
Does the focus on risk management inhibit performance?

November 26, 2012

In a post today in my IIA blog, I reviewed three studies on the need for, and the challenge of, integrating risk and performance. As I said in that post: “They all agree on a couple of things: (a) that the integration of risk considerations into the setting of strategy and optimization of performance is a key to long-term success, and (b) few are doing it effectively, with any degree of formality, in practice.”

In other words, if risk is not integrated into performance reporting and management, there is a significant likelihood that optimization and long-term success will be impaired.

The need for integration is not new. I have been reading about ‘risk-adjusted’ budgeting, planning, and performance for a long time. Business Finance ran an interesting piece in 2008.

But, it seems to me that the suggested solutions, which have a risk management orientation, may be missing the point.

While they (correctly) say that the risks to achievement of objectives and optimization of performance should be the focus of the risk management program, the result is still a risk register and a set of risk reports.

The presence of two separate sets of reports, one on risks and the other on performance, is symptomatic of the problem. Risk and performance are not being seen as joined at the hip, where seeing one without the other is seeing only part of the picture.

In the IIA blog, I included this quote from the Vlerick report:

“It was not until a presentation was made to the Chairman that included both performance and risk aspects that the size of the problems became known to the board.”

What I am suggesting is that the solution is to be found by asking for change, not only in risk management, but in performance management.

  1. Recognize that performance reports are incomplete without:
    • Related risk information
    • Identification and review of the assumptions (uncertain by definition) included in the reported numbers
  2. Mandate, in their charters and job descriptions, coordination between those who provide risk and performance information to executives and the board
  3. Clarify that all executives are responsible for the management of both risk and performance in their designated areas
  4. Clarify that the role of the risk manager is to assist executives in managing risk, not to ‘manage risk’ themselves. The desired role is as a mentor and trainer, communicator and coordinator, together with responsibility for the adequacy of the overall risk management framework and processes
  5. Question the value of separate risk management reports

OK, these may be radical suggestions – especially the last one. But are the presence of a Chief Risk Officer and the production of risk reports, together with discussions by executive leadership and the board, a problem rather than something desirable?

Shouldn’t the CRO be driving for integrated performance and risk reviews and discussions, and stop asking for discussions focused only on risk?

I welcome your views!

    November 26, 2012 at 12:10 PM

    the CRO should not be asking for discussions focused only on risk and if she/ he is, then that person should not be the CRO

    the problem is not that the focus is on risk management- this is a good thing
    the problem is that when the plan is assembled for input to the Chairman before undertaking such an implementation- the entire integration process should be clearly described- in fact integration represents one of the six key board areas of responsibility as noted in the template created by Domenic

    To the extent that this information is not presented to the Chairman and the Chairman does not address it in his/her queries, then when the risk management system fails- the shareholders should terminate the Chairman. The Chairman should of course be properly trained to know what questions to ask

  2. November 27, 2012 at 8:09 AM

    Great post Norman. As we all know, the purpose of a business is to perform, and the purpose of risk management is to reduce the risk of performance that is not up to par for various reasons. I work for Symantec and believe that risk management in combination with performance metrics will give a more true, more accurate value of the performance being measured. Just like any model, the risk management aspects which are incorporated must be tailored to the specific business needs and industry, otherwise it will skew the numbers. Everyone wishes they could predict the future, and that’s what makes future business performance hard to evaluate. As risk management continues to mature, the effective application of risk management will become a key differentiator in predicting (and managing) performance.

  3. November 27, 2012 at 11:56 AM

    Would think as well that the misconception is that when there is a CRO he/she is responsible and all others have delegated their responsibility to the CRO.
    Here the challenge for the CRO is to ensure that others are trained and helped to pick up their risk responsibility in their area, and which they most probably know very well. A CRO facilitating the process and making clear that this is what he/she is doing will most probably improve the embedding of risk management into the DNA of the people and the organisation.
