Does the focus on risk management inhibit performance?
In a post today in my IIA blog, I reviewed three studies on the need for challenge of integrating risk and performance. As I said in that post: “They all agree on a couple of things: (a) that the integration of risk considerations into the setting of strategy and optimization of performance is a key to long-term success, and (b) few are doing it effectively, with any degree of formality, in practice.”
In other words, if risk is not integrated into performance reporting and management, there is a significant likelihood that optimization and long-term success will be impaired.
The need for integration is not new. I have been reading about ‘risk-adjusted’ budgeting, planning, and performance for a long time. Business Finance ran an interesting piece in 2008.
But, it seems to me that the suggested solutions, which have a risk management orientation, may be missing the point.
While they (correctly) say that the risks to achievement of objectives and optimization of performance should be the focus of the risk management program, the result is still a risk register and a set of risk reports.
The presence of two separate sets of reports, one on risks and the other on performance, is symptomatic of the problem. Risk and performance are not being seen as joined at the hip, where seeing one without the other is seeing only part of the picture.
In the IIA blog, I included this quote from the Vlerick report:
“It was not until a presentation was made to the Chairman that included both performance and risk aspects that the size of the problems became known to the board.”
What I am suggesting is that the solution is to be found by asking for change, not only in risk management, but in performance management.
- Recognize that performance reports are incomplete without:
- Related risk information
- Identification and review of the assumptions (uncertain by definition) included in the reported numbers
- Mandate, in their charters and job descriptions, coordination between those who provide risk and performance information to executives and the board
- Clarify that all executives are responsible for the management of both risk and performance in their designated areas
- Clarify that the role of the risk manager is to assist executives manage risk, not to ‘manage risk’ themselves. The desired role is as a mentor and trainer, communicator and coordinator, together with responsibility for the adequacy of the overall risk management framework and processes
- Question the value of separate risk management reports
OK, these may be radical suggestions – especially the last one. But are the presence of a Chief Risk Officer and the production of risk reports, together with discussions by executive leadership and the board, a problem rather than something desirable?
Shouldn’t the CRO be driving for integrated performance and risk reviews and discussions, and stop asking for discussions focused only on risk?
I welcome your views!