The inter-relationships of risk, objectives, strategy and performance
Every so often, I read an article or guidance that talks about risk and strategy, risk and achieving objectives, or risk and performance management. For example:
- Enterprise performance management: towards profit
- Integrating risk appetite into business strategy
- Why integrating risk and strategy is important
Then there are the risk management standards (such as ISO 31000:2009) and frameworks (such as COSO ERM), which address the need to manage the effect of uncertainty on business objectives so the latter can be achieved (or surpassed).
What I want to do in this post is share my personal perspectives on the flow and relationships between these items. As you will see, it is not a simple relationship at all!
Objectives and Strategies
Organizations exist to create value for their stakeholders. Governments provide public services for residents, while corporations generate profit and share value for shareholders. (This is the simplistic version.)
Objectives are established to create that value, and strategies are how the objectives will be achieved. They are best set with a solid understanding of risks (I use the word to include potential events that could have either positive or negative effects, as well as the uncertainty around forecasts and projections).
- If you understand the risks inherent in different objectives and strategies, you can decide which among them to adopt. Which is more likely to succeed and create value (and how much), and can the risks be kept within acceptable limits?
- If you understand the risks inherent in an objective or strategy, you can set appropriate targets. For example, you might slow down the target date for a product launch so you have time to manage the risk of quality defects and allow a vendor time to ramp up production of a new component.
- You can also plan to execute in a way that minimizes harmful results and maximizes potential positive ones (which includes planning and resourcing any required actions, such as new controls to treat the risks).
So, objectives and strategies are set with an understanding of related risks and how they can be managed to remain within acceptable limits.
Objectives, Strategies, and Risk – Part 1
As advocated in both ISO and COSO guidance, organizations need to manage risks related to the achievement of their objectives. So, organizations should (IMHO) ensure they have a top-down process for identifying, assessing, evaluating, and treating risks to each objective.
So, risks are ‘managed’ within the context of the organization’s objectives and strategies.
Performance Management and Risk
Monitoring and optimizing performance should include consideration of risk levels. Kaplan has recommended that balanced scorecards include not only key performance indicators (KPIs) but key risk indicators (KRIs) as well.
It’s not enough to know that you are proceeding down the freeway at 80 mph (seemingly ahead of targets) if you don’t know that there is dense fog ahead and a high risk of accidents if you don’t slow down.
Objectives, Strategies, and Risk – Part 2
Risk management includes monitoring and generally keeping tabs on what is happening, whether new risks are emerging, and whether risk levels are changing.
What is often overlooked is that management should consider modifying objectives and strategies based on new assessments of risk and whether they can be managed within acceptable limits. Has the danger of the current course increased? Is there a new potential for a faster route?
If it turns out that objectives or strategies should be modified, go back to the start of the cycle.
In my mind,
- Risk and objective/strategy-setting are, or should be, inseparable
- Performance management without considering risk is flying blind
- Risks are managed within the context of achieving objectives
What say you? Does this make any sense?