide public services for residents while corporations generate profit and share value for shareholders. (Simplistic version)

Objectives are established to create that value, and strategies are how the objectives will be achieved. They are best set with a solid understanding of risks (I use the word to include potential events that could have either positive or negative effects, as well as the uncertainty around forecasts and projections).

  1. If you understand the risks inherent in different objectives and strategies, you can decide which among them to adopt. Which is more likely to succeed and create value (and how much), and can the risks be kept within acceptable limits?
  2. If you understand the risks inherent in an objective or strategy, you can set appropriate targets. For example, you might slow down the target date for a product launch so you have time to manage the risk of quality defects and allow a vendor time to ramp up production of a new component.
  3. You can also plan to execute in a way that will minimize harmful results and maximize potential positive ones (which includes planning and resourcing any required actions, such as new controls to treat the risks).

So, objectives and strategies are set with an understanding of related risks and how they can be managed to remain within acceptable limits.

Objectives, Strategies, and Risk – Part 1

As advocated in both ISO and COSO guidance, organizations need to manage risks related to the achievement of their objectives. So, organizations should (IMHO) ensure they have a top-down process for identifying, assessing, evaluating, and treating risks to each objective.

So, risks are ‘managed’ within the context of the organization’s objectives and strategies.

Performance Management and Risk

Monitoring and optimizing performance should include consideration of risk levels. Kaplan has recommended that balanced scorecards include not only key performance indicators (KPI) but key risk indicators (KRI) as well.

It’s not enough to know that you are proceeding down the freeway at 80 mph (seemingly ahead of targets) if you don’t know that there is dense fog ahead and a high risk of accidents if you don’t slow down.

Objectives, Strategies, and Risk – Part 2

Risk management includes monitoring and generally keeping tabs on what is happening, whether new risks are emerging, and whether risk levels are changing.

What is often overlooked is that management should consider modifying objectives and strategies based on new assessments of risk and whether they can be managed within acceptable limits. Has the danger of the current course increased? Is there a new potential for a faster route?

If objectives/strategies should perhaps be modified, go back to the start.

In my mind,

  1. Risk and objective/strategy-setting are, or should be, inseparable
  2. Performance management without considering risk is flying blind
  3. Risks are managed within the context of achieving objectives

What say you? Does this make any sense?

  1. January 20, 2012 at 1:41 PM

    Norman, all important and all related to enterprise and process architecture for value creation and value preservation. I would add:

    To align with BOD, CEO and Analysts thinking you have to start and end with value creation and preservation. That is what we advocate at Governance, Value Management and Performance (GVP) Partners.



  2. Norman Marks
    January 20, 2012 at 2:28 PM

    COSO has today released a thought leadership paper on risk appetite, which includes discussion of the need to integrate risk and strategy. See http://www.theiia.org/blogs/marks/index.cfm/post/COSO%20Contributes%20to%20Thought%20Leadership%20on%20Risk%20Appetite

  3. Lismar
    January 21, 2012 at 3:24 AM

    What about controls? I am a beginner auditor. I would like to understand its role.

    • Norman Marks
      January 21, 2012 at 9:27 AM

      Lismar, I suggest you review the COSO Internal Controls – Integrated Framework, available at http://www.coso.org. Get the existing version, not the draft update.

      Basically, controls ensure things are done the way you want, and they help you manage risk to within acceptable limits.

  4. Robert
    January 22, 2012 at 9:26 PM

    This is all interesting and I totally agree that risk and objective/strategy setting are inseparable.

    Norman, it seems to me there is a trend in the integration of governance, risk and compliance (GRC). I am interested in anyone’s view(s) on how compliance fits into this “model” of risk, objective, strategy and performance?

  5. Norman Marks
    January 23, 2012 at 6:59 AM

    Robert, people are talking about GRC as if there is a single GRC process. I don’t believe there is. However, the risk officer should certainly be concerned about the risk of non-compliance with laws and regulations, and working in a coordinated fashion with the chief compliance officer. Some (myself included) like a risk-based approach to compliance. So, it is possible for risk and compliance officers to share technology and cooperate in reporting.

    I have distinct views on GRC, and you can see my posts here and on my IIA blog. Here is one example: https://normanmarks.wordpress.com/2010/01/25/grc-vs-%E2%80%9Cgrc%E2%80%9D-a-chat-with-business-finance%E2%80%99s-eric-krell/

  6. January 23, 2012 at 11:58 AM

    Norman, thank you for the good summary. I would like to add that somehow management needs to include a method of communicating the objectives/strategies with attending risks to those closest to the processes enabling their success. Maybe this is one of the risks. Too often I hear from process owners/doers that they are doing an activity because audit says so or the manager says so or the person before me did it. I’d like to hear a person say they do an activity because it supports an organization’s objective/strategy and the activity plays a certain role in supporting the outcome. How many opportunities are missed by an organization because a person did not understand how their process supported the objective and therefore missed a potential loss or gain?

  7. January 23, 2012 at 12:26 PM

    JDHascup, I have become a member of the Center for the Advancement of the Enterprise Architecture (EA) Profession (http://caeap.org). One of the roles of an EA is to help with this communication process in the design, implementation and operational phases of a business or process transformation. In particular, on their website is an EA value map that is a good reference piece.

  8. Mandla
    January 25, 2012 at 6:16 AM

    It is key to have that alignment (risk, objectives, strategy and performance); otherwise risk management would not be meaningful in an organisation, if risks are not linked to strategy & objectives. Once you have that alignment, risk management becomes an element of thought throughout the organisation.
    Someone mentioned that employees tend to perform tasks because they have somehow been instructed or it has been the norm, without understanding the link with strategy. The reason for such a gap is because senior management does not communicate clearly the company strategy and objectives. The strategy gets discussed at senior level without equally engaging the entire staff. When you do that, the entire staff fails to understand the reason behind some tasks and ends up doing them because the boss said so. We need to stress the importance of engaging the entire staff from a risk point of view to ensure that we minimise company exposure. Having the majority of staff failing to link tasks to overall company objectives widens the risk exposure of that particular entity.

  9. Mike Tierney
    February 14, 2012 at 8:33 AM

    Dare I suggest that if communication is so bad between the do-ers and the thinkers then there is likely a greater risk that the thinkers think they know how to perform a process and then might, perhaps by osmosis, hope that this is communicated to those that perform it. Many of the risks in doing something only emerge after something has been undertaken because the thinker didn’t consult with the do-er in the first place. Communication helps, but it’s probably necessary to go one better and provide leadership. A good leader should be capable of canvassing the needs, requirements and issues of the do-er first, then motivating through discussion that reveals a common understanding and that relates the business objectives and wider strategy. Talk to each other! Often!
